Re: [PATCH V4] ieee1275/ofdisk: vscsi lun handling on lun len
Message: 3
Date: Mon, 11 Nov 2024 14:42:55 +0530
From: Mukesh Kumar Chaurasiya
To: grub-devel@gnu.org
Cc: meghanaprak...@in.ibm.com, avn...@linux.vnet.ibm.com,
brk...@linux.vnet.ibm.com, mamat...@linux.vnet.ibm.com,
mchau...@linux.vnet.ibm.com, Mukesh Kumar Chaurasiya
Subject: [PATCH V4] ieee1275/ofdisk: vscsi lun handling on lun len
Message-ID: <2024091254.775590-2-mchau...@linux.ibm.com>
The information about "vscsi-report-luns" data is a list of disk
details
with pairs of memory addresses and lengths.
8 bytes 8 bytes
lun-addr ---> 8 bytes
^| buf-addr | lun-count| > -
| | lun |
|| buf-addr | lun-count| | -
"len" | | ... |
||... | | -
| | | lun |
|| buf-addr | lun-count| | -
V |
|---> -
| lun |
-
| ... |
-
| lun |
-
The way the expression (args.table + 4 + 8 * i) is used is incorrect
and
can be confusing. The list of LUNs doesn't end with NULL, indicated by
while (*ptr). Usually, this loop doesn't process any LUNs because it
ends
before checking any as first reported LUN is likely to be 0. The list
of
LUNs ends based on its length, not by a NULL value.
Signed-off-by: Mukesh Kumar Chaurasiya
---
grub-core/disk/ieee1275/ofdisk.c | 30 +++---
1 file changed, 19 insertions(+), 11 deletions(-)
diff --git a/grub-core/disk/ieee1275/ofdisk.c
b/grub-core/disk/ieee1275/ofdisk.c
index c6cba0c8a..b446bb1e7 100644
--- a/grub-core/disk/ieee1275/ofdisk.c
+++ b/grub-core/disk/ieee1275/ofdisk.c
@@ -43,6 +43,12 @@ struct ofdisk_hash_ent
struct ofdisk_hash_ent *next;
};
+struct lun_buf
+{
+ grub_uint64_t buf_addr;
+ grub_uint64_t lun_count;
+};
+
static grub_err_t
grub_ofdisk_get_block_size (const char *device, grub_uint32_t
*block_size,
struct ofdisk_hash_ent *op);
@@ -222,8 +228,9 @@ dev_iterate (const struct grub_ieee1275_devalias
*alias)
grub_ieee1275_cell_t table;
}
args;
+ struct lun_buf *tbl;
char *buf, *bufptr;
- unsigned i;
+ unsigned int i, j;
if (grub_ieee1275_open (alias->path, &ihandle))
return;
@@ -248,17 +255,18 @@ dev_iterate (const struct grub_ieee1275_devalias
*alias)
return;
bufptr = grub_stpcpy (buf, alias->path);
+ tbl = (struct lun_len *) args.table;
for (i = 0; i < args.nentries; i++)
- {
- grub_uint64_t *ptr;
-
- ptr = *(grub_uint64_t **) (args.table + 4 + 8 * i);
- while (*ptr)
- {
- grub_snprintf (bufptr, 32, "/disk@%" PRIxGRUB_UINT64_T,
*ptr++);
- dev_iterate_real (buf, buf);
- }
- }
+{
+ grub_uint64_t *ptr;
+
+ ptr = (grub_uint64_t *)(grub_addr_t) tbl[i].buf_addr;
+ for (j = 0; j < tbl[i].lun_count; j++)
+ {
+ grub_snprintf (bufptr, 32, "/disk@%" PRIxGRUB_UINT64_T,
*ptr++);
+ dev_iterate_real (buf, buf);
+ }
+}
grub_ieee1275_close (ihandle);
grub_free (buf);
return;
--
2.47.0
--
Reviewed-by: Avnish Chouhan
___
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
Re: [PATCH v22 33/33] docs: Document TPM2 key protector
On 11/11/24 2:45 AM, Gary Lin via Grub-devel wrote:
Update the user manual to address TPM2 key protector including the two
related commands, tpm2_key_protector_init and tpm2_key_protector_clear,
and the user-space utility: grub-protect.
Signed-off-by: Gary Lin
Reviewed-by: Daniel Kiper
Reviewed-by: Stefan Berger
---
docs/grub.texi | 525 +
1 file changed, 525 insertions(+)
diff --git a/docs/grub.texi b/docs/grub.texi
index fdd49d62e..71bd6d932 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -6443,6 +6443,8 @@ you forget a command, you can run the command
@command{help}
* smbios:: Retrieve SMBIOS information
* source:: Read a configuration file in same context
* test::Check file types and compare values
+* tpm2_key_protector_init:: Initialize the TPM2 key protector
+* tpm2_key_protector_clear::Clear the TPM2 key protector
* true::Do nothing, successfully
* trust:: Add public key to list of trusted keys
* unset:: Unset an environment variable
@@ -8001,6 +8003,58 @@ either @var{expression1} or @var{expression2} is true
@end table
@end deffn
+@node tpm2_key_protector_init
+@subsection tpm2_key_protector_init
+
+@deffn Command tpm2_key_protector_init [@option{-m} mode] | [@option{-p}
pcrlist] | [@option{-b} pcrbank] | [ [@option{-T} tpm2key_file] | [@option{-k}
keyfile] ] | [@option{-s} handle] | [@option{-a} srk_type] | [@option{-n}
nv_index]
+Initialize the TPM2 key protector to unseal the key for the
@command{cryptomount}
+(@pxref{cryptomount}) command. There are two supported modes,
+SRK(@kbd{srk}) and NV index(@kbd{nv}), to be specified by the option
+@option{-m}. The default mode is SRK. The main difference between SRK mode
+and NV index mode is the storage of the sealed key. For SRK mode, the sealed
+key is stored in a file while NV index mode stores the sealed key in the
+non-volatile memory inside TPM with a given NV index.
+
+The @option{-p} and @option{-b} options are used to supply the PCR list and
+bank that the key is sealed with. The PCR list is a comma-separated list, e.g.,
+'0,2,4,7,9', to represent the involved PCRs, and the default is '7'. The PCR
+bank is chosen by selecting a hash algorithm. The current supported PCR banks
+are SHA1, SHA256, SHA384, and SHA512, and the default is SHA256.
+
+Some options are only available for the specific mode. The SRK-specific
+options are @option{-T}, @option{-k}, @option{-a}, and @option{-s}. On the
+other hand, the NV index-specific option is @option{-n}.
