authorOmar Vega Ramos <ovruni@gnu.org.pe>2017-10-21 13:01:06 -0500
committerOmar Vega Ramos <ovruni@gnu.org.pe>2017-10-21 13:01:06 -0500
commit1b62a191217d91dc663f55d8e3304b60e15a5581 (patch)
tree6915752e4328315b74fca98a468070af6c79603b /libre/grub
parenta8e6bcdea9f04db5642286e54c4cb027935b8035 (diff)
grub-2:2.02-3.parabola1: Allow GRUB to mount ext2/3/4 filesystems that have the encryption feature - FS#51879 -> https://bugs.archlinux.org/task/51879
Diffstat (limited to 'libre/grub')
-rw-r--r--libre/grub/0005-Allow_GRUB_to_mount_ext234_filesystems_that_have_the_encryption_feature.patch140
-rw-r--r--libre/grub/PKGBUILD48
-rw-r--r--libre/grub/grub.default13
3 files changed, 178 insertions, 23 deletions
diff --git a/libre/grub/0005-Allow_GRUB_to_mount_ext234_filesystems_that_have_the_encryption_feature.patch b/libre/grub/0005-Allow_GRUB_to_mount_ext234_filesystems_that_have_the_encryption_feature.patch
new file mode 100644
index 000000000..22d62926f
--- /dev/null
+++ b/libre/grub/0005-Allow_GRUB_to_mount_ext234_filesystems_that_have_the_encryption_feature.patch
@@ -0,0 +1,140 @@
+From 734668238fcc0ef691a080839e04f33854fa133a Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Thu, 29 Jun 2017 13:27:49 +0000
+Subject: Allow GRUB to mount ext2/3/4 filesystems that have the encryption
+ feature.
+
+On such a filesystem, inodes may have EXT4_ENCRYPT_FLAG set.
+For a regular file, this means its contents are encrypted; for a
+directory, this means the filenames in its directory entries are
+encrypted; and for a symlink, this means its target is encrypted. Since
+GRUB cannot decrypt encrypted contents or filenames, just issue an error
+if it would need to do so. This is sufficient to allow unencrypted boot
+files to co-exist with encrypted files elsewhere on the filesystem.
+
+(Note that encrypted regular files and symlinks will not normally be
+encountered outside an encrypted directory; however, it's possible via
+hard links, so they still need to be handled.)
+
+Tested by booting from an ext4 /boot partition on which I had run
+'tune2fs -O encrypt'. I also verified that the expected error messages
+are printed when trying to access encrypted directories, files, and
+symlinks from the GRUB command line. Also ran 'sudo ./grub-fs-tester
+ext4_encrypt'; note that this requires e2fsprogs v1.43+ and Linux v4.1+.
+
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+---
+ grub-core/fs/ext2.c | 23 ++++++++++++++++++++++-
+ tests/ext234_test.in | 1 +
+ tests/util/grub-fs-tester.in | 10 ++++++++++
+ 3 files changed, 33 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/fs/ext2.c b/grub-core/fs/ext2.c
+index cdce63b..b8ad75a 100644
+--- a/grub-core/fs/ext2.c
++++ b/grub-core/fs/ext2.c
+@@ -102,6 +102,7 @@ GRUB_MOD_LICENSE ("GPLv3+");
+ #define EXT4_FEATURE_INCOMPAT_64BIT 0x0080
+ #define EXT4_FEATURE_INCOMPAT_MMP 0x0100
+ #define EXT4_FEATURE_INCOMPAT_FLEX_BG 0x0200
++#define EXT4_FEATURE_INCOMPAT_ENCRYPT 0x10000
+
+ /* The set of back-incompatible features this driver DOES support. Add (OR)
+ * flags here as the related features are implemented into the driver. */
+@@ -109,7 +110,8 @@ GRUB_MOD_LICENSE ("GPLv3+");
+ | EXT4_FEATURE_INCOMPAT_EXTENTS \
+ | EXT4_FEATURE_INCOMPAT_FLEX_BG \
+ | EXT2_FEATURE_INCOMPAT_META_BG \
+- | EXT4_FEATURE_INCOMPAT_64BIT)
++ | EXT4_FEATURE_INCOMPAT_64BIT \
++ | EXT4_FEATURE_INCOMPAT_ENCRYPT)
+ /* List of rationales for the ignored "incompatible" features:
+ * needs_recovery: Not really back-incompatible - was added as such to forbid
+ * ext2 drivers from mounting an ext3 volume with a dirty
+@@ -138,6 +140,7 @@ GRUB_MOD_LICENSE ("GPLv3+");
+ #define EXT3_JOURNAL_FLAG_DELETED 4
+ #define EXT3_JOURNAL_FLAG_LAST_TAG 8
+
++#define EXT4_ENCRYPT_FLAG 0x800
+ #define EXT4_EXTENTS_FLAG 0x80000
+
+ /* The ext2 superblock. */
+@@ -706,6 +709,12 @@ grub_ext2_read_symlink (grub_fshelp_node_t node)
+ grub_ext2_read_inode (diro->data, diro->ino, &diro->inode);
+ if (grub_errno)
+ return 0;
++
++ if (diro->inode.flags & grub_cpu_to_le32_compile_time (EXT4_ENCRYPT_FLAG))
++ {
++ grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET, "symlink is encrypted");
++ return 0;
++ }
+ }
+
+ symlink = grub_malloc (grub_le_to_cpu32 (diro->inode.size) + 1);
+@@ -749,6 +758,12 @@ grub_ext2_iterate_dir (grub_fshelp_node_t dir,
+ return 0;
+ }
+
++ if (diro->inode.flags & grub_cpu_to_le32_compile_time (EXT4_ENCRYPT_FLAG))
++ {
++ grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET, "directory is encrypted");
++ return 0;
++ }
++
+ /* Search the file. */
+ while (fpos < grub_le_to_cpu32 (diro->inode.size))
+ {
+@@ -859,6 +874,12 @@ grub_ext2_open (struct grub_file *file, const char *name)
+ goto fail;
+ }
+
++ if (fdiro->inode.flags & grub_cpu_to_le32_compile_time (EXT4_ENCRYPT_FLAG))
++ {
++ err = grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET, "file is encrypted");
++ goto fail;
++ }
++
+ grub_memcpy (data->inode, &fdiro->inode, sizeof (struct grub_ext2_inode));
+ grub_free (fdiro);
+
+diff --git a/tests/ext234_test.in b/tests/ext234_test.in
+index 892b99c..4f1eb52 100644
+--- a/tests/ext234_test.in
++++ b/tests/ext234_test.in
+@@ -30,3 +30,4 @@ fi
+ "@builddir@/grub-fs-tester" ext3
+ "@builddir@/grub-fs-tester" ext4
+ "@builddir@/grub-fs-tester" ext4_metabg
++"@builddir@/grub-fs-tester" ext4_encrypt
+diff --git a/tests/util/grub-fs-tester.in b/tests/util/grub-fs-tester.in
+index 88cbe73..fd7e0f1 100644
+--- a/tests/util/grub-fs-tester.in
++++ b/tests/util/grub-fs-tester.in
+@@ -156,6 +156,12 @@ for LOGSECSIZE in $(range "$MINLOGSECSIZE" "$MAXLOGSECSIZE" 1); do
+ # Could go further but what's the point?
+ MAXBLKSIZE=$((65536*1024))
+ ;;
++ xext4_encrypt)
++ # OS LIMITATION: Linux currently only allows the 'encrypt' feature
++ # in combination with block_size = PAGE_SIZE (4096 bytes on x86).
++ MINBLKSIZE=$(getconf PAGE_SIZE)
++ MAXBLKSIZE=$MINBLKSIZE
++ ;;
+ xext*)
+ MINBLKSIZE=1024
+ if [ $MINBLKSIZE -lt $SECSIZE ]; then
+@@ -796,6 +802,10 @@ for LOGSECSIZE in $(range "$MINLOGSECSIZE" "$MAXLOGSECSIZE" 1); do
+ MKE2FS_DEVICE_SECTSIZE=$SECSIZE "mkfs.ext4" -O meta_bg,^resize_inode -b $BLKSIZE -L "$FSLABEL" -q "${MOUNTDEVICE}"
+ MOUNTFS=ext4
+ ;;
++ xext4_encrypt)
++ MKE2FS_DEVICE_SECTSIZE=$SECSIZE "mkfs.ext4" -O encrypt -b $BLKSIZE -L "$FSLABEL" -q "${MOUNTDEVICE}"
++ MOUNTFS=ext4
++ ;;
+ xext*)
+ MKE2FS_DEVICE_SECTSIZE=$SECSIZE "mkfs.$fs" -b $BLKSIZE -L "$FSLABEL" -q "${MOUNTDEVICE}" ;;
+ xxfs)
+--
+cgit v1.0-41-gc330
+
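Review bot: In the grub_ext2_read_symlink hunk of the embedded patch, the new EXT4_ENCRYPT_FLAG test sits inside the block that the following `}` closes, next to the grub_ext2_read_inode call. The condition that opens that block is outside the hunk. If it runs only when the inode has not been loaded yet, a node whose inode was filled in earlier skips the test, and the function goes on to allocate and read the encrypted target as if it were a path. Placing the `if (diro->inode.flags & grub_cpu_to_le32_compile_time (EXT4_ENCRYPT_FLAG))` block after that closing brace would cover both paths. The checks added to grub_ext2_iterate_dir and grub_ext2_open are unconditional as far as their hunks show.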
diff --git a/libre/grub/PKGBUILD b/libre/grub/PKGBUILD
index 30aa70888..a2628e2dd 100644
--- a/libre/grub/PKGBUILD
+++ b/libre/grub/PKGBUILD
@@ -2,8 +2,9 @@
# Maintainer (Arch): Ronald van Haren <ronald.archlinux.org>
# Contributor (Arch): Tobias Powalowski <tpowa@archlinux.org>
# Contributor (Arch): Keshav Amburay <(the ddoott ridikulus ddoott rat) (aatt) (gemmaeiil) (ddoott) (ccoomm)>
-# Maintainer: André Silva <emulatorman@hyperbola.info>
-# Maintainer: Márcio Silva <coadde@hyperbola.info>
+# Maintainer (Hyperbola): André Silva <emulatorman@hyperbola.info>
+# Maintainer (Hyperbola): Márcio Silva <coadde@hyperbola.info>
+# Maintainer: Omar Vega Ramos <ovruni@gnu.org.pe>
## '1' to enable Xen support, '0' to disable
_XEN='1'
@@ -19,7 +20,7 @@ _GRUB_EMU_BUILD='0'
_GRUB_EXTRAS_COMMIT=f2a079441939eee7251bf141986cdd78946e1d20
-_UNIFONT_VER='9.0.06'
+_UNIFONT_VER='10.0.06'
[[ "${CARCH}" = 'armv7h' ]] && _EFI_ARCH='arm'
[[ "${CARCH}" = 'x86_64' ]] && _EFI_ARCH='x86_64'
@@ -38,7 +39,7 @@ pkgname=('grub')
'grub-omap3_beagle_xm' 'grub-omap3_beagle_xm_ab')
pkgdesc='GNU GRand Unified Bootloader (2), (Parabola rebranded)'
pkgver='2.02'
-pkgrel='1.parabola1.2'
+pkgrel='3.parabola1'
epoch='2'
url='https://www.gnu.org/software/grub/'
arch=('x86_64' 'i686' 'armv7h')
@@ -72,11 +73,12 @@ elif [[ "${CARCH}" = 'armv7h' ]]; then
replaces=('grub-common' 'grub-emu' "grub-efi-${_EFI_ARCH}")
fi
-source=("http://ftp.gnu.org/gnu/${pkgname}/${pkgname}-${pkgver}.tar.xz"{,.sig}
- "grub-extras::git+git://git.sv.gnu.org/grub-extras.git#commit=${_GRUB_EXTRAS_COMMIT}"
+source=("https://ftp.gnu.org/gnu/${pkgname}/${pkgname}-${pkgver}.tar.xz"{,.sig}
+ "https://git.savannah.nongnu.org/cgit/grub-extras.git/snapshot/grub-extras-${_GRUB_EXTRAS_COMMIT}.tar.gz"
"https://ftp.gnu.org/gnu/unifont/unifont-${_UNIFONT_VER}/unifont-${_UNIFONT_VER}.bdf.gz"{,.sig}
'0003-10_linux-20_linux_xen-detect-parabola-initramfs.patch'
'0004-add-GRUB_COLOR_variables.patch'
+ '0005-Allow_GRUB_to_mount_ext234_filesystems_that_have_the_encryption_feature.patch'
'grub.default'
'0003-10_linux-20_linux_xen-detect-am335x_bone+am335x_boneblack-devicetree-file.patch'
'0003-10_linux-20_linux_xen-detect-omap3_beagle-devicetree-file.patch'
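Review bot: The grub-extras source moves from a git checkout to a cgit `snapshot/...tar.gz` URL with no upstream signature, so the digest pinned in the checksum array is the only integrity check for that code. Snapshot archives are produced by the server on request. If their bytes are not guaranteed stable, the digest can start failing on rebuild, and the response should be to re-verify the content against `${_GRUB_EXTRAS_COMMIT}` rather than to refresh the hash. A comment above the entry would record that, e.g. `# server-generated snapshot: on checksum mismatch, compare with the pinned commit before updating`. The `cp -r "${srcdir}/grub-extras-${_GRUB_EXTRAS_COMMIT}/915resolution"` line in prepare() also depends on the archive's top-level directory name.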
@@ -85,20 +87,21 @@ source=("http://ftp.gnu.org/gnu/${pkgname}/${pkgname}-${pkgver}.tar.xz"{,.sig}
'0003-10_linux-20_linux_xen-detect-udoo-devicetree-file.patch'
'0003-10_linux-20_linux_xen-rebrand-free-distros.patch')
-sha512sums=('cc6eb0a42b5c8df2f671cc128ff725afb3ff1f8832a196022e433cf0d3b75decfca2316d0aa5fabea75747d55e88f3d021dd93508563f8ca80fd7b9e7fe1f088'
+sha256sums=('810b3798d316394f94096ec2797909dbf23c858e48f7b3830826b8daa06b7b0f'
'SKIP'
+ '2844601914cea6b1231eca0104853a93c4d67a5209933a0766f1475953300646'
+ '0d81571fc519573057b7641d26a31ead55cc0b02a931589fb346a3a534c3dcc1'
'SKIP'
- 'dac2becc7fa76847231ce30a4b9e22fc9d45fb50846fc7f25611c5c2cbedc31e7745d9295bab3eb7a01efad4f1f2f1161c98efa60048e756421075220817f4b8'
- 'SKIP'
- '3529ab4d08a4165e081c49dfc1cf40079ad9a1b9dd7ab6d39147fc347cb6aa615fd90292ecd5ecbfb543bf444bef27043a2392029d0210f9b4a6369365d3da1b'
- '0ae2f50a397268ea0ff46faa180e699ba956acaa68504d9dde7c33ab194430df57c2e2e5f9fe30b6c31e7806666faad4b274747ba151035e338bcaab3d875c3e'
- '96e49cf3d783f5c8caffd60ea6e72112a12854519dc89a18938f372f7413b3fe99339ed8ad9d660ba457e67436cf7c444dc852455b90efa5546729180b88c3a8'
- '04262a4a95fa58967e147e39ea71b08cc99aa32a1f0357c46292743f3ea8c05a6ff6fcfc3516a9b61a2a3050781017ed2cabf53fc327b39f7e957d0ddf778165'
- 'a406ec5a83d1c03dadc1444d91f1b5e682bc74562dcf6e455009d043015dc2316509517f61c76e2ffec4dce5d03702ae47f2dd9b25671a4d7889e2744b090631'
- '46fb2eeb2856bbdda8e115fc9beb61744e3a0bc9a178ec5d01c36a429691ca2362925382eca3144f2ee2438e69e508043d8f2445a6bef79e63e455fb08293426'
- '55fb8ea488bb0936a4830eab943cdde986f351796cea259403fa947605c9d39526e0aec987da118cc6cf4c3bbe2a56326a218fbb0709ee7717a62a36a3d31697'
- '378635a2a8a685f4efd300f19d7f2192dc664fd16811953520e0d49d90a5af377fa0dc45e0d2abc0d9f6750cd4cf885d6ef54445f7e8d3ed0025f2d087351bfc'
- 'eced721bab4256b9afb322cda7b599ac1cae9dfe2effd1d86569bd3bef056cab80783da25181e627abc2422f4048200ae8b46c7dfe5df4441a55ae00434cd172')
+ '3f68a78ecba0284b9d39af60431236cb2ebc8547d3dc1fb26a1ac7a6b9afbbc7'
+ 'a5198267ceb04dceb6d2ea7800281a42b3f91fd02da55d2cc9ea20d47273ca29'
+ '535422c510a050d41efe7720dbe54de29e04bdb8f86fd5aea5feb0b24f7abe46'
+ '959f3d8d65d9504df798924554c3de0e92dfcd39e087b099a5f5e0a9b7885102'
+ '9ece1db537a989ce4dc55ece471883e19b8ab16902f8c4feb68436c3b5700f71'
+ 'de71452b9b0fbfb08ea742e9fa217ab34fddf6312452f155fb9d82ebf1c024a5'
+ '222da944b4af43a1d86be0e3d91f2e1a82324fa51c7ad36cc25246ffa3739ab1'
+ '9002c69e74143553ef8cdd32ca04e8bdcb7a1a0ba1c4564163bae061fe68d855'
+ '6584a0dda9dbf6d70dbdfba619abbb628b1a092bd61d6d05e462d6771354223b'
+ '7374137d183957ec8834ce749163c9fa98ff8ee61bbb74b0b38e29daf93857a4')
validpgpkeys=('E53D497F3FA42AD8C9B4D1E835A93B74E82E4209' # Vladimir 'phcoder' Serbinenko <phcoder@gmail.com>
'95D2E9AB8740D8046387FD151A09227B1F435A33') #Paul Hardy
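Review bot: The integrity array changes from `sha512sums` to `sha256sums` in the same edit that adds the digests for the new patch and the grub-extras tarball, and neither the commit title nor a comment says why. SHA-256 is adequate here, but replacing the algorithm and every value at once means no entry can be compared with the previous revision. A reviewer has to re-download and re-hash every source to confirm that only the intended ones changed. Making the algorithm switch in its own commit, or noting it in the message, keeps the change auditable. The array starts outside this hunk's changed lines, so the position-to-source mapping has to be checked against the full `source=()` list.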
@@ -113,6 +116,9 @@ prepare() {
## Based on http://lists.gnu.org/archive/html/grub-devel/2012-02/msg00021.html
patch -Np1 -i "${srcdir}/0004-add-GRUB_COLOR_variables.patch"
+ msg "Patch to allow GRUB to mount ext2/3/4 filesystems that have the encryption feature"
+ patch -Np1 -i "${srcdir}/0005-Allow_GRUB_to_mount_ext234_filesystems_that_have_the_encryption_feature.patch"
+
msg 'Fix DejaVuSans.ttf location so that grub-mkfont can create *.pf2 files for starfield theme'
sed 's|/usr/share/fonts/dejavu|/usr/share/fonts/dejavu /usr/share/fonts/TTF|g' -i "configure.ac"
@@ -128,12 +134,14 @@ prepare() {
msg 'Remove not working langs which need LC_ALL=C.UTF-8'
sed -e 's#en@cyrillic en@greek##g' -i "po/LINGUAS"
- msg 'Avoid problem with unifont during compile of grub, http://savannah.gnu.org/bugs/?40330 and https://bugs.archlinux.org/task/37847'
+ msg "Avoid problem with unifont during compile of grub"
+ # http://savannah.gnu.org/bugs/?40330 and https://bugs.archlinux.org/task/37847
cp "${srcdir}/unifont-${_UNIFONT_VER}.bdf" "unifont.bdf"
msg "Add the grub-extra sources for BIOS build"
install -d "grub-extras"
- cp -r "${srcdir}/grub-extras/915resolution" "grub-extras/915resolution"
+ cp -r "${srcdir}/grub-extras-${_GRUB_EXTRAS_COMMIT}/915resolution" \
+ "grub-extras/915resolution"
export GRUB_CONTRIB="${srcdir}/grub-${pkgver}/grub-extras/"
}
diff --git a/libre/grub/grub.default b/libre/grub/grub.default
index 56585a47d..af9d70ca9 100644
--- a/libre/grub/grub.default
+++ b/libre/grub/grub.default
@@ -1,3 +1,5 @@
+# GRUB boot loader configuration
+
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="Parabola"
@@ -7,6 +9,9 @@ GRUB_CMDLINE_LINUX=""
# Preload both GPT and MBR modules so that they are not missed
GRUB_PRELOAD_MODULES="part_gpt part_msdos"
+# Uncomment to enable booting from LUKS encrypted devices
+#GRUB_ENABLE_CRYPTODISK=y
+
# Uncomment to enable Hidden Menu, and optionally hide the timeout count
#GRUB_HIDDEN_TIMEOUT=5
#GRUB_HIDDEN_TIMEOUT_QUIET=true
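Review bot: The comment on `#GRUB_ENABLE_CRYPTODISK=y` could say that the setting concerns block-level LUKS volumes and is unrelated to the ext4 `encrypt` feature handled by the patch added in this commit, since the two land together and are easy to confuse. Suggested wording: `# Uncomment if GRUB itself must unlock a LUKS device to read /boot (unrelated to ext4 per-file encryption)`. According to the patch description, GRUB still cannot read encrypted ext4 files and only reports an error for them, so boot files must stay unencrypted on such a filesystem.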
@@ -25,14 +30,14 @@ GRUB_GFXMODE=auto
# Uncomment to allow the kernel use the same resolution used by grub
GRUB_GFXPAYLOAD_LINUX=keep
-# Uncomment if you want GRUB to pass to the Linux kernel the old parameter
-# format "root=/dev/xxx" instead of "root=/dev/disk/by-uuid/xxx"
+# Uncomment if you want GRUB to pass to the Linux kernel the old parameter
+# format "root=/dev/xxx" instead of "root=/dev/disk/by-uuid/xxx"
#GRUB_DISABLE_LINUX_UUID=true
# Uncomment to disable generation of recovery mode menu entries
GRUB_DISABLE_RECOVERY=true
-# Uncomment and set to the desired menu colors. Used by normal and wallpaper
+# Uncomment and set to the desired menu colors. Used by normal and wallpaper
# modes only. Entries specified as foreground/background.
GRUB_COLOR_NORMAL="magenta/black"
GRUB_COLOR_HIGHLIGHT="white/magenta"
@@ -44,6 +49,8 @@ GRUB_COLOR_HIGHLIGHT="white/magenta"
# Uncomment to get a beep at GRUB start
#GRUB_INIT_TUNE="480 440 1"
+# Uncomment to make GRUB remember the last selection. This requires to
+# set 'GRUB_DEFAULT=saved' above.
#GRUB_SAVEDEFAULT="true"
# Disable advanced submenu