[ubuntu-hardened] Fwd: Confused on GRUB2 version for 20.04.2 LTS
David F.
df7729 at gmail.com
Mon Jun 21 15:10:29 UTC 2021
Well, I'm just wondering where 2.04-1ubuntu26.11 (now
2.04-1ubuntu26.12) is coming from and if it has the required fixes?
We use Ubuntu's GRUB2 as the base (with additional patches) for our
boot disk and UEFI booting and I already released based on 26.11 with
the new shim and .SBAT. BTW, objcopy corrupts the binaries so I had
to write my old PE modifier (not sure what you're using for final
builds on your end). Is that version up to date as it seems to have
been based on the release date?
I'm not totally up on all things linux. I just have to maintain the
boot disk with kernel updates and other things. The builds are
scripted and do things like apt-get grub2 to start the process before
calling your build routine.
By the way, here are my GRUB2 patches (based on 2.02, but they still apply
in 2.04) in case you want to implement them. The small ones fix the error
message shown when something goes wrong; otherwise the error code gets
modified before the decision of which message to print has been made.
--- grub2-2.02-org/grub-core/disk/efi/efidisk.c 2017-04-24
05:16:00.000000000 -0400
+++ grub2-2.02/grub-core/disk/efi/efidisk.c 2018-09-18 18:52:05.380679173 -0400
@@ -27,6 +27,9 @@
#include <grub/efi/efi.h>
#include <grub/efi/disk.h>
+/* break up io to prevent problems under some UEFI environments */
+#define EFIDISK_C_MAXIOSECS 0x100U
+
struct grub_efidisk_data
{
grub_efi_handle_t handle;
@@ -583,21 +586,34 @@
grub_size_t size, char *buf)
{
grub_efi_status_t status;
-
- grub_dprintf ("efidisk",
- "reading 0x%lx sectors at the sector 0x%llx from %s\n",
- (unsigned long) size, (unsigned long long) sector, disk->name);
-
- status = grub_efidisk_readwrite (disk, sector, size, buf, 0);
-
- if (status == GRUB_EFI_NO_MEDIA)
- return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("no media in `%s'"), disk->name);
- else if (status != GRUB_EFI_SUCCESS)
- return grub_error (GRUB_ERR_READ_ERROR,
- N_("failure reading sector 0x%llx from `%s'"),
- (unsigned long long) sector,
- disk->name);
-
+ grub_size_t sector_count;
+
+ /* break up reads to EFIDISK_C_MAXIOSECS size chunks */
+ do {
+ /* determine number of sectors this cycle */
+ sector_count=(size>EFIDISK_C_MAXIOSECS) ? EFIDISK_C_MAXIOSECS : size;
+
+ /* output debug information */
+ grub_dprintf ("efidisk",
+ "reading 0x%lx sectors at the sector 0x%llx from %s\n",
+ (unsigned long) sector_count, (unsigned long long) sector, disk->name);
+
+ status = grub_efidisk_readwrite (disk, sector, sector_count, buf, 0);
+
+ if (status == GRUB_EFI_NO_MEDIA)
+ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("no media in `%s'"), disk->name);
+ if (status != GRUB_EFI_SUCCESS)
+ return grub_error (GRUB_ERR_READ_ERROR,
+ N_("failure reading 0x%lx sector(s) from sector 0x%llx on `%s'"),
+ (unsigned long) sector_count,
+ (unsigned long long) sector,
+ disk->name);
+
+ /* next cycle */
+ buf+=(grub_efi_uintn_t) sector_count << disk->log_sector_size;;
+ sector+=sector_count;
+ size-=sector_count;
+ } while (size);
return GRUB_ERR_NONE;
}
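Review bot: The buffer advance at the end of the new loop body ends in a doubled semicolon, `buf+=(grub_efi_uintn_t) sector_count << disk->log_sector_size;;`, which compiles but reads as a typo; writing it as `buf += (grub_efi_uintn_t) sector_count << disk->log_sector_size;` also matches the spaced-operator style of the surrounding GRUB code (the same goes for the `sector+=` and `size-=` lines). The chunking itself looks sound: sector_count is the smaller of size and the unsigned EFIDISK_C_MAXIOSECS, and the do/while preserves the original's single zero-length call when size is 0. The define introduced in the hunk at the top of the file would benefit from a comment recording which firmware failed on larger transfers, since a reader cannot tell whether 0x100 sectors is a measured limit or a guess. Only the read path is chunked here; if grub_efidisk_write goes through the same grub_efidisk_readwrite helper, writes presumably hit the same firmware limit and are outside this patch. The signature of the enclosing grub_efidisk_read starts before the hunk.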
diff -ur grub2-2.02-org/grub-core/kern/err.c grub2-2.02/grub-core/kern/err.c
--- grub2-2.02-org/grub-core/kern/err.c 2015-05-21 11:50:29.000000000 -0400
+++ grub2-2.02/grub-core/kern/err.c 2018-09-18 18:52:05.384679170 -0400
@@ -38,12 +38,12 @@
{
va_list ap;
- grub_errno = n;
-
va_start (ap, fmt);
grub_vsnprintf (grub_errmsg, sizeof (grub_errmsg), _(fmt), ap);
va_end (ap);
+ grub_errno = n;
+
return n;
}
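Review bot: The relocated `grub_errno = n;` deserves a comment, because without one the next reader sees a store that was moved below the formatting call for no visible reason; suggest `/* Set grub_errno last: formatting the message can reach grub_malloc, which may overwrite it. */` (the misc.c hunks in this same patch show a grub_malloc inside parse_printf_args, which the grub_vsnprintf path presumably reaches). With the misc.c save/restore also applied this reorder is belt-and-braces, but it is the smaller guard if err.c is patched on its own. The enclosing grub_error signature is above the hunk.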
diff -ur grub2-2.02-org/grub-core/kern/misc.c grub2-2.02/grub-core/kern/misc.c
--- grub2-2.02-org/grub-core/kern/misc.c 2018-09-18 15:45:06.000000000 -0400
+++ grub2-2.02/grub-core/kern/misc.c 2018-09-18 18:52:05.384679170 -0400
@@ -164,10 +164,13 @@
{
va_list args;
const char *debug = grub_env_get ("debug");
+ grub_err_t save_grub_errno;
if (! debug)
return;
+ save_grub_errno=grub_errno;
+
if (grub_strword (debug, "all") || grub_strword (debug, condition))
{
grub_printf ("%s:%d: ", file, line);
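Review bot: The snapshot `save_grub_errno=grub_errno;` is taken after the `grub_env_get ("debug")` call rather than before it, so if that lookup can itself set grub_errno the saved value is already the modified one; initializing at the declaration, `grub_err_t save_grub_errno = grub_errno;`, moves the snapshot to function entry, matches how grub_vprintf and parse_printf_args do it elsewhere in this patch, and lets the separate assignment after the early return go. The restore in the following hunk runs only on the debug-enabled path, which is fine because the `! debug` return happens before anything other than that lookup could touch grub_errno. The surrounding code writes assignments with spaces around `=`, so `save_grub_errno = grub_errno;` and `grub_errno = save_grub_errno;` would match. The enclosing grub_real_dprintf signature is above the hunk.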
@@ -176,6 +179,8 @@
va_end (args);
grub_refresh ();
}
+
+ grub_errno=save_grub_errno;
}
#define PREALLOC_SIZE 255
@@ -187,7 +192,9 @@
static char buf[PREALLOC_SIZE + 1];
char *curbuf = buf;
struct printf_args args;
-
+
+ grub_err_t save_grub_errno=grub_errno;
+
parse_printf_args (fmt, &args, ap);
s = grub_vsnprintf_real (buf, PREALLOC_SIZE, fmt, &args);
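Review bot: With the `grub_errno = GRUB_ERR_NONE;` reset removed from the grub_malloc failure branch (next hunk) and the unconditional restore before `return s;` (the hunk after that), grub_vprintf now discards not only an out-of-memory indication from that allocation, as before, but any error raised anywhere between the save and the restore; if that is the intent, a comment at the save would make it explicit, e.g. `/* Printing must be transparent to callers: restore grub_errno on exit. */`. Any early return between the two hunks would skip the restore; none is visible here, but the lines between the hunks are outside this view. The new declaration `grub_err_t save_grub_errno=grub_errno;` lacks the spaces around `=` used by the adjacent `char *curbuf = buf;`. The enclosing grub_vprintf signature is above the first hunk.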
@@ -196,7 +203,6 @@
curbuf = grub_malloc (s + 1);
if (!curbuf)
{
- grub_errno = GRUB_ERR_NONE;
buf[PREALLOC_SIZE - 3] = '.';
buf[PREALLOC_SIZE - 2] = '.';
buf[PREALLOC_SIZE - 1] = '.';
@@ -214,6 +220,8 @@
if (curbuf != buf)
grub_free (curbuf);
+ grub_errno=save_grub_errno;
+
return s;
}
@@ -633,6 +641,7 @@
const char *fmt;
char c;
grub_size_t n = 0;
+ grub_err_t save_grub_errno=grub_errno;
args->count = 0;
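Review bot: The restore `grub_errno=save_grub_errno;` in the last hunk of this function cannot be placed with confidence from this copy: the hunk header promises six old lines but only five context lines survive, and the closing braces carry no indentation, so it is not clear whether the store lands after the final while loop or inside it before the loop's closing brace; it should be confirmed to sit at function scope, since a loop-local restore could be skipped on paths that leave the loop early. The removal of the `grub_errno = GRUB_ERR_NONE;` reset in the `!args->ptr` branch (the middle hunk) only stays correct because of that restore, so the two hunks must be applied together. As in the other hunks of this patch, `save_grub_errno = grub_errno;` with spaces would match the file's GNU style. The enclosing parse_printf_args signature is above this hunk.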
@@ -696,7 +705,6 @@
args->ptr = grub_malloc (args->count * sizeof (args->ptr[0]));
if (!args->ptr)
{
- grub_errno = GRUB_ERR_NONE;
args->ptr = args->prealloc;
args->count = ARRAY_SIZE (args->prealloc);
}
@@ -805,6 +813,8 @@
args->ptr[n].ll = va_arg (args_in, long long);
break;
}
+
+ grub_errno=save_grub_errno;
}
static inline void __attribute__ ((always_inline))
diff -ur grub2-2.02-org/grub-core/loader/i386/efi/linux.c
grub2-2.02/grub-core/loader/i386/efi/linux.c
--- grub2-2.02-org/grub-core/loader/i386/efi/linux.c 2018-09-18
15:45:06.000000000 -0400
+++ grub2-2.02/grub-core/loader/i386/efi/linux.c 2018-09-18
18:58:42.581278048 -0400
@@ -265,12 +265,12 @@
goto fail;
}
#if defined(__x86_64__) || defined(__aarch64__)
grub_dprintf ("linuxefi", "checking lh->xloadflags\n");
- if (!(lh->xloadflags & LINUX_XLF_KERNEL_64))
+ if (! (lh->xloadflags & grub_cpu_to_le16(LINUX_XLF_EFI_HANDOVER_64)))
{
- grub_error (GRUB_ERR_BAD_OS, N_("kernel doesn't support 64-bit CPUs"));
- goto fail;
+ grub_error (GRUB_ERR_BAD_OS, N_("kernel doesn't support 64-bit EFI
handover"));
+ goto fail;
}
#endif
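Review bot: The new guard tests only LINUX_XLF_EFI_HANDOVER_64 and sits under `#if defined(__x86_64__) || defined(__aarch64__)` with no `#else`, so a 32-bit EFI build of this loader still has no check that the kernel advertises LINUX_XLF_EFI_HANDOVER_32 before jumping to its handover entry; if the i386 path also uses handover_offset (that code is outside the hunk), a symmetric branch is worth adding, sketched below. The header hunk of this same patch marks xloadflags as `/* 2.12+ */`, so this check is only meaningful if the boot-protocol version check earlier in the function (also outside the hunk) already rejects headers older than 2.12; otherwise those bits are stale for older kernels. In this mail copy the new `N_("kernel doesn't support 64-bit EFI handover")` literal is wrapped onto two lines and has to be rejoined before the patch compiles. The enclosing function begins and ends outside the hunk.

```c
#if defined(__x86_64__) || defined(__aarch64__)
  /* … unchanged: 64-bit handover check from the hunk … */
#else
  if (! (lh->xloadflags & grub_cpu_to_le16 (LINUX_XLF_EFI_HANDOVER_32)))
    {
      grub_error (GRUB_ERR_BAD_OS, N_("kernel doesn't support 32-bit EFI handover"));
      goto fail;
    }
#endif
```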
diff -ur grub2-2.02-org/include/grub/i386/linux.h
grub2-2.02/include/grub/i386/linux.h
--- grub2-2.02-org/include/grub/i386/linux.h 2018-09-18 15:45:06.000000000 -0400
+++ grub2-2.02/include/grub/i386/linux.h 2018-09-18 18:52:05.388679169 -0400
@@ -130,12 +130,12 @@
grub_uint32_t kernel_alignment;
grub_uint8_t relocatable;
grub_uint8_t min_alignment;
-#define LINUX_XLF_KERNEL_64 (1<<0)
-#define LINUX_XLF_CAN_BE_LOADED_ABOVE_4G (1<<1)
-#define LINUX_XLF_EFI_HANDOVER_32 (1<<2)
-#define LINUX_XLF_EFI_HANDOVER_64 (1<<3)
-#define LINUX_XLF_EFI_KEXEC (1<<4)
- grub_uint16_t xloadflags;
+#define LINUX_XLF_KERNEL_64 (1<<0) /* this kernel has the legacy
64-bit entry point at 0x200. */
+#define LINUX_XLF_CAN_BE_LOADED_ABOVE_4G (1<<1) /*
kernel/boot_params/cmdline/ramdisk can be above 4G. */
+#define LINUX_XLF_EFI_HANDOVER_32 (1<<2) /* kernel supports 32-bit
EFI handoff entry point at handover_offset. */
+#define LINUX_XLF_EFI_HANDOVER_64 (1<<3) /* kernel supports 64-bit
EFI handoff entry point at handover_offset + 0x200. */
+#define LINUX_XLF_EFI_KEXEC (1<<4) /* kernel supports kexec EFI boot
with EFI runtime support. */
+ grub_uint16_t xloadflags; /* 2.12+ */
grub_uint32_t cmdline_size;
grub_uint32_t hardware_subarch;
grub_uint64_t hardware_subarch_data;
diff -ur grub2-2.02-org/grub-core/disk/efi/efidisk.c
grub2-2.02/grub-core/disk/efi/efidisk.c
On Sun, Jun 20, 2021 at 6:19 PM Alex Murray <alex.murray at canonical.com> wrote:
>
> Hi David
>
> This looks to be confusion between how grub2 is now packaged in Ubuntu -
> since the switch to "One Grub"[1] the actual fixed version of grub2 for
> EFI-related issues comes from the grub2-signed package - this in turn is
> built from the grub2-unsigned package and so these are the ones which
> are critical to look at in terms of version numbers for UEFI security
> issues. Also whilst these fixes have been available in the -updates
> pocket for some time, they have only recently been published to the
> -security pocket, which is the one we reference when publishing security
> notices etc.
>
> As such, for 20.04 LTS, grub2-unsigned version 2.04-1ubuntu44.2
> is the first one that got published to -security and hence the one we
> quote on this page. This includes the BootHole fixes plus a few other
> changes which were needed to ensure it was all packaged correctly since
> then (as the actual fixes landed in grub2-unsigned 2.04-1ubuntu42 but
> this was only ever published to -updates, not -security).
>
> Hopefully this clears things up.
>
> Thanks,
> Alex
>
>
> On Sun, 2021-06-20 at 09:20:33 +0930, David F. wrote:
>
> > In case this didn't make it because it had a link. Here's the message
> > again without the link:
> >
> > When I read (link removed but search GRUB2SecureBootBypass2021)
> > it says 20.04 LTS should have 1ubuntu44.2, but it doesn't; it has
> > 1ubuntu26.12 (it was 1ubuntu26.11 last month). It appears the security
> > patches are applied to the 1ubuntu26.11 build (I built prior to .12).
> > Based on the date it seems 1ubuntu26.11 should have updates through
> > Feb 24, 2021? I know the boothole patch is applied. From description
> > of 1ubuntu26.12 it seems like it updated the version but no new
> > patches were applied?
> >
> > Can someone help clear up what is what?
> >
> > Thanks.
>