The cmdline_size already account for NUL terminator, you can see
this in xen_boot_binary_load(). The same property is set correctly
for Xen command line.
Signed-off-by: Frediano Ziglio <frediano.ziglio@cloud.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
From UEFI specifications 2.10, section 13.2.2, EFI_LOAD_FILE2_PROTOCOL.LoadFile
(see https://uefi.org/specs/UEFI/2.10/13_Protocols_Media_Access.html), for BufferSize:
On input the size of Buffer in bytes. On output with a return code
of EFI_SUCCESS, the amount of data transferred to Buffer. On output
with a return code of EFI_BUFFER_TOO_SMALL, the size of Buffer
required to retrieve the requested file.
So, set *buffer_size correctly.
Signed-off-by: Frediano Ziglio <frediano.ziglio@cloud.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
It turns out checking from userspace is not 100% reliable to figure out
whether the firmware had TPM2 support enabled or not. For example with
EDK2 arm64, the default upstream build config bundles TPM2 support with
SecureBoot support, so if the latter is disabled, TPM2 is also unavailable.
But still, the ACPI TPM2 table is created just as if it was enabled. So,
/sys/firmware/acpi/tables/TPM2 exists and looks correct but there are no
measurements, neither the firmware nor the loader/stub can do them, and
/sys/kernel/security/tpm0/binary_bios_measurements does not exist.
So, userspace cannot really tell what was going on in UEFI mode.
The loader can use the apposite UEFI protocol to check, which is a more
definitive answer. Export the bitmask with the list of active banks as-is.
If it's not 0, then in userspace we can be sure a working TPM2 was available
in UEFI mode.
systemd-boot and systemd-stub v258 (current main) set this variable and
userspace portion consumes it to be able to tell what was available in
the firmware context.
Signed-off-by: Luca Boccassi <luca.boccassi@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
libgcrypt itself is compiled with -Wno-sign-compare. Do the same for consistency.
Signed-off-by: Vladimir Serbinenko <phcoder@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
HAVE_STRTOUL is now defined in stdlib.h. Include it in g10lib.h rather
than defining on command line.
Signed-off-by: Vladimir Serbinenko <phcoder@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Libgcrypt code assumes that on x64 all SSE registers are fair game.
While it's true that CPUs in question support it, we disable it in
our compilation options. Disable the offending optimization.
Signed-off-by: Vladimir Serbinenko <phcoder@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
This allows us to test purely the integration of the implementation of
DSA and RSA from libgcrypt without concerning with additional code.
Signed-off-by: Vladimir Serbinenko <phcoder@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
This patches modifies the GRUB-libgcrypt API to match new libgcrypt 1.11.
Signed-off-by: Vladimir Serbinenko <phcoder@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
We currently use an old version of libgcrypt which results in us having
fewer ciphers and missing on many other improvements.
Signed-off-by: Vladimir Serbinenko <phcoder@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Not reusing these handles will result in image measurements showing up
twice in the event log.
On the occasion add missing grub_free() call.
Signed-off-by: Mate Kukri <mate.kukri@canonical.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Not reusing these handles will result in image measurements showing up
twice in the event log.
Signed-off-by: Mate Kukri <mate.kukri@canonical.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Not reusing these handles will result in image measurements showing up
twice in the event log.
Signed-off-by: Mate Kukri <mate.kukri@canonical.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Use loader protocol for image verification where available, otherwise
fall back to the old shim lock protocol.
Signed-off-by: Mate Kukri <mate.kukri@canonical.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
These can be used to register a different implementation later,
for example, when shim provides a protocol with those functions.
Signed-off-by: Julian Andres Klode <julian.klode@canonical.com>
Signed-off-by: Mate Kukri <mate.kukri@canonical.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
The Xen image is loaded with an alignment, not always at "start".
Signed-off-by: Frediano Ziglio <frediano.ziglio@cloud.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
More readable, could consume less space.
Signed-off-by: Frediano Ziglio <frediano.ziglio@cloud.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
We need to use FOR_LIST_ELEMENTS_SAFE() instead of FOR_LIST_ELEMENTS()
as single_binary_unload(), called during the loop, is changing the list
using grub_list_remove(). Given the environment probably the old code
simply removed only the first module on the list not freeing all the others.