+
+The key file for SRK mode can be supplied with either @option{-T} or
+@option{-k}. The @option{-T} option is for the path to the key file in
+TPM 2.0 Key File format. Since the parameters for the TPM commands are written
+in the file, there is no need to set the PCR list(@option{-p}) and
+bank(@option{-b}) when using the @option{-T} option. The @option{-k} option
+is for the key file in the raw format, and the @option{-p} and @option{-b}
+options are necessary for the non-default PCR list or bank. In general,
+TPM 2.0 Key File format is preferred due to the simplified GRUB command
+options and the authorized policy support
+
+Besides the key file, there are two options, @option{-a} and @option{-s}, to
+tweak the TPM Storage Root Key (SRK). The SRK can be either created at
+runtime or stored in the non-volatile memory. When creating SRK at runtime,
+GRUB provides the SRK template to the TPM to create the key. There are two SRK
+templates for the @option{-a} option, ECC and RSA, and the default is ECC.
+If the SRK is stored in a specific handle, e.g. @code{0x8101}, the
+@option{-s} option can be used to set the handle to notify GRUB to load
+the SRK from the given handle.
+
+The only NV index-specific option is the @option{-n} option which is used to
+set the NV index containing the sealed key. Then GRUB can load the sealed
+key and unseal it with the given PCR list and bank.
+@end deffn
+
+@node tpm2_key_protector_clear
+@subsection tpm2_key_protector_clear
+
+@deffn Command tpm2_key_protector_clear
+Clear the TPM2 key protector if previously initialized.
+@end deffn
@node true
@subsection true
@@ -8529,6 +8583,7 @@ environment variables and commands are listed in the same
order.
* Secure Boot Advanced Targeting:: Embedded information for generation
number based revocation
* Measured Boot::Measuring boot components
* Lockdown:: Lockdown when booting on a secure setup
+* TPM2 key protector:: Managing disk key with TPM2 key protector
@end menu
@node Authentication and authorisation
@@ -8772,6 +8827,310 @@ be restricted and some operations/commands cannot be
executed.
The @samp{lockdown} variable is set to @samp{y} when the GRUB is locked down.
Otherwise it does not exit.
+@nod
[PATCH V4] ieee1275/ofdisk: vscsi lun handling on lun len
The information about "vscsi-report-luns" data is a list of disk details
with pairs of memory addresses and lengths.
8 bytes 8 bytes
lun-addr ---> 8 bytes
^| buf-addr | lun-count| > -
| | lun |
|| buf-addr | lun-count| | -
"len" | | ... |
||... | | -
| | | lun |
|| buf-addr | lun-count| | -
V |
|---> -
| lun |
-
| ... |
-
| lun |
-
The way the expression (args.table + 4 + 8 * i) is used is incorrect and
can be confusing. The list of LUNs doesn't end with NULL, indicated by
while (*ptr). Usually, this loop doesn't process any LUNs because it ends
before checking any as first reported LUN is likely to be 0. The list of
LUNs ends based on its length, not by a NULL value.
Signed-off-by: Mukesh Kumar Chaurasiya
---
grub-core/disk/ieee1275/ofdisk.c | 30 +++---
1 file changed, 19 insertions(+), 11 deletions(-)
diff --git a/grub-core/disk/ieee1275/ofdisk.c b/grub-core/disk/ieee1275/ofdisk.c
index c6cba0c8a..b446bb1e7 100644
--- a/grub-core/disk/ieee1275/ofdisk.c
+++ b/grub-core/disk/ieee1275/ofdisk.c
@@ -43,6 +43,12 @@ struct ofdisk_hash_ent
struct ofdisk_hash_ent *next;
};
+struct lun_buf
+{
+ grub_uint64_t buf_addr;
+ grub_uint64_t lun_count;
+};
+
static grub_err_t
grub_ofdisk_get_block_size (const char *device, grub_uint32_t *block_size,
struct ofdisk_hash_ent *op);
@@ -222,8 +228,9 @@ dev_iterate (const struct grub_ieee1275_devalias *alias)
grub_ieee1275_cell_t table;
}
args;
+ struct lun_buf *tbl;
char *buf, *bufptr;
- unsigned i;
+ unsigned int i, j;
if (grub_ieee1275_open (alias->path, &ihandle))
return;
@@ -248,17 +255,18 @@ dev_iterate (const struct grub_ieee1275_devalias *alias)
return;
bufptr = grub_stpcpy (buf, alias->path);
+ tbl = (struct lun_len *) args.table;
for (i = 0; i < args.nentries; i++)
- {
- grub_uint64_t *ptr;
-
- ptr = *(grub_uint64_t **) (args.table + 4 + 8 * i);
- while (*ptr)
- {
- grub_snprintf (bufptr, 32, "/disk@%" PRIxGRUB_UINT64_T, *ptr++);
- dev_iterate_real (buf, buf);
- }
- }
+{
+ grub_uint64_t *ptr;
+
+ ptr = (grub_uint64_t *)(grub_addr_t) tbl[i].buf_addr;
+ for (j = 0; j < tbl[i].lun_count; j++)
+ {
+ grub_snprintf (bufptr, 32, "/disk@%" PRIxGRUB_UINT64_T, *ptr++);
+ dev_iterate_real (buf, buf);
+ }
+}
grub_ieee1275_close (ihandle);
grub_free (buf);
return;
--
2.47.0
___
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
Re: [PATCH] Mandatory install device check for PowerPC
Hello,
thanks for the patch!
On Sat, Nov 09, 2024 at 11:20:08AM +0530, avnish wrote:
> Hi Vladimir,
> Thank you so much for your response!
>
> I have fine tuned the patch as per the last discussion (sorry, I missed the
> v2 tag). This latest patch will add install device check only to PowerPC
> machines. PowerMacs aren't affected by this change. The check is added when
> platform is detected as "GRUB_INSTALL_PLATFORM_POWERPC_IEEE1275" along with
> machine detected as non PowerMac. As per my Power platform analysis,
> currently in "grub_install.c", it detects PowerMacs based on the file system
> detected (HFS or HFS+) and set the "is_prep" as 0 based on this finding.
> This new check will only be applicable to PowerPC. And in case of PowerMacs,
> it will allow grub_install even without mentioning the install device.
> Thank you!
>
>
> Regards,
> Avnish Chouhan
> > --
> >
> > Message: 5
> > Date: Fri, 8 Nov 2024 15:07:29 +0300
> > From: "Vladimir 'phcoder' Serbinenko"
> > To: The development of GNU GRUB
> > Subject: Re: [PATCH] Mandatory install device check for PowerPC
> > Message-ID:
> >
> > Content-Type: text/plain; charset="utf-8"
> >
> > As discussed in another thread, this breaks installing from x86 onto
> > removable disk for PPC Mac which is a supported workflow
Please be more specific. I cannot find how this version of the patch
still breaks other platforms. Given that you are talking about
cross-installation form x86 this should be eeasy to test given detailed
description.
