kumquat-buildroot/boot/grub2/grub2.mk
Thomas Petazzoni 65c99394ff boot/grub2: backport fixes for numerous CVEs
Grub 2.06 is affected by a number of CVEs, which have been fixed in
the master branch of Grub, but are not yet part of any release (there
is a 2.12-rc1 release, but nothing else between 2.06 and 2.12-rc1).

So this patch backports the relevant fixes for CVE-2022-28736,
CVE-2022-28735, CVE-2021-3695, CVE-2021-3696, CVE-2021-3697,
CVE-2022-28733, CVE-2022-28734, CVE-2022-2601 and CVE-2022-3775.

It should be noted that CVE-2021-3695, CVE-2021-3696, CVE-2021-3697
are not reported as affecting Grub by our CVE matching logic because
the NVD database uses an incorrect CPE ID in those CVEs: it uses
"grub" as the product instead of "grub2" like all other CVEs for
grub. This issue has been reported to the NVD maintainers.

This requires backporting a lot of patches, but jumping from 2.06 to
2.12-rc1 implies getting 592 commits, which is quite a lot.

All Grub test cases are working fine:

  https://gitlab.com/tpetazzoni/buildroot/-/pipelines/984500585
  https://gitlab.com/tpetazzoni/buildroot/-/pipelines/984500679

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Arnout: fix check-package warning in patch 0002]
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
2023-08-30 21:54:23 +02:00


################################################################################
#
# grub2
#
################################################################################
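GRUB2_VERSION = 2.06
# Fetch the tarball over TLS rather than cleartext HTTP; Buildroot's
# per-package hash check still verifies the downloaded contents, so both
# transport and content are covered.
GRUB2_SITE = https://ftp.gnu.org/gnu/grub
GRUB2_SOURCE = grub-$(GRUB2_VERSION).tar.xz
GRUB2_LICENSE = GPL-3.0+
GRUB2_LICENSE_FILES = COPYING
# host-grub2 provides the grub-mkimage binary that GRUB2_INSTALL_IMAGES_CMDS
# uses to assemble the bootloader images from the target build.
GRUB2_DEPENDENCIES = host-bison host-flex host-grub2
HOST_GRUB2_DEPENDENCIES = host-bison host-flex
# Images are produced by the custom GRUB2_INSTALL_IMAGES_CMDS defined below.
GRUB2_INSTALL_IMAGES = YES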
# 0001-Makefile-Make-grub_fstest.pp-depend-on-config-util.h.patch
# After patching, refresh the timestamp of the generated Makefile.in so
# the build does not try to re-run automake/autoreconf on it.
# NOTE(review): presumably needed because the patch above touches the
# automake inputs — confirm when the patch is dropped or reworked.
define GRUB2_AVOID_AUTORECONF
	$(Q)touch $(@D)/Makefile.in
endef
# Both the target and the host build apply the same patch set, so both
# need the workaround.
GRUB2_POST_PATCH_HOOKS += GRUB2_AVOID_AUTORECONF
HOST_GRUB2_POST_PATCH_HOOKS += GRUB2_AVOID_AUTORECONF
# CVEs listed here are excluded from Buildroot's CVE report because they
# are either fixed by one of the local patches (named in the comment above
# each entry) or do not apply to the upstream sources Buildroot builds.
# The "fixed by patch" entries must be dropped together with their patch
# when bumping to a release that already contains the fix.
#
# CVE-2019-14865 is about a flaw in the grub2-set-bootflag tool, which
# doesn't exist upstream, but is added by the Redhat/Fedora
# packaging. Not applicable to Buildroot.
GRUB2_IGNORE_CVES += CVE-2019-14865
# CVE-2020-15705 is related to a flaw in the use of the
# grub_linuxefi_secure_validate(), which was added by Debian/Ubuntu
# patches. The issue doesn't affect upstream Grub, and
# grub_linuxefi_secure_validate() is not implemented in the grub2
# version available in Buildroot.
GRUB2_IGNORE_CVES += CVE-2020-15705
# 0002-grub-mkconfig-Restore-umask-for-the-grub.cfg.patch
GRUB2_IGNORE_CVES += CVE-2021-3981
# vulnerability is specific to the SUSE distribution
GRUB2_IGNORE_CVES += CVE-2021-46705
# 0005-loader-efi-chainloader-Use-grub_loader_set_ex.patch
GRUB2_IGNORE_CVES += CVE-2022-28736
# 0006-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch
GRUB2_IGNORE_CVES += CVE-2022-28735
# 0010-video-readers-png-Drop-greyscale-support-to-fix-heap.patch
GRUB2_IGNORE_CVES += CVE-2021-3695
# 0011-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch
GRUB2_IGNORE_CVES += CVE-2021-3696
# 0012-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch
GRUB2_IGNORE_CVES += CVE-2021-3697
# 0013-net-ip-Do-IP-fragment-maths-safely.patch
GRUB2_IGNORE_CVES += CVE-2022-28733
# CVE-2022-28734 needs both of the following patches; keep them together.
# 0014-net-http-Fix-OOB-write-for-split-http-headers.patch
# 0015-net-http-Error-out-on-headers-with-LF-without-CR.patch
GRUB2_IGNORE_CVES += CVE-2022-28734
# 0017-font-Fix-several-integer-overflows-in-grub_font_cons.patch
GRUB2_IGNORE_CVES += CVE-2022-2601
# 0018-font-Fix-an-integer-underflow-in-blit_comb.patch
GRUB2_IGNORE_CVES += CVE-2022-3775
# Nothing is installed to the target root filesystem unless the user asked
# for the grub user-space tools; the images step is independent of this.
GRUB2_INSTALL_TARGET = NO
ifeq ($(BR2_TARGET_GRUB2_INSTALL_TOOLS),y)
GRUB2_INSTALL_TARGET = YES
endif
# CPE vendor used by the CVE matching logic; the product part defaults to
# the package name (grub2).
GRUB2_CPE_ID_VENDOR = gnu
# User-tunable values from Kconfig. qstrip removes the double quotes that
# Kconfig puts around string values.
GRUB2_BUILTIN_MODULES_PC = $(call qstrip,$(BR2_TARGET_GRUB2_BUILTIN_MODULES_PC))
GRUB2_BUILTIN_MODULES_EFI = $(call qstrip,$(BR2_TARGET_GRUB2_BUILTIN_MODULES_EFI))
GRUB2_BUILTIN_CONFIG_PC = $(call qstrip,$(BR2_TARGET_GRUB2_BUILTIN_CONFIG_PC))
GRUB2_BUILTIN_CONFIG_EFI = $(call qstrip,$(BR2_TARGET_GRUB2_BUILTIN_CONFIG_EFI))
GRUB2_BOOT_PARTITION = $(call qstrip,$(BR2_TARGET_GRUB2_BOOT_PARTITION))
# One group of variables per supported <arch>-<platform> tuple:
#   GRUB2_IMAGE_<tuple>           where grub-mkimage writes the bootloader image
#   GRUB2_CFG_<tuple>             where the default grub.cfg is installed
#   GRUB2_PREFIX_<tuple>          passed to grub-mkimage -p: the path the
#                                 bootloader uses at run time to find its
#                                 config and modules (for BIOS/U-Boot it
#                                 embeds the boot partition in GRUB device
#                                 notation, for EFI it is relative to the ESP)
#   GRUB2_TARGET_<tuple>,
#   GRUB2_PLATFORM_<tuple>        configure --target / --with-platform
#   GRUB2_BUILTIN_CONFIG_<tuple>,
#   GRUB2_BUILTIN_MODULES_<tuple> config file and module list embedded into
#                                 the image by grub-mkimage
# GRUB2_TUPLES-$(BR2_...) appends to GRUB2_TUPLES-y only when the matching
# Kconfig symbol is 'y'; the *_CMDS below iterate over GRUB2_TUPLES-y.
#
# i386-pc
GRUB2_IMAGE_i386-pc = $(BINARIES_DIR)/grub.img
GRUB2_CFG_i386-pc = $(TARGET_DIR)/boot/grub/grub.cfg
GRUB2_PREFIX_i386-pc = ($(GRUB2_BOOT_PARTITION))/boot/grub
GRUB2_TARGET_i386-pc = i386
GRUB2_PLATFORM_i386-pc = pc
GRUB2_BUILTIN_CONFIG_i386-pc = $(GRUB2_BUILTIN_CONFIG_PC)
GRUB2_BUILTIN_MODULES_i386-pc = $(GRUB2_BUILTIN_MODULES_PC)
GRUB2_TUPLES-$(BR2_TARGET_GRUB2_I386_PC) += i386-pc
# i386-efi
GRUB2_IMAGE_i386-efi = $(BINARIES_DIR)/efi-part/EFI/BOOT/bootia32.efi
GRUB2_CFG_i386-efi = $(BINARIES_DIR)/efi-part/EFI/BOOT/grub.cfg
GRUB2_PREFIX_i386-efi = /EFI/BOOT
GRUB2_TARGET_i386-efi = i386
GRUB2_PLATFORM_i386-efi = efi
GRUB2_BUILTIN_CONFIG_i386-efi = $(GRUB2_BUILTIN_CONFIG_EFI)
GRUB2_BUILTIN_MODULES_i386-efi = $(GRUB2_BUILTIN_MODULES_EFI)
GRUB2_TUPLES-$(BR2_TARGET_GRUB2_I386_EFI) += i386-efi
# x86_64-efi
GRUB2_IMAGE_x86_64-efi = $(BINARIES_DIR)/efi-part/EFI/BOOT/bootx64.efi
GRUB2_CFG_x86_64-efi = $(BINARIES_DIR)/efi-part/EFI/BOOT/grub.cfg
GRUB2_PREFIX_x86_64-efi = /EFI/BOOT
GRUB2_TARGET_x86_64-efi = x86_64
GRUB2_PLATFORM_x86_64-efi = efi
GRUB2_BUILTIN_CONFIG_x86_64-efi = $(GRUB2_BUILTIN_CONFIG_EFI)
GRUB2_BUILTIN_MODULES_x86_64-efi = $(GRUB2_BUILTIN_MODULES_EFI)
GRUB2_TUPLES-$(BR2_TARGET_GRUB2_X86_64_EFI) += x86_64-efi
# arm-uboot (reuses the PC built-in config/module settings)
GRUB2_IMAGE_arm-uboot = $(BINARIES_DIR)/boot-part/grub/grub.img
GRUB2_CFG_arm-uboot = $(BINARIES_DIR)/boot-part/grub/grub.cfg
GRUB2_PREFIX_arm-uboot = ($(GRUB2_BOOT_PARTITION))/boot/grub
GRUB2_TARGET_arm-uboot = arm
GRUB2_PLATFORM_arm-uboot = uboot
GRUB2_BUILTIN_CONFIG_arm-uboot = $(GRUB2_BUILTIN_CONFIG_PC)
GRUB2_BUILTIN_MODULES_arm-uboot = $(GRUB2_BUILTIN_MODULES_PC)
GRUB2_TUPLES-$(BR2_TARGET_GRUB2_ARM_UBOOT) += arm-uboot
# arm-efi
GRUB2_IMAGE_arm-efi = $(BINARIES_DIR)/efi-part/EFI/BOOT/bootarm.efi
GRUB2_CFG_arm-efi = $(BINARIES_DIR)/efi-part/EFI/BOOT/grub.cfg
GRUB2_PREFIX_arm-efi = /EFI/BOOT
GRUB2_TARGET_arm-efi = arm
GRUB2_PLATFORM_arm-efi = efi
GRUB2_BUILTIN_CONFIG_arm-efi = $(GRUB2_BUILTIN_CONFIG_EFI)
GRUB2_BUILTIN_MODULES_arm-efi = $(GRUB2_BUILTIN_MODULES_EFI)
GRUB2_TUPLES-$(BR2_TARGET_GRUB2_ARM_EFI) += arm-efi
# arm64-efi
GRUB2_IMAGE_arm64-efi = $(BINARIES_DIR)/efi-part/EFI/BOOT/bootaa64.efi
GRUB2_CFG_arm64-efi = $(BINARIES_DIR)/efi-part/EFI/BOOT/grub.cfg
GRUB2_PREFIX_arm64-efi = /EFI/BOOT
GRUB2_TARGET_arm64-efi = aarch64
GRUB2_PLATFORM_arm64-efi = efi
GRUB2_BUILTIN_CONFIG_arm64-efi = $(GRUB2_BUILTIN_CONFIG_EFI)
GRUB2_BUILTIN_MODULES_arm64-efi = $(GRUB2_BUILTIN_MODULES_EFI)
GRUB2_TUPLES-$(BR2_TARGET_GRUB2_ARM64_EFI) += arm64-efi
# Grub2 is kind of special: it considers CC, LD and so on to be the
# tools to build the host programs and uses TARGET_CC, TARGET_CFLAGS,
# TARGET_CPPFLAGS, TARGET_LDFLAGS to build the bootloader itself.
#
# NOTE: TARGET_STRIP is overridden by !BR2_STRIP_strip, so always
# use the cross compile variant to ensure grub2 builds
#
# -Os is appended to every flag set. -fno-stack-protector switches off any
# stack-protector default the Buildroot toolchain flags may carry,
# presumably because the bootloader build has no stack-protector runtime
# to link against.
# NOTE(review): it is set in CPPFLAGS as well as TARGET_CPPFLAGS, i.e. it
# also disables the stack protector for the user-space grub tools that
# GRUB2_INSTALL_TARGET_CMDS can install on the target — confirm whether
# those tools really need it, since it drops a hardening feature for them.
HOST_GRUB2_CONF_ENV = \
	CPP="$(HOSTCC) -E"
GRUB2_CONF_ENV = \
	CPP="$(TARGET_CC) -E" \
	TARGET_CC="$(TARGET_CC)" \
	CFLAGS="$(TARGET_CFLAGS) -Os" \
	TARGET_CFLAGS="$(TARGET_CFLAGS) -Os" \
	CPPFLAGS="$(TARGET_CPPFLAGS) -Os -fno-stack-protector" \
	TARGET_CPPFLAGS="$(TARGET_CPPFLAGS) -Os -fno-stack-protector" \
	TARGET_LDFLAGS="$(TARGET_LDFLAGS) -Os" \
	TARGET_NM="$(TARGET_NM)" \
	TARGET_OBJCOPY="$(TARGET_OBJCOPY)" \
	TARGET_STRIP="$(TARGET_CROSS)strip"
# Configure options for the host build (tools only, no bootloader platform).
# GRUB2_CONFIGURE_CMDS passes the same list minus --with-platform for every
# target tuple; keep the two in sync.
# ac_cv_lib_lzma_lzma_code=no pre-seeds the configure cache so grub does not
# pick up a liblzma from the build machine.
HOST_GRUB2_CONF_OPTS = \
	--with-platform=none \
	--disable-grub-mkfont \
	--enable-efiemu=no \
	ac_cv_lib_lzma_lzma_code=no \
	--enable-device-mapper=no \
	--enable-libzfs=no \
	--disable-werror
# Configure grub once per enabled tuple, each in its own out-of-tree build
# directory ($(@D)/build-<tuple>), since --target and --with-platform differ
# per tuple. --host/--build make it a cross build; --prefix=/ matches the
# DESTDIR=$(TARGET_DIR) install done in GRUB2_INSTALL_TARGET_CMDS.
# The trailing option list mirrors HOST_GRUB2_CONF_OPTS; keep them in sync.
define GRUB2_CONFIGURE_CMDS
	$(foreach tuple, $(GRUB2_TUPLES-y), \
		@$(call MESSAGE,Configuring $(tuple))
		mkdir -p $(@D)/build-$(tuple)
		cd $(@D)/build-$(tuple) && \
		$(TARGET_CONFIGURE_OPTS) \
		$(TARGET_CONFIGURE_ARGS) \
		$(GRUB2_CONF_ENV) \
		../configure \
			--target=$(GRUB2_TARGET_$(tuple)) \
			--with-platform=$(GRUB2_PLATFORM_$(tuple)) \
			--host=$(GNU_TARGET_NAME) \
			--build=$(GNU_HOST_NAME) \
			--prefix=/ \
			--exec-prefix=/ \
			--disable-grub-mkfont \
			--enable-efiemu=no \
			ac_cv_lib_lzma_lzma_code=no \
			--enable-device-mapper=no \
			--enable-libzfs=no \
			--disable-werror
	)
endef
# Run the build in every per-tuple directory prepared by
# GRUB2_CONFIGURE_CMDS.
define GRUB2_BUILD_CMDS
	$(foreach t, $(GRUB2_TUPLES-y), \
		@$(call MESSAGE,Building $(t))
		$(TARGET_MAKE_ENV) $(MAKE) -C $(@D)/build-$(t)
	)
endef
# For every enabled tuple, assemble the bootloader image with the host
# grub-mkimage (hence the host-grub2 dependency): -p embeds the run-time
# prefix, -c the optional built-in config, and the trailing words are the
# modules to build in. The default grub.cfg from boot/grub2/ is then
# installed to the per-tuple location. For the tuple whose platform is
# "pc" (i386-pc), cdboot.img is prepended to the image to produce
# grub-eltorito.img, suitable for El Torito CD boot.
#
# The shipped grub.cfg is installed world-readable (0644). Revisit the mode
# if that file is ever made to carry credentials (cf. CVE-2021-3981 above).
define GRUB2_INSTALL_IMAGES_CMDS
	$(foreach tuple, $(GRUB2_TUPLES-y), \
		@$(call MESSAGE,Installing $(tuple) to images directory)
		mkdir -p $(dir $(GRUB2_IMAGE_$(tuple)))
		$(HOST_DIR)/bin/grub-mkimage \
			-d $(@D)/build-$(tuple)/grub-core/ \
			-O $(tuple) \
			-o $(GRUB2_IMAGE_$(tuple)) \
			-p "$(GRUB2_PREFIX_$(tuple))" \
			$(if $(GRUB2_BUILTIN_CONFIG_$(tuple)), \
				-c $(GRUB2_BUILTIN_CONFIG_$(tuple))) \
			$(GRUB2_BUILTIN_MODULES_$(tuple))
		$(INSTALL) -D -m 0644 boot/grub2/grub.cfg $(GRUB2_CFG_$(tuple))
		$(if $(findstring $(GRUB2_PLATFORM_$(tuple)), pc), \
			cat $(@D)/build-$(tuple)/grub-core/cdboot.img $(GRUB2_IMAGE_$(tuple)) > \
				$(BINARIES_DIR)/grub-eltorito.img
		) \
	)
endef
# The grub user-space tools are only installed into the target root
# filesystem when explicitly requested. Every enabled tuple installs into
# the same $(TARGET_DIR), so the tuples' tool sets land in one tree.
ifeq ($(BR2_TARGET_GRUB2_INSTALL_TOOLS),y)
define GRUB2_INSTALL_TARGET_CMDS
	$(foreach t, $(GRUB2_TUPLES-y), \
		@$(call MESSAGE,Installing $(t) to target directory)
		$(TARGET_MAKE_ENV) $(MAKE) -C $(@D)/build-$(t) DESTDIR=$(TARGET_DIR) install
	)
endef
endif
# Target package: generic-package, because configure, build and install are
# fully custom (one pass per tuple, see the *_CMDS above).
# Host package: a regular autotools build driven by HOST_GRUB2_CONF_ENV and
# HOST_GRUB2_CONF_OPTS; it provides the grub-mkimage used for the images.
$(eval $(generic-package))
$(eval $(host-autotools-package))