Signed-off-by: Frediano Ziglio <frediano.ziglio@cloud.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
When attempting to build grub-emu the compilation failed with the
following error message:
include/grub/dl.h: In function ‘grub_dl_is_persistent’:
include/grub/dl.h:262:1: error: no return statement in function returning non-void [-Werror=return-type]
To avoid the error make the function always return 0.
Fixes: ba8eadde6be1 (dl: Provide a fake grub_dl_set_persistent() and grub_dl_is_persistent() for the emu target)
Signed-off-by: Gary Lin <glin@suse.com>
Cc: Daniel Axtens <dja@axtens.net>
Cc: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
In grub_cmd_initrd(), memory is allocated for variable initrd_ctx
before calling grub_relocator_alloc_chunk_align_safe(). When the
function call fails, initrd_ctx should be freed before exiting
grub_cmd_initrd().
Fixes: CID 473852
Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Unload previous Linux kernel/initrd before updating the global variable
kernel_size. Otherwise the previous Linux kernel gets deallocated with
the kernel_size of the Linux kernel that is being currently loaded.
Signed-off-by: Adriano Cordova <adriano.cordova@canonical.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
If a simple string for arguments are passed it should be NUL terminated.
This is true for other code but not for "linux" command.
Signed-off-by: Frediano Ziglio <frediano.ziglio@cloud.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
This is more consistent with the above code using sizeof(grub_efi_char16_t).
Signed-off-by: Frediano Ziglio <frediano.ziglio@cloud.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Although the length should not exceed 2^31 grub_size_t is more
suitable for that variable. len is used to compute the size
of buffers which in C is a size_t, not a int. It is used
for GRUB_EFI_BYTES_TO_PAGES which expects unsigned values.
It is assigned to load_options_size which is unsigned, not signed.
Signed-off-by: Frediano Ziglio <frediano.ziglio@cloud.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
The size passed to grub_utf8_to_utf16() for the source string is
used as a limit for the string if NUL character is not encountered.
However, len, which is "strlen(src) * 2 + 2" is surely greater than
strlen(src). Pass the exact correct length.
Signed-off-by: Frediano Ziglio <frediano.ziglio@cloud.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
If the following allocation fails this would leave load_options NULL
while load_options_size not valid. If the allocation succeed
load_options_size is overwritten.
Signed-off-by: Frediano Ziglio <frediano.ziglio@cloud.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
(grub_size_t) -1 is never returned, the function always return
a not negative values. This is important for overflows considerations.
Signed-off-by: Frediano Ziglio <frediano.ziglio@cloud.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Commit 40e261b89b71 (lib/LzmaEnc: Validate "len" before subtracting)
ensures that the variable len is at least 2. As a result, GetLenToPosState(len)
never returns a value greater than or equal to kNumLenToPosStates,
making the changes introduced in the commit 16c0dbf4bc6a (lzma: Make
sure we don't dereference past array) unreachable and no longer necessary.
This reverts commit 16c0dbf4bc6a (lzma: Make sure we don't dereference past array).
Fixes: CID 481982
Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Correct a test failure in netboot_test and file_filter_test caused by an
issue cleaning up the tmp directory created for netboot. Netboot creates
a subdirectory in the tmp folder that causes the rmdir to fail - so
cleanup the subdirectory first.
Fixes: 1d59f39b5f1b (tests/util/grub-shell: Remove the work directory on successful run and debug is not on)
Signed-off-by: Andrew Hamilton <adhamilt@gmail.com>
Tested-by: Leo Sandoval <lsandova@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
In bidi_line_wrap(), "kk - 1" in the for loop init, "i = kk - 1",
underflows when "kk" (unsigned int) is 0. Assigning the result of
"kk - 1" to signed int "i" may cause overflow. To address both
issues, cast "kk" to a signed type before subtraction to ensure
safe arithmetic and assignment.
Fixed: CID 473874
Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Trying to start grub-emu with a module that calls grub_dl_set_persistent()
and grub_dl_is_persistent() will crash because grub-emu fakes modules and
passes NULL to the module init function.
Provide an empty function for the emu case.
Fixes: ee7808e2197c (dl: Add support for persistent modules)
Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Avnish Chouhan <avnish@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
In function protect_tpm2_export_tpm2key(), the "err" variable
is uninitialized in the normal (error free) path, so ensure this
defaults to GRUB_ERR_NONE.
This causes the GRUB build to fail with clang (observed with clang-14).