> >
> > Le ven. 8 nov. 2024, 14:13, Avnish Chouhan a
> > écrit :
> >
> > > This patch adds a check on install_device while installing grub for
> > > PowerPC.
> > > If install_device is not mentioned in grub2-install and machine is
> > > detected
> > > as PowerPC, the error will be thrown and it will terminates the
> > > grub2-install
> > > operation. Running grub2-install on PowerPC without the
> > > install_device may
> > > result in bootlist corruption. When no install device is specified, it
> > > attempts
> > > to load images from the filesystem, which leads to nvram bootlist
> > > corruption.
> > > The idea is to fail the operation and avoid creating the invalid boot
> > > entry.
> > >
> > > Signed-off-by: Avnish Chouhan
> > > ---
> > > grub-install.c | 11 +++
> > > 1 file changed, 11 insertions(+)
Before here there is this code:
if (install_device)
is_prep = 1;
This is the root of the problem. The code sets is_prep based on user
input, and when the input is wrong is_prep remains wrongly unset,
leading to bogus entry written to bootlist, and the system becoming
unbootable.
Instead this code shuld be removed, and is_prep initialized to 1.
> > >
> > > diff --git a/util/grub-install.c b/util/grub-install.c
> > > index 7dc5657..a049f53 100644
> > > --- a/util/grub-install.c
> > > +++ b/util/grub-install.c
> > > @@ -1289,6 +1289,17 @@ main (int argc, char *argv[])
> > > is_prep = 0;
Here is_prep is unset when a Mac boot partition is found. With that
initializing is_prep to 1 gives sound logic for determining if the
system looks like a PowerMac or not.
There is the possibility that grub-install would run on a PowerMac, and
the Mac boot partition is not given by the user nor autodetected but
there is not much that can be done about that given cross-installation
is supported. This case can't work currently either.
> > > }
> > > }
> > > + else
This logic is still not sound. Though unlikely grub-install can find
something that looks like a Mac boot partition (is_guess is 1) but is
not one (does not unset is_prep).
Instead of
else if (!install_device)
if (is_prep && !install_device)
can be used when is_prep is initialized to true unconditionally. Then
the code above sets is_prep to false when a Mac partition is found, and
if none is found and install device is not set it's an error.
> > > +{
> > > + /*
> > > + * As the machine has been detected as PowerPC and not the
> > > PowerMac. We need to check
> > > + * whether the install_device has been mentioned while
> > > installing. If no device has been
> > > + * mentioned, we need to exit and mark it as an error as the
> > > install_device is required for
> > > + * PowerPC installation. An installation with no device
> > > mentioned may lead to corruptions.
> > > + */
> > > + if (!install_device)
> > > + grub_util_error ("%s", _("install device isn't specified
> > > required for PowerPC"));
This message is rather awkward and misleading.
I think something like "install device required on PReP platform" is as
good as it gets.
The platform naming is quite unfortunate. The port to Power family of
CPUs is called powerpc or ppc but PowerPC refers to the desktop family
of CPUs found mainly in PowerMac hardware.
PReP is a standard originally meant for use with PowerPC based hardware,
and that's whe
Re: [PATCH] kern/fs: honour file->read_hook in grub_fs_blocklist_read()
On Tue, Oct 15 2024, Daniel Kiper wrote: > On Fri, Oct 11, 2024 at 08:12:59PM +0200, Rasmus Villemoes via Grub-devel > wrote: >> "Vladimir 'phcoder' Serbinenko" writes: >> >> > Reviewed-by: phco...@gmail.com > > Reviewed-by: Daniel Kiper > >> Thanks. Can this be picked up, please? > > I will take it together with other patches in next round... > Sorry for nagging you, but this seems to have fallen through the cracks. Rasmus ___ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
[PATCH v22 33/33] docs: Document TPM2 key protector
Update the user manual to address TPM2 key protector including the two
related commands, tpm2_key_protector_init and tpm2_key_protector_clear,
and the user-space utility: grub-protect.
Signed-off-by: Gary Lin
Reviewed-by: Daniel Kiper
---
docs/grub.texi | 525 +
1 file changed, 525 insertions(+)
diff --git a/docs/grub.texi b/docs/grub.texi
index fdd49d62e..71bd6d932 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -6443,6 +6443,8 @@ you forget a command, you can run the command
@command{help}
* smbios:: Retrieve SMBIOS information
* source:: Read a configuration file in same context
* test::Check file types and compare values
+* tpm2_key_protector_init:: Initialize the TPM2 key protector
+* tpm2_key_protector_clear::Clear the TPM2 key protector
* true::Do nothing, successfully
* trust:: Add public key to list of trusted keys
* unset:: Unset an environment variable
@@ -8001,6 +8003,58 @@ either @var{expression1} or @var{expression2} is true
@end table
@end deffn
+@node tpm2_key_protector_init
+@subsection tpm2_key_protector_init
+
+@deffn Command tpm2_key_protector_init [@option{-m} mode] | [@option{-p}
pcrlist] | [@option{-b} pcrbank] | [ [@option{-T} tpm2key_file] | [@option{-k}
keyfile] ] | [@option{-s} handle] | [@option{-a} srk_type] | [@option{-n}
nv_index]
+Initialize the TPM2 key protector to unseal the key for the
@command{cryptomount}
+(@pxref{cryptomount}) command. There are two supported modes,
+SRK(@kbd{srk}) and NV index(@kbd{nv}), to be specified by the option
+@option{-m}. The default mode is SRK. The main difference between SRK mode
+and NV index mode is the storage of the sealed key. For SRK mode, the sealed
+key is stored in a file while NV index mode stores the sealed key in the
+non-volatile memory inside TPM with a given NV index.
+
+The @option{-p} and @option{-b} options are used to supply the PCR list and
+bank that the key is sealed with. The PCR list is a comma-separated list, e.g.,
+'0,2,4,7,9', to represent the involved PCRs, and the default is '7'. The PCR
+bank is chosen by selecting a hash algorithm. The current supported PCR banks
+are SHA1, SHA256, SHA384, and SHA512, and the default is SHA256.
+
+Some options are only available for the specific mode. The SRK-specific
+options are @option{-T}, @option{-k}, @option{-a}, and @option{-s}. On the
+other hand, the NV index-specific option is @option{-n}.
