Re: [SECURITY PATCH 2/8] commands/search: Introduce the --cryptodisk-only argument

2025-05-09 Thread Vladimir 'phcoder' Serbinenko
Small nitpick, otherwise Reviewed-by: Vladimir Serbinenko phco...@gmail.com On Thu, 8 May 2025, 20:03, Daniel Kiper via Grub-devel wrote: > From: Maxim Suhanov > > This allows users to restrict the "search" command's scope to > encrypted disks only. > > Typically, this command is used to "re

Re: [RFC PATCH] commands/efi: add a command to dump all UEFI runtime variables

2025-05-09 Thread Vladimir 'phcoder' Serbinenko
On Fri, 9 May 2025, 13:15, khaalid cali wrote: > From: khaalid > > This command is intended to print or dump all UEFI runtime services. > The structure will look like efivar tool, since visually most people are > familiar with it. If the variable content is string then dump it as > string, ot

Re: [SECURITY PATCH 4/8] commands/search: Add the diskfilter support

2025-05-09 Thread Vladimir 'phcoder' Serbinenko
On Thu, 8 May 2025, 20:04, Daniel Kiper via Grub-devel wrote: > From: Maxim Suhanov > > When the --cryptodisk-only argument is given, also check the target > device using the "cryptocheck" command, if available. > > This extends the checks to common layouts like LVM-on-LUKS, so the > --crypto

Re: [SECURITY PATCH 8/8] cryptocheck: Add --quiet option

2025-05-09 Thread Vladimir 'phcoder' Serbinenko
Can we use extcmd for this? > > >if (disk->dev->id == GRUB_DISK_DEVICE_DISKFILTER_ID) > { > + char opt[] = "--quiet"; > + char *args[2]; > + >cmd = grub_command_find ("cryptocheck"); >if (cmd == NULL) /* No diskfilter module loaded for some reason. */ >
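Review bot: in the GRUB_DISK_DEVICE_DISKFILTER_ID branch, the new `char opt[] = "--quiet"` hard-codes cryptocheck's option spelling at the call site, beside a `grub_command_find ("cryptocheck")` lookup by name, so a later rename of the option on the cryptocheck side would not be caught at build time. A short comment stating what each of the two slots in `char *args[2]` holds would also help, since the excerpt is cut off before the array is filled.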

Re: [SECURITY PATCH 3/8] disk/diskfilter: Introduce the "cryptocheck" command

2025-05-09 Thread Vladimir 'phcoder' Serbinenko
On Thu, 8 May 2025, 20:04, Daniel Kiper via Grub-devel wrote: > From: Maxim Suhanov > > This command examines a given diskfilter device, e.g., an LVM disk, > and checks if underlying disks, physical volumes, are cryptodisks, > e.g., LUKS disks, this layout is called "LVM-on-LUKS". > > The ret

Re: [SECURITY PATCH 6/8] disk/cryptodisk: Add the "erase secrets" function

2025-05-09 Thread Vladimir 'phcoder' Serbinenko
On Thu, 8 May 2025, 20:04, Daniel Kiper via Grub-devel wrote: > From: Maxim Suhanov > > This commit adds the grub_cryptodisk_erasesecrets() function to wipe > master keys from all cryptodisks. This function is EFI-only. > > Since there is no easy way to "force unmount" a given encrypted disk,

Re: [SECURITY PATCH 7/8] disk/cryptodisk: Wipe the passphrase from memory

2025-05-09 Thread Vladimir 'phcoder' Serbinenko
Reviewed-by: Vladimir Serbinenko phco...@gmail.com Regards Vladimir 'phcoder' Serbinenko On Thu, 8 May 2025, 20:04, Daniel Kiper via Grub-devel wrote: > From: Maxim Suhanov > > Switching to another EFI boot application while there are secrets in > RAM is dangerous, because not all firmware

Re: [SECURITY PATCH 00/08] GRUB2 vulnerabilities - 2025/05/08

2025-05-09 Thread Christian Hesse
Daniel Kiper on Thu, 2025/05/08 19:02: > [...] Now all the GRUB2 upstream patches are in > the GRUB2 git repository [2] too. > > [...] > > [2] https://git.savannah.gnu.org/gitweb/?p=grub.git > https://git.savannah.gnu.org/git/grub.git Does not look like... The last commit is still 4abac0ad5a

Re: [SECURITY PATCH 00/08] GRUB2 vulnerabilities - 2025/05/08

2025-05-09 Thread Daniel Kiper via Grub-devel
On Fri, May 09, 2025 at 09:47:05AM +0200, Christian Hesse wrote: > Daniel Kiper on Thu, 2025/05/08 19:02: > > [...] Now all the GRUB2 upstream patches are in > > the GRUB2 git repository [2] too. > > > > [...] > > > > [2] https://git.savannah.gnu.org/gitweb/?p=grub.git > > https://git.savannah

[RFC PATCH] commands/efi: add a command to dump all UEFI runtime variables

2025-05-09 Thread khaalid cali
From: khaalid This command is intended to print or dump all UEFI runtime services. The structure will look like efivar tool, since visually most people are familiar with it. If the variable content is string then dump it as string, otherwise for non string variables print them as raw hex; just th