kumquat-buildroot/boot/grub2
Thomas Petazzoni 65c99394ff boot/grub2: backport fixes for numerous CVEs
Grub 2.06 is affected by a number of CVEs, which have been fixed in
the master branch of Grub, but are not yet part of any release (there
is a 2.12-rc1 release, but nothing else between 2.06 and 2.12-rc1).

So this patch backports the relevant fixes for CVE-2022-28736,
CVE-2022-28735, CVE-2021-3695, CVE-2021-3696, CVE-2021-3697,
CVE-2022-28733, CVE-2022-28734, CVE-2022-2601 and CVE-2022-3775.

It should be noted that CVE-2021-3695, CVE-2021-3696, CVE-2021-3697
are not reported as affecting Grub by our CVE matching logic because
the NVD database uses an incorrect CPE ID in those CVEs: it uses
"grub" as the product instead of "grub2" like all other CVEs for
grub. This issue has been reported to the NVD maintainers.

This requires backporting a lot of patches, but jumping from 2.06 to
2.12-rc1 implies getting 592 commits, which is quite a lot.

All Grub test cases are working fine:

  https://gitlab.com/tpetazzoni/buildroot/-/pipelines/984500585
  https://gitlab.com/tpetazzoni/buildroot/-/pipelines/984500679

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Arnout: fix check-package warning in patch 0002]
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
2023-08-30 21:54:23 +02:00
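
The CPE product mismatch described in the commit message, shown as an added example (not part of the commit, and not Buildroot's own CVE matching code). The CVE ids are taken from the message; the CPE strings, the vendor "gnu" and the PRODUCT_ALIASES table are assumptions constructed for illustration, and version ranges are ignored.

```python
import re

# Constructed sample data. CVE ids come from the commit message above; the CPE
# strings are illustrative (vendor "gnu" and wildcard versions are assumptions).
GRUB = "cpe:2.3:a:gnu:grub:*:*:*:*:*:*:*:*"
GRUB2 = "cpe:2.3:a:gnu:grub2:*:*:*:*:*:*:*:*"
SAMPLE_NVD = {
    "CVE-2021-3695": [GRUB],
    "CVE-2021-3696": [GRUB],
    "CVE-2021-3697": [GRUB],
    "CVE-2022-28736": [GRUB2],
    "CVE-2022-2601": [GRUB2],
}

# Hypothetical alias table: other product names under which a package's CVEs
# have been filed.
PRODUCT_ALIASES = {"grub2": {"grub"}}


def parse_cpe(cpe):
    """Return (vendor, product) from a CPE 2.3 formatted string."""
    fields = re.split(r"(?<!\\):", cpe)  # a backslash-escaped colon is not a separator
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 string: {cpe!r}")
    return fields[3], fields[4]


def exact_matches(nvd, vendor, product):
    """CVEs with at least one CPE whose vendor and product equal the package's."""
    return {cve for cve, cpes in nvd.items()
            if (vendor, product) in map(parse_cpe, cpes)}


def alias_only_matches(nvd, vendor, product, aliases=PRODUCT_ALIASES):
    """CVEs found only through an alias product name: candidates for manual triage."""
    hits = set()
    for alias in aliases.get(product, ()):
        hits |= exact_matches(nvd, vendor, alias)
    return hits - exact_matches(nvd, vendor, product)


if __name__ == "__main__":
    print("matched:", sorted(exact_matches(SAMPLE_NVD, "gnu", "grub2")))
    print("missed without alias:", sorted(alias_only_matches(SAMPLE_NVD, "gnu", "grub2")))
```
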
0001-Makefile-Make-grub_fstest.pp-depend-on-config-util.h.patch
0002-grub-mkconfig-Restore-umask-for-the-grub.cfg.patch
0003-loader-efi-chainloader-Simplify-the-loader-state.patch
0004-commands-boot-Add-API-to-pass-context-to-loader.patch
0005-loader-efi-chainloader-Use-grub_loader_set_ex.patch
0006-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch
0007-video-Remove-trailing-whitespaces.patch
0008-video-readers-png-Abort-sooner-if-a-read-operation-f.patch
0009-video-readers-png-Refuse-to-handle-multiple-image-he.patch
0010-video-readers-png-Drop-greyscale-support-to-fix-heap.patch
0011-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch
0012-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch
0013-net-ip-Do-IP-fragment-maths-safely.patch
0014-net-http-Fix-OOB-write-for-split-http-headers.patch
0015-net-http-Error-out-on-headers-with-LF-without-CR.patch
0016-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch
0017-font-Fix-several-integer-overflows-in-grub_font_cons.patch
0018-font-Fix-an-integer-underflow-in-blit_comb.patch
Config.in
grub2.hash
grub2.mk
grub.cfg
readme.txt

Notes on using Grub2 for BIOS-based platforms
=============================================

1. Create a disk image
   dd if=/dev/zero of=disk.img bs=1M count=32
2. Partition it (either legacy or GPT style partitions work)
   cfdisk disk.img
    - Create one partition, type Linux, for the root
      filesystem. The only constraint is to make sure there
      is enough free space *before* the first partition to
      store Grub2. Leaving 1 MB of free space is safe.
3. Set up loop device and loop partitions
   sudo losetup -f disk.img
   sudo partx -a /dev/loop0
4. Prepare the root partition
   sudo mkfs.ext3 -L root /dev/loop0p1
   sudo mount /dev/loop0p1 /mnt
   sudo tar -C /mnt -xf output/images/rootfs.tar
   sudo umount /mnt
5. Install Grub2
   sudo ./output/host/sbin/grub-bios-setup \
        -b ./output/host/lib/grub/i386-pc/boot.img \
        -c ./output/images/grub.img -d . /dev/loop0
6. Clean up loop device
   sudo partx -d /dev/loop0
   sudo losetup -d /dev/loop0
7. Your disk.img is ready!

Using genimage
--------------

If you use genimage to generate your complete image,
installing Grub can be tricky. Here is how to achieve Grub's
installation with genimage:

partition boot {
    in-partition-table = "no"
    image = "path_to_boot.img"
    offset = 0
    size = 512
}
partition grub {
    in-partition-table = "no"
    image = "path_to_grub.img"
    offset = 512
}

The result is not byte-for-byte identical to what
grub-bios-setup produces, but it works anyway.
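
A check for the constraint from step 2 of the BIOS notes (enough free space before the first partition) applied to the offset = 512 layout above. This is an added example, not part of the original readme. It covers legacy (MBR) partition tables only, and the sample image and the 60 KiB grub.img size are constructed assumptions.

```python
import struct

SECTOR = 512
CORE_OFFSET = 512  # "offset = 512" of the grub partition in the genimage config


def first_partition_start(image):
    """Byte offset of the lowest-starting partition in a legacy (MBR) table."""
    if image[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature in sector 0")
    starts = []
    for i in range(4):  # four 16-byte entries starting at byte 446
        entry = image[446 + 16 * i:462 + 16 * i]
        if entry[4] == 0xEE:
            raise ValueError("protective MBR: GPT disk, not covered by this check")
        if entry[4] != 0x00:  # type 0 marks an unused entry
            starts.append(struct.unpack_from("<I", entry, 8)[0] * SECTOR)
    if not starts:
        raise ValueError("partition table is empty")
    return min(starts)


def core_image_fits(image, core_size):
    """True if core_size bytes written at CORE_OFFSET end before the first partition."""
    return CORE_OFFSET + core_size <= first_partition_start(image)


def make_sample_image(first_lba):
    """Constructed test input: blank sector 0 with one type-0x83 partition."""
    mbr = bytearray(SECTOR)
    mbr[446 + 4] = 0x83
    struct.pack_into("<II", mbr, 446 + 8, first_lba, 20480)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


if __name__ == "__main__":
    core_size = 60 * 1024  # assumed size of grub.img, for illustration
    for lba in (2048, 63):
        ok = core_image_fits(make_sample_image(lba), core_size)
        print(f"first partition at LBA {lba}: {'ok' if ok else 'OVERLAP'}")
```
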

To test your BIOS image in Qemu
-------------------------------

qemu-system-{i386,x86_64} -hda disk.img

Notes on using Grub2 for x86/x86_64 EFI-based platforms
=======================================================

1. Create a disk image
   dd if=/dev/zero of=disk.img bs=1M count=32
2. Partition it with GPT partitions
   cgdisk disk.img
    - Create a first partition, type EF00, for the
      bootloader and kernel image
    - Create a second partition, type 8300, for the root
      filesystem.
3. Set up loop device and loop partitions
   sudo losetup -f disk.img
   sudo partx -a /dev/loop0
4. Prepare the boot partition
   sudo mkfs.vfat -n boot /dev/loop0p1
   sudo mount /dev/loop0p1 /mnt
   sudo cp -a output/images/efi-part/* /mnt/
   sudo cp output/images/bzImage /mnt/
   sudo umount /mnt
5. Prepare the root partition
   sudo mkfs.ext3 -L root /dev/loop0p2
   sudo mount /dev/loop0p2 /mnt
   sudo tar -C /mnt -xf output/images/rootfs.tar
   sudo umount /mnt
6. Clean up loop device
   sudo partx -d /dev/loop0
   sudo losetup -d /dev/loop0
7. Your disk.img is ready!

To test your i386/x86-64 EFI image in Qemu
------------------------------------------

1. Download/install the EFI BIOS for Qemu
   You can get it using the edk2 package in Buildroot (installed
   in BINARIES_DIR), grab prebuilt images from the unofficial nightly
   builds [0], or use one provided by your distribution as OVMF.

   [0] https://github.com/retrage/edk2-nightly

2. qemu-system-{i386,x86_64} -bios <path-to-OVMF.fd> -hda disk.img

Notes on using Grub2 for ARM u-boot-based platforms
===================================================

The following steps show how to use the Grub2 arm-uboot platform
support in the simplest way possible and with a single
buildroot-generated filesystem.

 1. Load qemu_arm_vexpress_defconfig

 2. Enable u-boot with the vexpress_ca9x4 board name and with
    u-boot.elf image format.

 3. Enable grub2 for the arm-uboot platform.

 4. Enable "Install kernel image to /boot in target" in the kernel
    menu to populate a /boot directory with zImage in it.

 5. The upstream u-boot vexpress_ca9x4 doesn't have CONFIG_API enabled
    by default, which is required.

    Before building, patch u-boot (for example, make u-boot-extract to
    edit the source before building) file
    include/configs/vexpress_common.h to define:

    #define CONFIG_API
    #define CONFIG_SYS_MMC_MAX_DEVICE   1

 6. Create a custom grub2 config file with the following contents and
    set its path in BR2_TARGET_GRUB2_CFG:

    set default="0"
    set timeout="5"

    menuentry "Buildroot" {
        set root='(hd0)'
        linux /boot/zImage root=/dev/mmcblk0 console=ttyAMA0
        devicetree /boot/vexpress-v2p-ca9.dtb
    }

 7. Create a custom builtin config file with the following contents
    and set its path in BR2_TARGET_GRUB2_BUILTIN_CONFIG:

    set root=(hd0)
    set prefix=/boot/grub

 8. Create a custom post-build script which copies files from
    ${BINARIES_DIR}/boot-part to ${TARGET_DIR}/boot (set its path in
    BR2_ROOTFS_POST_BUILD_SCRIPT):

    #!/bin/sh
    cp -r ${BINARIES_DIR}/boot-part/* ${TARGET_DIR}/boot/

 9. make

10. Run qemu with:

    qemu-system-arm -M vexpress-a9 -kernel output/images/u-boot -m 1024 \
    -nographic -sd output/images/rootfs.ext2

11. In u-boot, stop at the prompt and run grub2 with:

    => ext2load mmc 0:0 ${loadaddr} /boot/grub/grub.img
    => bootm

12. This should bring up the grub2 menu, where selecting the "Buildroot"
    entry should boot Linux.


Notes on using Grub2 for Aarch64 EFI-based platforms
====================================================

The following steps show how to use the Grub2 arm64-efi platform,
using qemu and EFI firmware built for qemu.

 1. Load aarch64_efi_defconfig

 2. make

 3. Download the EFI firmware for qemu aarch64

    You can get it using the edk2 package in Buildroot (installed
    in BINARIES_DIR), grab prebuilt images from the unofficial nightly
    builds [1], or use one provided by your distribution as OVMF-aarch64
    or AAVMF.

    [1] https://github.com/retrage/edk2-nightly

 4. Run qemu with:

    qemu-system-aarch64 -M virt -cpu cortex-a57 -m 512 -nographic \
    -bios <path/to/EDK2>/QEMU_EFI.fd -hda output/images/disk.img \
    -netdev user,id=eth0 -device virtio-net-device,netdev=eth0

 5. This should bring up the grub2 menu, where selecting the
    "Buildroot" entry should boot Linux.