+
+The key file for SRK mode can be supplied with either @option{-T} or
+@option{-k}. The @option{-T} option is for the path to the key file in
+TPM 2.0 Key File format. Since the parameters for the TPM commands are written
+in the file, there is no need to set the PCR list(@option{-p}) and
+bank(@option{-b}) when using the @option{-T} option. The @option{-k} option
+is for the key file in the raw format, and the @option{-p} and @option{-b}
+options are necessary for the non-default PCR list or bank. In general,
+TPM 2.0 Key File format is preferred due to the simplified GRUB command
+options and the authorized policy support
+
+Besides the key file, there are two options, @option{-a} and @option{-s}, to
+tweak the TPM Storage Root Key (SRK). The SRK can be either created at
+runtime or stored in the non-volatile memory. When creating SRK at runtime,
+GRUB provides the SRK template to the TPM to create the key. There are two SRK
+templates for the @option{-a} option, ECC and RSA, and the default is ECC.
+If the SRK is stored in a specific handle, e.g. @code{0x8101}, the
+@option{-s} option can be used to set the handle to notify GRUB to load
+the SRK from the given handle.
+
+The only NV index-specific option is the @option{-n} option which is used to
+set the NV index containing the sealed key. Then GRUB can load the sealed
+key and unseal it with the given PCR list and bank.
+@end deffn
+
+@node tpm2_key_protector_clear
+@subsection tpm2_key_protector_clear
+
+@deffn Command tpm2_key_protector_clear
+Clear the TPM2 key protector if previously initialized.
+@end deffn
@node true
@subsection true
@@ -8529,6 +8583,7 @@ environment variables and commands are listed in the same
order.
* Secure Boot Advanced Targeting:: Embedded information for generation
number based revocation
* Measured Boot::Measuring boot components
* Lockdown:: Lockdown when booting on a secure setup
+* TPM2 key protector:: Managing disk key with TPM2 key protector
@end menu
@node Authentication and authorisation
@@ -8772,6 +8827,310 @@ be restricted and some operations/commands cannot be
executed.
The @samp{lockdown} variable is set to @samp{y} when the GRUB is locked down.
Otherwise it does not exit.
+@node TPM2 key protector
+@section TPM2 key protector in GRUB
+
+TPM2 key protector extends measured boot to unlock the
[PATCH v22 30/33] diskfilter: look up cryptodisk devices first
When using disk auto-unlocking with TPM 2.0, the typical grub.cfg may
look like this:
tpm2_key_protector_init --tpm2key=(hd0,gpt1)/boot/grub/sealed.tpm
cryptomount -u -P tpm2
search --fs-uuid --set=root
Since the disk search order is based on the order of module loading, the
attacker could insert a malicious disk with the same FS-UUID root to
trick GRUB to boot into the malicious root and further dump memory to
steal the unsealed key.
Do defend against such an attack, we can specify the hint provided by
'grub-probe' to search the encrypted partition first:
search --fs-uuid --set=root --hint='cryptouuid/'
However, for LVM on an encrypted partition, the search hint provided by
'grub-probe' is:
--hint='lvmid//'
It doesn't guarantee to look up the logical volume from the encrypted
partition, so the attacker may have the chance to fool GRUB to boot
into the malicious disk.
To minimize the attack surface, this commit tweaks the disk device search
in diskfilter to look up cryptodisk devices first and then others, so
that the auto-unlocked disk will be found first, not the attacker's disk.
Cc: Fabian Vogt
Signed-off-by: Gary Lin
Reviewed-by: Stefan Berger
Reviewed-by: Daniel Kiper
---
grub-core/disk/diskfilter.c | 31 ++-
1 file changed, 22 insertions(+), 9 deletions(-)
diff --git a/grub-core/disk/diskfilter.c b/grub-core/disk/diskfilter.c
index 21e239511..606195c26 100644
--- a/grub-core/disk/diskfilter.c
+++ b/grub-core/disk/diskfilter.c
@@ -226,15 +226,28 @@ scan_devices (const char *arname)
int need_rescan;
for (pull = 0; pull < GRUB_DISK_PULL_MAX; pull++)
-for (p = grub_disk_dev_list; p; p = p->next)
- if (p->id != GRUB_DISK_DEVICE_DISKFILTER_ID
- && p->disk_iterate)
- {
- if ((p->disk_iterate) (scan_disk_hook, NULL, pull))
- return;
- if (arname && is_lv_readable (find_lv (arname), 1))
- return;
- }
+{
+ /* look up the crytodisk devices first */
+ for (p = grub_disk_dev_list; p; p = p->next)
+ if (p->id == GRUB_DISK_DEVICE_CRYPTODISK_ID && p->disk_iterate)
+ {
+ if ((p->disk_iterate) (scan_disk_hook, NULL, pull))
+ return;
+ if (arname && is_lv_readable (find_lv (arname), 1))
+ return;
+ break;
+ }
+
+ /* check the devices other than crytodisk */
+ for (p = grub_disk_dev_list; p; p = p->next)
+ if (p->id != GRUB_DISK_DEVICE_DISKFILTER_ID && p->disk_iterate)
+ {
+ if ((p->disk_iterate) (scan_disk_hook, NULL, pull))
+ return;
+ if (arname && is_lv_readable (find_lv (arname), 1))
+ return;
+ }
+}
scan_depth = 0;
need_rescan = 1;
--
2.43.0
___
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
[PATCH 2/4 v11] disk/lvm: Remove unused cache_pool
cache_pool is never read or used, remove it
Signed-off-by: Patrick Plenefisch
---
grub-core/disk/lvm.c | 25 -
1 file changed, 25 deletions(-)
diff --git a/grub-core/disk/lvm.c b/grub-core/disk/lvm.c
index 36023279f..286132d74 100644
--- a/grub-core/disk/lvm.c
+++ b/grub-core/disk/lvm.c
@@ -37,7 +37,6 @@ GRUB_MOD_LICENSE ("GPLv3+");
struct ignored_feature_lv
{
struct grub_diskfilter_lv *lv;
- char *cache_pool;
char *origin;
struct ignored_feature_lv *next;
};
@@ -127,7 +126,6 @@ grub_lvm_free_ignored_feature_lvs (struct
ignored_feature_lv *ignored_feature_lv
}
grub_free (ignored_feature->lv);
grub_free (ignored_feature->origin);
- grub_free (ignored_feature->cache_pool);
grub_free (ignored_feature);
}
}
@@ -844,28 +842,6 @@ grub_lvm_detect (grub_disk_t disk,
