From 1b62a191217d91dc663f55d8e3304b60e15a5581 Mon Sep 17 00:00:00 2001
From: Omar Vega Ramos
Date: Sat, 21 Oct 2017 13:01:06 -0500
Subject: grub-2:2.02-3.parabola1: Allow GRUB to mount ext2/3/4 filesystems that have the encryption feature - FS#51879 -> https://bugs.archlinux.org/task/51879
---
 ...esystems_that_have_the_encryption_feature.patch | 140 +++++++++++++++++++++
 libre/grub/PKGBUILD | 48 ++++---
 libre/grub/grub.default | 13 +-
 3 files changed, 178 insertions(+), 23 deletions(-)
 create mode 100644 libre/grub/0005-Allow_GRUB_to_mount_ext234_filesystems_that_have_the_encryption_feature.patch
(limited to 'libre/grub')
diff --git a/libre/grub/0005-Allow_GRUB_to_mount_ext234_filesystems_that_have_the_encryption_feature.patch b/libre/grub/0005-Allow_GRUB_to_mount_ext234_filesystems_that_have_the_encryption_feature.patch
new file mode 100644
index 000000000..22d62926f
--- /dev/null
+++ b/libre/grub/0005-Allow_GRUB_to_mount_ext234_filesystems_that_have_the_encryption_feature.patch
@@ -0,0 +1,140 @@
+From 734668238fcc0ef691a080839e04f33854fa133a Mon Sep 17 00:00:00 2001
+From: Eric Biggers
+Date: Thu, 29 Jun 2017 13:27:49 +0000
+Subject: Allow GRUB to mount ext2/3/4 filesystems that have the encryption
+ feature.
+
+On such a filesystem, inodes may have EXT4_ENCRYPT_FLAG set.
+For a regular file, this means its contents are encrypted; for a
+directory, this means the filenames in its directory entries are
+encrypted; and for a symlink, this means its target is encrypted. Since
+GRUB cannot decrypt encrypted contents or filenames, just issue an error
+if it would need to do so. This is sufficient to allow unencrypted boot
+files to co-exist with encrypted files elsewhere on the filesystem.
+
+(Note that encrypted regular files and symlinks will not normally be
+encountered outside an encrypted directory; however, it's possible via
+hard links, so they still need to be handled.)
+
+Tested by booting from an ext4 /boot partition on which I had run
+'tune2fs -O encrypt'. I also verified that the expected error messages
+are printed when trying to access encrypted directories, files, and
+symlinks from the GRUB command line. Also ran 'sudo ./grub-fs-tester
+ext4_encrypt'; note that this requires e2fsprogs v1.43+ and Linux v4.1+.
+
+Signed-off-by: Eric Biggers
+---
+ grub-core/fs/ext2.c | 23 ++++++++++++++++++++++-
+ tests/ext234_test.in | 1 +
+ tests/util/grub-fs-tester.in | 10 ++++++++++
+ 3 files changed, 33 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/fs/ext2.c b/grub-core/fs/ext2.c
+index cdce63b..b8ad75a 100644
+--- a/grub-core/fs/ext2.c
++++ b/grub-core/fs/ext2.c
+@@ -102,6 +102,7 @@ GRUB_MOD_LICENSE ("GPLv3+");
+ #define EXT4_FEATURE_INCOMPAT_64BIT 0x0080
+ #define EXT4_FEATURE_INCOMPAT_MMP 0x0100
+ #define EXT4_FEATURE_INCOMPAT_FLEX_BG 0x0200
++#define EXT4_FEATURE_INCOMPAT_ENCRYPT 0x10000
+
+ /* The set of back-incompatible features this driver DOES support. Add (OR)
+ * flags here as the related features are implemented into the driver. */
+@@ -109,7 +110,8 @@ GRUB_MOD_LICENSE ("GPLv3+");
+ | EXT4_FEATURE_INCOMPAT_EXTENTS \
+ | EXT4_FEATURE_INCOMPAT_FLEX_BG \
+ | EXT2_FEATURE_INCOMPAT_META_BG \
+- | EXT4_FEATURE_INCOMPAT_64BIT)
++ | EXT4_FEATURE_INCOMPAT_64BIT \
++ | EXT4_FEATURE_INCOMPAT_ENCRYPT)
+ /* List of rationales for the ignored "incompatible" features:
+ * needs_recovery: Not really back-incompatible - was added as such to forbid
+ * ext2 drivers from mounting an ext3 volume with a dirty
+@@ -138,6 +140,7 @@ GRUB_MOD_LICENSE ("GPLv3+");
+ #define EXT3_JOURNAL_FLAG_DELETED 4
+ #define EXT3_JOURNAL_FLAG_LAST_TAG 8
+
++#define EXT4_ENCRYPT_FLAG 0x800
+ #define EXT4_EXTENTS_FLAG 0x80000
+
+ /* The ext2 superblock. */
+@@ -706,6 +709,12 @@ grub_ext2_read_symlink (grub_fshelp_node_t node)
+ grub_ext2_read_inode (diro->data, diro->ino, &diro->inode);
+ if (grub_errno)
+ return 0;
++
++ if (diro->inode.flags & grub_cpu_to_le32_compile_time (EXT4_ENCRYPT_FLAG))
++ {
++ grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET, "symlink is encrypted");
++ return 0;
++ }
+ }
+
+ symlink = grub_malloc (grub_le_to_cpu32 (diro->inode.size) + 1);
+@@ -749,6 +758,12 @@ grub_ext2_iterate_dir (grub_fshelp_node_t dir,
+ return 0;
+ }
+
++ if (diro->inode.flags & grub_cpu_to_le32_compile_time (EXT4_ENCRYPT_FLAG))
++ {
++ grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET, "directory is encrypted");
++ return 0;
++ }
++
+ /* Search the file. */
+ while (fpos < grub_le_to_cpu32 (diro->inode.size))
+ {
+@@ -859,6 +874,12 @@ grub_ext2_open (struct grub_file *file, const char *name)
+ goto fail;
+ }
+
++ if (fdiro->inode.flags & grub_cpu_to_le32_compile_time (EXT4_ENCRYPT_FLAG))
++ {
++ err = grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET, "file is encrypted");
++ goto fail;
++ }
++
+ grub_memcpy (data->inode, &fdiro->inode, sizeof (struct grub_ext2_inode));
+ grub_free (fdiro);
+
+diff --git a/tests/ext234_test.in b/tests/ext234_test.in
+index 892b99c..4f1eb52 100644
+--- a/tests/ext234_test.in
++++ b/tests/ext234_test.in
+@@ -30,3 +30,4 @@ fi
+ "@builddir@/grub-fs-tester" ext3
+ "@builddir@/grub-fs-tester" ext4
+ "@builddir@/grub-fs-tester" ext4_metabg
++"@builddir@/grub-fs-tester" ext4_encrypt
+diff --git a/tests/util/grub-fs-tester.in b/tests/util/grub-fs-tester.in
+index 88cbe73..fd7e0f1 100644
+--- a/tests/util/grub-fs-tester.in
++++ b/tests/util/grub-fs-tester.in
+@@ -156,6 +156,12 @@ for LOGSECSIZE in $(range "$MINLOGSECSIZE" "$MAXLOGSECSIZE" 1); do
+ # Could go further but what's the point?
+ MAXBLKSIZE=$((65536*1024))
+ ;;
++ xext4_encrypt)
++ # OS LIMITATION: Linux currently only allows the 'encrypt' feature
++ # in combination with block_size = PAGE_SIZE (4096 bytes on x86).
++ MINBLKSIZE=$(getconf PAGE_SIZE)
++ MAXBLKSIZE=$MINBLKSIZE
++ ;;
+ xext*)
+ MINBLKSIZE=1024
+ if [ $MINBLKSIZE -lt $SECSIZE ]; then
+@@ -796,6 +802,10 @@ for LOGSECSIZE in $(range "$MINLOGSECSIZE" "$MAXLOGSECSIZE" 1); do
+ MKE2FS_DEVICE_SECTSIZE=$SECSIZE "mkfs.ext4" -O meta_bg,^resize_inode -b $BLKSIZE -L "$FSLABEL" -q "${MOUNTDEVICE}"
+ MOUNTFS=ext4
+ ;;
++ xext4_encrypt)
++ MKE2FS_DEVICE_SECTSIZE=$SECSIZE "mkfs.ext4" -O encrypt -b $BLKSIZE -L "$FSLABEL" -q "${MOUNTDEVICE}"
++ MOUNTFS=ext4
++ ;;
+ xext*)
+ MKE2FS_DEVICE_SECTSIZE=$SECSIZE "mkfs.$fs" -b $BLKSIZE -L "$FSLABEL" -q "${MOUNTDEVICE}" ;;
+ xxfs)
+--
+cgit v1.0-41-gc330
+
diff --git a/libre/grub/PKGBUILD b/libre/grub/PKGBUILD
index 30aa70888..a2628e2dd 100644
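Review bot: In the grub_ext2_read_symlink hunk of the added ext2.c patch, the new `EXT4_ENCRYPT_FLAG` test is placed before the closing `}` that follows it as context, so it runs only inside a block opened above the hunk, right after `grub_ext2_read_inode`. The opening condition is not visible here, but if that block is skipped when the node's inode has already been loaded, an encrypted symlink reached that way would go on to `grub_malloc (grub_le_to_cpu32 (diro->inode.size) + 1)` and its ciphertext target would be handled as a path. Moving the five added lines below that `}` would make the rejection unconditional, which is how the test appears to be placed in the grub_ext2_iterate_dir and grub_ext2_open hunks. If the backport has to stay byte-identical to upstream, the placement is worth raising with upstream instead of changing locally.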
--- a/libre/grub/PKGBUILD
+++ b/libre/grub/PKGBUILD
@@ -2,8 +2,9 @@
 # Maintainer (Arch): Ronald van Haren
 # Contributor (Arch): Tobias Powalowski
 # Contributor (Arch): Keshav Amburay <(the ddoott ridikulus ddoott rat) (aatt) (gemmaeiil) (ddoott) (ccoomm)>
-# Maintainer: André Silva
-# Maintainer: Márcio Silva
+# Maintainer (Hyperbola): André Silva
+# Maintainer (Hyperbola): Márcio Silva
+# Maintainer: Omar Vega Ramos
 ## '1' to enable Xen support, '0' to disable
 _XEN='1'
@@ -19,7 +20,7 @@ _GRUB_EMU_BUILD='0'
 _GRUB_EXTRAS_COMMIT=f2a079441939eee7251bf141986cdd78946e1d20
-_UNIFONT_VER='9.0.06'
+_UNIFONT_VER='10.0.06'
 [[ "${CARCH}" = 'armv7h' ]] && _EFI_ARCH='arm'
 [[ "${CARCH}" = 'x86_64' ]] && _EFI_ARCH='x86_64'
@@ -38,7 +39,7 @@ pkgname=('grub')
 'grub-omap3_beagle_xm' 'grub-omap3_beagle_xm_ab')
 pkgdesc='GNU GRand Unified Bootloader (2), (Parabola rebranded)'
 pkgver='2.02'
-pkgrel='1.parabola1.2'
+pkgrel='3.parabola1'
 epoch='2'
 url='https://www.gnu.org/software/grub/'
 arch=('x86_64' 'i686' 'armv7h')
@@ -72,11 +73,12 @@ elif [[ "${CARCH}" = 'armv7h' ]]; then
 replaces=('grub-common' 'grub-emu' "grub-efi-${_EFI_ARCH}")
 fi
-source=("http://ftp.gnu.org/gnu/${pkgname}/${pkgname}-${pkgver}.tar.xz"{,.sig}
- "grub-extras::git+git://git.sv.gnu.org/grub-extras.git#commit=${_GRUB_EXTRAS_COMMIT}"
+source=("https://ftp.gnu.org/gnu/${pkgname}/${pkgname}-${pkgver}.tar.xz"{,.sig}
+ "https://git.savannah.nongnu.org/cgit/grub-extras.git/snapshot/grub-extras-${_GRUB_EXTRAS_COMMIT}.tar.gz"
 "https://ftp.gnu.org/gnu/unifont/unifont-${_UNIFONT_VER}/unifont-${_UNIFONT_VER}.bdf.gz"{,.sig}
 '0003-10_linux-20_linux_xen-detect-parabola-initramfs.patch'
 '0004-add-GRUB_COLOR_variables.patch'
+ '0005-Allow_GRUB_to_mount_ext234_filesystems_that_have_the_encryption_feature.patch'
 'grub.default'
 '0003-10_linux-20_linux_xen-detect-am335x_bone+am335x_boneblack-devicetree-file.patch'
 '0003-10_linux-20_linux_xen-detect-omap3_beagle-devicetree-file.patch'
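Review bot: The grub-extras entry in `source=(` changes from a git checkout pinned by `#commit=` to a cgit snapshot tarball with no `.sig` companion, so its checksum entry is the only integrity control left for that download. Judging by position, the following hunk replaces the matching `'SKIP'` with a digest, which covers this. cgit generates snapshots on request, so the archive bytes could change on the server side; when that happens the entry must be re-verified rather than reset to `'SKIP'`. A comment above the entry would record that, for example `# grub-extras: unsigned cgit snapshot, verified by checksum only - do not SKIP`. The GRUB and unifont tarballs keep their `{,.sig}` pairs, so the move to https needs no further change for them.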
@@ -85,20 +87,21 @@ source=("http://ftp.gnu.org/gnu/${pkgname}/${pkgname}-${pkgver}.tar.xz"{,.sig}
 '0003-10_linux-20_linux_xen-detect-udoo-devicetree-file.patch'
 '0003-10_linux-20_linux_xen-rebrand-free-distros.patch')
-sha512sums=('cc6eb0a42b5c8df2f671cc128ff725afb3ff1f8832a196022e433cf0d3b75decfca2316d0aa5fabea75747d55e88f3d021dd93508563f8ca80fd7b9e7fe1f088'
+sha256sums=('810b3798d316394f94096ec2797909dbf23c858e48f7b3830826b8daa06b7b0f'
 'SKIP'
+ '2844601914cea6b1231eca0104853a93c4d67a5209933a0766f1475953300646'
+ '0d81571fc519573057b7641d26a31ead55cc0b02a931589fb346a3a534c3dcc1'
 'SKIP'
- 'dac2becc7fa76847231ce30a4b9e22fc9d45fb50846fc7f25611c5c2cbedc31e7745d9295bab3eb7a01efad4f1f2f1161c98efa60048e756421075220817f4b8'
- 'SKIP'
- '3529ab4d08a4165e081c49dfc1cf40079ad9a1b9dd7ab6d39147fc347cb6aa615fd90292ecd5ecbfb543bf444bef27043a2392029d0210f9b4a6369365d3da1b'
- '0ae2f50a397268ea0ff46faa180e699ba956acaa68504d9dde7c33ab194430df57c2e2e5f9fe30b6c31e7806666faad4b274747ba151035e338bcaab3d875c3e'
- '96e49cf3d783f5c8caffd60ea6e72112a12854519dc89a18938f372f7413b3fe99339ed8ad9d660ba457e67436cf7c444dc852455b90efa5546729180b88c3a8'
- '04262a4a95fa58967e147e39ea71b08cc99aa32a1f0357c46292743f3ea8c05a6ff6fcfc3516a9b61a2a3050781017ed2cabf53fc327b39f7e957d0ddf778165'
- 'a406ec5a83d1c03dadc1444d91f1b5e682bc74562dcf6e455009d043015dc2316509517f61c76e2ffec4dce5d03702ae47f2dd9b25671a4d7889e2744b090631'
- '46fb2eeb2856bbdda8e115fc9beb61744e3a0bc9a178ec5d01c36a429691ca2362925382eca3144f2ee2438e69e508043d8f2445a6bef79e63e455fb08293426'
- '55fb8ea488bb0936a4830eab943cdde986f351796cea259403fa947605c9d39526e0aec987da118cc6cf4c3bbe2a56326a218fbb0709ee7717a62a36a3d31697'
- '378635a2a8a685f4efd300f19d7f2192dc664fd16811953520e0d49d90a5af377fa0dc45e0d2abc0d9f6750cd4cf885d6ef54445f7e8d3ed0025f2d087351bfc'
- 'eced721bab4256b9afb322cda7b599ac1cae9dfe2effd1d86569bd3bef056cab80783da25181e627abc2422f4048200ae8b46c7dfe5df4441a55ae00434cd172')
+ '3f68a78ecba0284b9d39af60431236cb2ebc8547d3dc1fb26a1ac7a6b9afbbc7'
+ 'a5198267ceb04dceb6d2ea7800281a42b3f91fd02da55d2cc9ea20d47273ca29'
+ '535422c510a050d41efe7720dbe54de29e04bdb8f86fd5aea5feb0b24f7abe46'
+ '959f3d8d65d9504df798924554c3de0e92dfcd39e087b099a5f5e0a9b7885102'
+ '9ece1db537a989ce4dc55ece471883e19b8ab16902f8c4feb68436c3b5700f71'
+ 'de71452b9b0fbfb08ea742e9fa217ab34fddf6312452f155fb9d82ebf1c024a5'
+ '222da944b4af43a1d86be0e3d91f2e1a82324fa51c7ad36cc25246ffa3739ab1'
+ '9002c69e74143553ef8cdd32ca04e8bdcb7a1a0ba1c4564163bae061fe68d855'
+ '6584a0dda9dbf6d70dbdfba619abbb628b1a092bd61d6d05e462d6771354223b'
+ '7374137d183957ec8834ce749163c9fa98ff8ee61bbb74b0b38e29daf93857a4')
 validpgpkeys=('E53D497F3FA42AD8C9B4D1E835A93B74E82E4209' # Vladimir 'phcoder' Serbinenko
 '95D2E9AB8740D8046387FD151A09227B1F435A33') #Paul Hardy
@@ -113,6 +116,9 @@ prepare() {
 ## Based on http://lists.gnu.org/archive/html/grub-devel/2012-02/msg00021.html
 patch -Np1 -i "${srcdir}/0004-add-GRUB_COLOR_variables.patch"
+ msg "Patch to allow GRUB to mount ext2/3/4 filesystems that have the encryption feature"
+ patch -Np1 -i "${srcdir}/0005-Allow_GRUB_to_mount_ext234_filesystems_that_have_the_encryption_feature.patch"
+
 msg 'Fix DejaVuSans.ttf location so that grub-mkfont can create *.pf2 files for starfield theme'
 sed 's|/usr/share/fonts/dejavu|/usr/share/fonts/dejavu /usr/share/fonts/TTF|g' -i "configure.ac"
@@ -128,12 +134,14 @@ prepare() {
 msg 'Remove not working langs which need LC_ALL=C.UTF-8'
 sed -e 's#en@cyrillic en@greek##g' -i "po/LINGUAS"
- msg 'Avoid problem with unifont during compile of grub, http://savannah.gnu.org/bugs/?40330 and https://bugs.archlinux.org/task/37847'
+ msg "Avoid problem with unifont during compile of grub"
+ # http://savannah.gnu.org/bugs/?40330 and https://bugs.archlinux.org/task/37847
 cp "${srcdir}/unifont-${_UNIFONT_VER}.bdf" "unifont.bdf"
 msg "Add the grub-extra sources for BIOS build"
 install -d "grub-extras"
- cp -r "${srcdir}/grub-extras/915resolution" "grub-extras/915resolution"
+ cp -r "${srcdir}/grub-extras-${_GRUB_EXTRAS_COMMIT}/915resolution" \
+ "grub-extras/915resolution"
 export GRUB_CONTRIB="${srcdir}/grub-${pkgver}/grub-extras/"
 }
diff --git a/libre/grub/grub.default b/libre/grub/grub.default
index 56585a47d..af9d70ca9 100644
--- a/libre/grub/grub.default
+++ b/libre/grub/grub.default
@@ -1,3 +1,5 @@
+# GRUB boot loader configuration
+
 GRUB_DEFAULT=0
 GRUB_TIMEOUT=5
 GRUB_DISTRIBUTOR="Parabola"
@@ -7,6 +9,9 @@ GRUB_CMDLINE_LINUX=""
 # Preload both GPT and MBR modules so that they are not missed
 GRUB_PRELOAD_MODULES="part_gpt part_msdos"
+# Uncomment to enable booting from LUKS encrypted devices
+#GRUB_ENABLE_CRYPTODISK=y
+
 # Uncomment to enable Hidden Menu, and optionally hide the timeout count
 #GRUB_HIDDEN_TIMEOUT=5
 #GRUB_HIDDEN_TIMEOUT_QUIET=true
@@ -25,14 +30,14 @@ GRUB_GFXMODE=auto
 # Uncomment to allow the kernel use the same resolution used by grub
 GRUB_GFXPAYLOAD_LINUX=keep
-# Uncomment if you want GRUB to pass to the Linux kernel the old parameter
-# format "root=/dev/xxx" instead of "root=/dev/disk/by-uuid/xxx"
+# Uncomment if you want GRUB to pass to the Linux kernel the old parameter
+# format "root=/dev/xxx" instead of "root=/dev/disk/by-uuid/xxx"
 #GRUB_DISABLE_LINUX_UUID=true
 # Uncomment to disable generation of recovery mode menu entries
 GRUB_DISABLE_RECOVERY=true
-# Uncomment and set to the desired menu colors. Used by normal and wallpaper
+# Uncomment and set to the desired menu colors. Used by normal and wallpaper
 # modes only. Entries specified as foreground/background.
 GRUB_COLOR_NORMAL="magenta/black"
 GRUB_COLOR_HIGHLIGHT="white/magenta"
@@ -44,6 +49,8 @@ GRUB_COLOR_HIGHLIGHT="white/magenta"
 # Uncomment to get a beep at GRUB start
 #GRUB_INIT_TUNE="480 440 1"
+# Uncomment to make GRUB remember the last selection. This requires to
+# set 'GRUB_DEFAULT=saved' above.
 #GRUB_SAVEDEFAULT="true"
 # Disable advanced submenu
--
cgit v1.2.2