Fixes: 5934bf51c (util/grub-protect: Support NV index mode)
Signed-off-by: Andrew Hamilton <adhamilt@gmail.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
This patch resolved a minor issue spotted by Coverity:
a983d36bd917 (gnulib/regexec: Resolve unused variable)
But, it was removed by the Gnulib update:
2b7902459803 (Update gnulib version and drop most gnulib patches)
It caused Coverity to continue to flag the issue. Daniel Kiper
suggested to bring back the patch a983d36bd917 (gnulib/regexec: Resolve
unused variable).
Fixes: CID 292459
Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Pull in Gnulib fix to allow lib/base64.c to compile using GCC 15 or newer.
Pulled from Gnulib commit 25df6dc425 (Silence some
-Wunterminated-string-initialization warnings.)
GCC 15 adds a new compiler warning "-Wunterminated-string-initialization"
that will trigger what is considered a false-positive in lib/base64.c as
this array is not treated as a string but an array of characters so the
lack of NUL string terminator is expected.
GCC team has added ability to flag such instances of arrays that the
compiler may think are strings as "nonstring" arrays to avoid this
warning: __attribute__((nonstring)).
Fixes: https://savannah.gnu.org/bugs/?66470
Signed-off-by: Andrew Hamilton <adhamilt@gmail.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
In the function merge_state_with_log(), memory is allocated for the variable
next_nodes when creating a union of the variables table_nodes and log_nodes.
However, if next_state->entrance_nodes is NULL, then table_nodes becomes NULL
and we still allocate memory to copy the content of log_nodes. This can cause
a resource leak since we only free the memory for next_nodes if table_nodes
isn't NULL. To prevent this, we need to check that next_state->entrance_nodes
isn't NULL before allocating memory for the union.
This issue has been fixed in the latest version of gnulib and I've backported
this change to maintain consistency.
This issue was found by a Coverity scan of GRUB2 under the CID 473887.
Fixes: CID 473887
Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
In the functions create_initial_state() and calc_eclosure_iter(), memory
is allocated for the elems member of a re_node_set structure but that
memory isn't freed on error. Before returning an error, a call to
re_node_set_free() should be made to prevent the resource leak.
This issue has been fixed in the latest version of gnulib and I've
backported this change to maintain consistency.
This issue was found by a Coverity scan of GRUB2 under the following
CIDs: 473869, 473888.
Fixes: CID 473869
Fixes: CID 473888
Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Add a few more tests to seal and unseal the key with the SHA-384 PCR
bank instead of the default SHA-256 PCR bank.
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
TPM 2.0 Key File format stores the PCR selection in the parameters
for TPM2_PolicyPCR and it already contains the selected PCR bank.
Currently, tpm2_key_protector dumped the PCR bank specified by the
--bank option, and it may not be the PCR bank for key unsealing.
To dump the real PCR bank for key unsealing, this commit records the PCR
bank used by TPM2_PolicyPCR and dumps PCR values from that bank when
necessary.
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
For tpm2_key_protector and grub-protect, SHA-256 is chosen as the hash
algorithm for the TPM session. However, grub-protect mistakenly used the
hash algorithm of the PCR bank to calculate PCR digest. If the user
chose a PCR bank other than SHA-256, grub-protect created a non-SHA-256
PCR digest to seal the key. But, tpm2_key_protector expects a SHA-256
PCR digest to the TPM unsealing session, so it would fail due to digest
mismatch.
This commit fixes the hash algorithm of PCR digest in grub-protect to
avoid the potential unsealing failure.
Fixes: https://github.com/lcp/grub2/issues/4
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Several new header files have been added to GRUB which need
to be manually added to the dist archive. This allows building
from the tar archive created by "make dist".
Signed-off-by: Andrew Hamilton <adhamilt@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
This file is auto-generated based on the selected platform and should
not be included in the source tarball.
Fixes: 6744840b (build: Track explicit module dependencies in Makefile.core.def)
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
Signed-off-by: Andrew Hamilton <adhamilt@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
In LzmaEnc_CodeOneBlock(), both GetOptimumFast() and GetOptimum()
returns a value of greater or equal to 1, which is assigned to
"len". But since LZMA_MATCH_LEN_MIN == 2, "len" should be validated
before performing "len - LZMA_MATCH_LEN_MIN" to avoid underflow
when "len" equals to 1.
Fixes: CID 51508
Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