skip_lv = 1;
- p2 = grub_strstr (p, "cache_pool = \"");
- if (!p2)
-goto ignored_feature_lv_fail;
-
- p2 = grub_strchr (p2, '"');
- if (!p2)
-goto ignored_feature_lv_fail;
-
- p3 = ++p2;
- if (p3 == mda_end)
-goto ignored_feature_lv_fail;
- p3 = grub_strchr (p3, '"');
- if (!p3)
-goto ignored_feature_lv_fail;
-
- sz = p3 - p2;
-
- ignored_feature->cache_pool = grub_malloc (sz + 1);
- if (!ignored_feature->cache_pool)
-goto ignored_feature_lv_fail;
- grub_memcpy (ignored_feature->cache_pool, p2, sz);
- ignored_feature->cache_pool[sz] = '\0';
p2 = grub_strstr (p, "origin = \"");
if (!p2)
@@ -898,7 +874,6 @@ grub_lvm_detect (grub_disk_t disk,
if (ignored_feature)
{
grub_free (ignored_feature->origin);
- grub_free (ignored_feature->cache_pool);
if (ignored_feature->lv)
{
grub_free (ignored_feature->lv->fullname);
--
2.39.5
From db91a2a2a565dc4cb1d9e90221df3ee21df181b2 Mon Sep 17 00:00:00 2001
From: Patrick Plenefisch
Date: Tue, 13 Aug 2024 20:15:37 -0400
Subject: [PATCH 2/4] disk/lvm: Remove unused cache_pool
cache_pool is never read or used, remove it
Signed-off-by: Patrick Plenefisch
---
grub-core/disk/lvm.c | 25 -
1 file changed, 25 deletions(-)
diff --git a/grub-core/disk/lvm.c b/grub-core/disk/lvm.c
index 36023279f..286132d74 100644
--- a/grub-core/disk/lvm.c
+++ b/grub-core/disk/lvm.c
@@ -37,7 +37,6 @@ GRUB_MOD_LICENSE ("GPLv3+");
struct ignored_feature_lv
{
struct grub_diskfilter_lv *lv;
- char *cache_pool;
char *origin;
struct ignored_feature_lv *next;
};
@@ -127,7 +126,6 @@ grub_lvm_free_ignored_feature_lvs (struct ignored_feature_lv *ignored_feature_lv
}
grub_free (ignored_feature->lv);
grub_free (ignored_feature->origin);
- grub_free (ignored_feature->cache_pool);
grub_free (ignored_feature);
}
}
@@ -844,28 +842,6 @@ grub_lvm_detect (grub_disk_t disk,
skip_lv = 1;
- p2 = grub_strstr (p, "cache_pool = \"");
- if (!p2)
- goto ignored_feature_lv_fail;
-
- p2 = grub_strchr (p2, '"');
- if (!p2)
- goto ignored_feature_lv_fail;
-
- p3 = ++p2;
- if (p3 == mda_end)
- goto ignored_feature_lv_fail;
- p3 = grub_strchr (p3, '"');
- if (!p3)
- goto ignored_feature_lv_fail;
-
- sz = p3 - p2;
-
- ignored_feature->cache_pool = grub_malloc (sz + 1);
- if (!ignored_feature->cache_pool)
- goto ignored_feature_lv_fail;
- grub_memcpy (ignored_feature->cache_pool, p2, sz);
- ignored_feature->cache_pool[sz] = '\0';
p2 = grub_strstr (p, "origin = \"");
if (!p2)
@@ -898,7 +874,6 @@ grub_lvm_detect (grub_disk_t disk,
if (ignored_feature)
{
grub_free (ignored_feature->origin);
- grub_free (ignored_feature->cache_pool);
if (ignored_feature->lv)
{
grub_free (ignored_feature->lv->fullname);
--
2.39.5
___
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
[PATCH 1/4 v11] disk/lvm: Make cache_lv more generic as ignored_feature_lv
This patch isn't necessary by itself, but when combined with the next
two patchs it enhances readability as ignored_features_lv is then used
for multiple types of extra LV's, not just cache LV's
Signed-off-by: Patrick Plenefisch
---
grub-core/disk/lvm.c | 176 +--
1 file changed, 88 insertions(+), 88 deletions(-)
diff --git a/grub-core/disk/lvm.c b/grub-core/disk/lvm.c
index 0c32c95f9..36023279f 100644
--- a/grub-core/disk/lvm.c
+++ b/grub-core/disk/lvm.c
@@ -34,12 +34,12 @@
GRUB_MOD_LICENSE ("GPLv3+");
-struct cache_lv
+struct ignored_feature_lv
{
struct grub_diskfilter_lv *lv;
char *cache_pool;
char *origin;
- struct cache_lv *next;
+ struct ignored_feature_lv *next;
};
@@ -105,30 +105,30 @@ grub_lvm_check_flag (const char *p, const char
*str, const char *flag)
}
static void
-grub_lvm_free_cache_lvs (struct cache_lv *cache_lvs)
+grub_lvm_free_ignored_feature_lvs (struct ignored_feature_lv
*ignored_feature_lvs)
{
- struct cache_lv *cache;
+ struct ignored_feature_lv *ignored_feature;
- while ((cache = cache_lvs))
+ while ((ignored_feature = ignored_feature_lvs))
{
- cache_lvs = cache_lvs->next;
+ ignored_feature_lvs = ignored_feature_lvs->next;
- if (cache->lv)
+ if (ignored_feature->lv)
{
unsigned int i;
- for (i = 0; i < cache->lv->segment_count; ++i)
-if (cache->lv->segments)
- grub_free (cache->lv->segments[i].nodes);
- grub_free (cache->lv->segments);
- grub_free (cache->lv->fullname);
- grub_free (cache->lv->idname);
- grub_free (cache->lv->name);
+ for (i = 0; i < ignored_feature->lv->segment_count; ++i)
+if (ignored_feature->lv->segments)
+ grub_free (ignored_feature->lv->segments[i].nodes);
+ grub_free (ignored_feature->lv->segments);
+ grub_free (ignored_feature->lv->fullname);
+ grub_free (ignored_feature->lv->idname);
+ grub_free (ignored_feature->lv->name);
}
- grub_free (cache->lv);
- grub_free (cache->origin);
- grub_free (cache->cache_pool);
- grub_free (cache);
+ grub_free (ignored_feature->lv);
+ grub_free (ignored_feature->origin);
+ grub_free (ignored_feature->cache_pool);
+ grub_free (ignored_feature);
}
}
@@ -325,7 +325,7 @@ grub_lvm_detect (grub_disk_t disk,
if (! vg)
{
- struct cache_lv *cache_lvs = NULL;
+ struct ignored_feature_lv *ignored_feature_lvs = NULL;
/* First time we see this volume group. We've to create the
whole volume group structure. */
@@ -810,105 +810,105 @@ grub_lvm_detect (grub_disk_t disk,
else if (grub_memcmp (p, "cache\"",
sizeof ("cache\"") - 1) == 0)
{
- struct cache_lv *cache = NULL;
+ struct ignored_feature_lv *ignored_feature = NULL;
char *p2, *p3;
grub_size_t sz;
- cache = grub_zalloc (sizeof (*cache));
- if (!cache)
-goto cache_lv_fail;
- cache->lv = grub_zalloc (sizeof (*cache->lv));
- if (!cache->lv)
-goto cache_lv_fail;
- grub_memcpy (cache->lv, lv, sizeof (*cache->lv));
+ ignored_feature = grub_zalloc (sizeof (*ignored_feature));
+ if (!ignored_feature)
+goto ignored_feature_lv_fail;
+ ignored_feature->lv = grub_zalloc (sizeof
(*ignored_feature->lv));
+ if (!ignored_feature->lv)
+goto ignored_feature_lv_fail;
+ grub_memcpy (ignored_feature->lv, lv, sizeof
(*ignored_feature->lv));
if (lv->fullname)
{
- cache->lv->fullname = grub_strdup (lv->fullname);
- if (!cache->lv->fullname)
-goto cache_lv_fail;
+ ignored_feature->lv->fullname = grub_strdup (lv->fullname);
+ if (!ignored_feature->lv->fullname)
+goto ignored_feature_lv_fail;
}
if (lv->idname)
{
- cache->lv->idname = grub_strdup (lv->idname);
- if (!cache->lv->idname)
-goto cache_lv_fail;
+ ignored_feature->lv->idname = grub_strdup (lv->idname);
+ if (!ignored_feature->lv->idname)
+goto ignored_feature_lv_fail;
}
if (lv->name)
{
- cache->lv->name = grub_strdup (lv->name);
- if (!cache->lv->name)
-goto cache_lv_fail;
+ ignored_feature->lv->name = grub_strdup (lv->name);
+ if (!ignored_feature->lv->name)
+goto ignored_feature_lv_fail;
}
skip_lv = 1;
p2 = grub_strstr (p, "cache_pool = \"");
if (!p2)
-goto cache_lv_fail;
+goto ignored_feature_lv_fail;
p2 = grub_strchr (p2, '"');
if (!
[PATCH 0/4 v11] LVM Cachevol and Integrity volumes break entire LVM VG
In an effort to solve
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061168 for myself,
I implemented basic support for cachevol and integrity volumes in LVM.
This is just an extension of the cachepool support that already
existed, and just like that support, I ignore all of the metadata and
just go for the data. This obviously means that writing to "writeback"
cachepools, and any raidintegrity volumes will cause corruption as
before, but as grub only reads files, I think that should be fine.
Without these patches, a system with /boot on a LV with cachevol or
integrity volumes will fail to boot
These patches are also available attached and at
https://github.com/byteit101/grub2/commits/grub-lvmintegrity/
Patrick Plenefisch (4):
disk/lvm: Make cache_lv more generic as ignored_feature_lv
disk/lvm: Remove unused cache_pool
lvm: Add support for integrity lv
lvm: Add support for cachevol lv
grub-core/disk/diskfilter.c | 6 +-
grub-core/disk/lvm.c| 267 ++--
2 files changed, 136 insertions(+), 137 deletions(-)
--
2.39.5
From d6331463f5235f490700856005bda2a4e01d4c60 Mon Sep 17 00:00:00 2001
From: Patrick Plenefisch
Date: Mon, 11 Nov 2024 13:15:35 -0500
Subject: [PATCH 3/4] lvm: Add support for integrity lv
lv matching must be done after processing the ignored feature
indirections, as integrity volumes & caches may have several levels
of indirection that the segments must be shifted through.
pv matching must be completely finished before validating a
volume, otherwise referenced raid stripes may not have pv
data applied yet
This patch contains a change requested by Daniel Kiper to use
a null character instead of an integer zero to terminate strings
Signed-off-by: Patrick Plenefisch
---
grub-core/disk/diskfilter.c | 6 ++-
grub-core/disk/lvm.c| 86 +++--
2 files changed, 57 insertions(+), 35 deletions(-)
diff --git a/grub-core/disk/diskfilter.c b/grub-core/disk/diskfilter.c
index 21e239511..dc3bd943b 100644
--- a/grub-core/disk/diskfilter.c
+++ b/grub-core/disk/diskfilter.c
@@ -966,8 +966,6 @@ grub_diskfilter_vg_register (struct grub_diskfilter_vg *vg)
for (lv = vg->lvs; lv; lv = lv->next)
{
- grub_err_t err;
-
/* RAID 1 and single-disk RAID 0 don't use a chunksize but code
assumes one so set one. */
for (i = 0; i < lv->segment_count; i++)
@@ -979,6 +977,10 @@ grub_diskfilter_vg_register (struct grub_diskfilter_vg *vg)
&& lv->segments[i].stripe_size == 0)
lv->segments[i].stripe_size = 64;
}
+}
+ for (lv = vg->lvs; lv; lv = lv->next)
+{
+ grub_err_t err;
err = validate_lv(lv);
if (err)
diff --git a/grub-core/disk/lvm.c b/grub-core/disk/lvm.c
index 286132d74..abb5b12ae 100644
--- a/grub-core/disk/lvm.c
+++ b/grub-core/disk/lvm.c
@@ -805,13 +805,27 @@ grub_lvm_detect (grub_disk_t disk,
seg->nodes[seg->node_count - 1].name = tmp;
}
}
- else if (grub_memcmp (p, "cache\"",
- sizeof ("cache\"") - 1) == 0)
+ /*
+ * Cache and integrity LVs have extra parts that
+ * we can ignore for our read-only access
+ */
+ else if (grub_strncmp (p, "cache\"",
+ sizeof ("cache\"") - 1) == 0
+ || grub_strncmp (p, "integrity\"",
+ sizeof ("integrity\"") - 1) == 0)
{
struct ignored_feature_lv *ignored_feature = NULL;
char *p2, *p3;
grub_size_t sz;
+#ifdef GRUB_UTIL
+ p2 = grub_strchr (p, '"');
+ if (p2)
+ *p2 = '\0';
+ grub_util_info ("Ignoring extra metadata type '%s' for %s", p, lv->name);
+ if (p2)
+ *p2 ='"';
+#endif
ignored_feature = grub_zalloc (sizeof (*ignored_feature));
if (!ignored_feature)
@@ -892,7 +906,7 @@ grub_lvm_detect (grub_disk_t disk,
char *p2;
p2 = grub_strchr (p, '"');
if (p2)
- *p2 = 0;
+ *p2 = '\0';
grub_util_info ("unknown LVM type %s", p);
if (p2)
*p2 ='"';
@@ -936,36 +950,6 @@ grub_lvm_detect (grub_disk_t disk,
}
}
- /* Match lvs. */
- {
- struct grub_diskfilter_lv *lv1;
- struct grub_diskfilter_lv *lv2;
- for (lv1 = vg->lvs; lv1; lv1 = lv1->next)
- for (i = 0; i < lv1->segment_count; i++)
- for (j = 0; j < lv1->segments[i].node_count; j++)
- {
- if (vg->pvs)
- for (pv = vg->pvs; pv; pv = pv->next)
- {
- if (! grub_strcmp (pv->name,
- lv1->segments[i].nodes[j].name))
- {
- lv1->segments[i].nodes[j].pv = pv;
- break;
- }
- }
- if (lv1->segments[i].nodes[j].pv == NULL)
- for (lv2 = vg->lvs; lv2; lv2 = lv2->next)
- {
- if (lv1 == lv2)
- continue;
- if (grub_strcmp (lv2->name,
- lv1->segments[i].nodes[j].name) == 0)
- lv1->segments[i].nodes[j].lv = lv2;
- }
- }
-
- }
{
struct ignored_feature_lv *ignored_feature;
@@ -1014,9 +998,45 @@ grub_lvm_detect (grub_disk_t disk,
ignored_featu
[PATCH 3/4 v11] lvm: Add support for integrity lv
lv matching must be done after processing the ignored feature
indirections, as integrity volumes & caches may have several levels
of indirection that the segments must be shifted through.
pv matching must be completely finished before validating a
volume, otherwise referenced raid stripes may not have pv
data applied yet
This patch contains a change requested by Daniel Kiper to use
a null character instead of an integer zero to terminate strings
Signed-off-by: Patrick Plenefisch
---
grub-core/disk/diskfilter.c | 6 ++-
grub-core/disk/lvm.c| 86 +++--
2 files changed, 57 insertions(+), 35 deletions(-)
diff --git a/grub-core/disk/diskfilter.c b/grub-core/disk/diskfilter.c
index 21e239511..dc3bd943b 100644
--- a/grub-core/disk/diskfilter.c
+++ b/grub-core/disk/diskfilter.c
@@ -966,8 +966,6 @@ grub_diskfilter_vg_register (struct grub_diskfilter_vg *vg)
for (lv = vg->lvs; lv; lv = lv->next)
{
- grub_err_t err;
-
/* RAID 1 and single-disk RAID 0 don't use a chunksize but code
assumes one so set one. */
for (i = 0; i < lv->segment_count; i++)
@@ -979,6 +977,10 @@ grub_diskfilter_vg_register (struct grub_diskfilter_vg *vg)
&& lv->segments[i].stripe_size == 0)
lv->segments[i].stripe_size = 64;
}
+}
+ for (lv = vg->lvs; lv; lv = lv->next)
+{
+ grub_err_t err;
err = validate_lv(lv);
if (err)
diff --git a/grub-core/disk/lvm.c b/grub-core/disk/lvm.c
index 286132d74..abb5b12ae 100644
--- a/grub-core/disk/lvm.c
+++ b/grub-core/disk/lvm.c
@@ -805,13 +805,27 @@ grub_lvm_detect (grub_disk_t disk,
seg->nodes[seg->node_count - 1].name = tmp;
}
}
- else if (grub_memcmp (p, "cache\"",
- sizeof ("cache\"") - 1) == 0)
+ /*
+ * Cache and integrity LVs have extra parts that
+ * we can ignore for our read-only access
+ */
+ else if (grub_strncmp (p, "cache\"",
+ sizeof ("cache\"") - 1) == 0
+ || grub_strncmp (p, "integrity\"",
+ sizeof ("integrity\"") - 1) == 0)
{
struct ignored_feature_lv *ignored_feature = NULL;
char *p2, *p3;
grub_size_t sz;
+#ifdef GRUB_UTIL
+ p2 = grub_strchr (p, '"');
+ if (p2)
+*p2 = '\0';
+ grub_util_info ("Ignoring extra metadata type '%s' for
%s", p, lv->name);
+ if (p2)
+*p2 ='"';
+#endif
ignored_feature = grub_zalloc (sizeof (*ignored_feature));
if (!ignored_feature)
@@ -892,7 +906,7 @@ grub_lvm_detect (grub_disk_t disk,
char *p2;
p2 = grub_strchr (p, '"');
if (p2)
-*p2 = 0;
+*p2 = '\0';
grub_util_info ("unknown LVM type %s", p);
if (p2)
*p2 ='"';
@@ -936,36 +950,6 @@ grub_lvm_detect (grub_disk_t disk,
}
}
- /* Match lvs. */
- {
-struct grub_diskfilter_lv *lv1;
-struct grub_diskfilter_lv *lv2;
-for (lv1 = vg->lvs; lv1; lv1 = lv1->next)
- for (i = 0; i < lv1->segment_count; i++)
-for (j = 0; j < lv1->segments[i].node_count; j++)
- {
-if (vg->pvs)
- for (pv = vg->pvs; pv; pv = pv->next)
-{
- if (! grub_strcmp (pv->name,
- lv1->segments[i].nodes[j].name))
-{
- lv1->segments[i].nodes[j].pv = pv;
- break;
-}
-}
-if (lv1->segments[i].nodes[j].pv == NULL)
- for (lv2 = vg->lvs; lv2; lv2 = lv2->next)
-{
- if (lv1 == lv2)
-continue;
- if (grub_strcmp (lv2->name,
- lv1->segments[i].nodes[j].name) == 0)
-lv1->segments[i].nodes[j].lv = lv2;
-}
- }
-
- }
{
struct ignored_feature_lv *ignored_feature;
@@ -1014,9 +998,45 @@ grub_lvm_detect (grub_disk_t disk,
ignored_feature->lv = NULL;
}
}
+ else
+ {
+#ifdef GRUB_UTIL
+ grub_util_info ("Couldn't find LVM part of ignored
feature on %s", ignored_feature->origin);
+#endif
+ }
}
}
+ /* Match lvs. Must be done after cache and integrity are found */
+ {
+struct grub_diskfilter_lv *lv1;
+struct grub_diskfilter_lv *lv2;
+for (lv1 = vg->lvs; lv1; lv1 = lv1->next)
+ for (i = 0; i < lv1->segment_count; i++)
+for (j = 0; j < lv1->segments[i].node_count; j++)
+ {
+if (vg->pvs)
+ for (pv = vg->pvs; pv; pv = pv->next)
+{
+ if (! grub_strcmp (pv->name,
+ lv1->segments[i].nodes[j].name))
+{
+ lv1->segments[i].nodes[j].pv = pv;
+ break;
+}
+
[PATCH 4/4 v11] lvm: Add support for cachevol lv
Mark cachevol lv's as ignored features, which is true
only if they are configured as "writethrough". This patch
does not let grub boot from "writeback" cache-enabled lv's
Signed-off-by: Patrick Plenefisch
---
grub-core/disk/lvm.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/grub-core/disk/lvm.c b/grub-core/disk/lvm.c
index abb5b12ae..02e359827 100644
--- a/grub-core/disk/lvm.c
+++ b/grub-core/disk/lvm.c
@@ -811,6 +811,8 @@ grub_lvm_detect (grub_disk_t disk,
*/
else if (grub_strncmp (p, "cache\"",
sizeof ("cache\"") - 1) == 0
+ || grub_strncmp (p, "cache+CACHE_USES_CACHEVOL\"",
+ sizeof ("cache+CACHE_USES_CACHEVOL\"") - 1) == 0
|| grub_strncmp (p, "integrity\"",
sizeof ("integrity\"") - 1) == 0)
{
--
2.39.5
From 0b24c91dddc3a8ef039fd27eae7fbea56c05aee5 Mon Sep 17 00:00:00 2001
From: Patrick Plenefisch
Date: Mon, 11 Nov 2024 13:18:39 -0500
Subject: [PATCH 4/4] lvm: Add support for cachevol lv
Mark cachevol lv's as ignored features, which is true
only if they are configured as "writethrough". This patch
does not let grub boot from "writeback" cache-enabled lv's
Signed-off-by: Patrick Plenefisch
---
grub-core/disk/lvm.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/grub-core/disk/lvm.c b/grub-core/disk/lvm.c
index abb5b12ae..02e359827 100644
--- a/grub-core/disk/lvm.c
+++ b/grub-core/disk/lvm.c
@@ -811,6 +811,8 @@ grub_lvm_detect (grub_disk_t disk,
*/
else if (grub_strncmp (p, "cache\"",
sizeof ("cache\"") - 1) == 0
+ || grub_strncmp (p, "cache+CACHE_USES_CACHEVOL\"",
+ sizeof ("cache+CACHE_USES_CACHEVOL\"") - 1) == 0
|| grub_strncmp (p, "integrity\"",
sizeof ("integrity\"") - 1) == 0)
{
--
2.39.5
___
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
Re: [PATCH v22 32/33] tests: Add tpm2_key_protector_test
On 11/11/24 2:45 AM, Gary Lin wrote:
For the tpm2_key_protector module, the TCG2 command submission function
is the only difference between a QEMU instance and grub-emu. To test
TPM2 key unsealing with a QEMU instance, it requires an extra OS image
to invoke grub-protect to seal the LUKS key, rather than a simple
grub-shell rescue CD image. On the other hand, grub-emu can share the
emulated TPM2 device with the host, so that we can seal the LUKS key on
host and test key unsealing with grub-emu.
This test script firstly creates a simple LUKS image to be loaded as a
loopback device in grub-emu. Then an emulated TPM2 device is created by
"swtpm chardev" and PCR 0 and 1 are extended.
There are several test cases in the script to test various settings. Each
test case uses grub-protect or tpm2-tools to seal the LUKS password
with PCR 0 and PCR 1. Then grub-emu is launched to load the LUKS image,
try to mount the image with tpm2_key_protector_init and cryptomount, and
verify the result.
Based on the idea from Michael Chang.
Cc: Michael Chang
Cc: Stefan Berger
Cc: Glenn Washburn
Signed-off-by: Gary Lin
Reviewed-by: Daniel Kiper
Reviewed-by: Stefan Berger
---
Makefile.util.def| 6 +
tests/tpm2_key_protector_test.in | 389 +++
tests/util/grub-shell.in | 6 +-
3 files changed, 400 insertions(+), 1 deletion(-)
create mode 100644 tests/tpm2_key_protector_test.in
diff --git a/Makefile.util.def b/Makefile.util.def
index 074c0aff7..038253b37 100644
--- a/Makefile.util.def
+++ b/Makefile.util.def
@@ -1290,6 +1290,12 @@ script = {
common = tests/asn1_test.in;
};
+script = {
+ testcase = native;
+ name = tpm2_key_protector_test;
+ common = tests/tpm2_key_protector_test.in;
+};
+
program = {
testcase = native;
name = example_unit_test;
diff --git a/tests/tpm2_key_protector_test.in b/tests/tpm2_key_protector_test.in
new file mode 100644
index 0..a92e5f498
--- /dev/null
+++ b/tests/tpm2_key_protector_test.in
@@ -0,0 +1,389 @@
+#! @BUILD_SHEBANG@ -e
+
+# Test GRUBs ability to unseal a LUKS key with TPM 2.0
+# Copyright (C) 2024 Free Software Foundation, Inc.
+#
+# GRUB is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# GRUB is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GRUB. If not, see
Re: [PATCH v3 02/16] term/terminfo: for ppc, reset console display attr when clear screen
Message: 4
Date: Thu, 10 Oct 2024 15:43:20 -0600
From: Leo Sandoval
To: grub-devel@gnu.org
Subject: [PATCH v3 02/16] term/terminfo: for ppc, reset console
display attr when clear screen
Message-ID: <20241010214334.1749167-3-lsand...@redhat.com>
Content-Type: text/plain; charset="US-ASCII"; x-default=true
From: Paulo Flabiano Smorigo
v2: Also use \x0c instead of a literal ^L to make future patches less
awkward.
This should fix this bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=908519
Signed-off-by: Peter Jones
Signed-off-by: Paulo Flabiano Smorigo
Signed-off-by: Robbie Harwood
---
grub-core/term/terminfo.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/grub-core/term/terminfo.c b/grub-core/term/terminfo.c
index 4e534c683..3dbe88e89 100644
--- a/grub-core/term/terminfo.c
+++ b/grub-core/term/terminfo.c
@@ -151,7 +151,7 @@ grub_terminfo_set_current (struct grub_term_output
*term,
/* Clear the screen. Using serial console, screen(1) only
recognizes the
* ANSI escape sequence. Using video console, Apple Open
Firmware
* (version 3.1.1) only recognizes the literal ^L. So use both.
*/
- data->cls = grub_strdup ("
\e[2J");
+ data->cls = grub_strdup ("\x0c\e[2J\e[m");
data->reverse_video_on = grub_strdup ("\e[7m");
data->reverse_video_off = grub_strdup ("\e[m");
if (grub_strcmp ("ieee1275", str) == 0)
--
2.46.2
--
Reviewed-by: Avnish Chouhan
___
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
