From 91873762712707aaf573dd5a08624447b6aeccfe Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Fri, 8 Sep 2017 10:09:30 +0000 Subject: [PATCH] upgpkg: 2:2.02-2 Allow GRUB to mount ext2/3/4 filesystems that have the encryption feature (FS#51879) --- ...ems_that_have_the_encryption_feature.patch | 140 ++++++++++++++++++ PKGBUILD | 8 +- 2 files changed, 147 insertions(+), 1 deletion(-) create mode 100644 0005-Allow_GRUB_to_mount_ext234_filesystems_that_have_the_encryption_feature.patch diff --git a/0005-Allow_GRUB_to_mount_ext234_filesystems_that_have_the_encryption_feature.patch b/0005-Allow_GRUB_to_mount_ext234_filesystems_that_have_the_encryption_feature.patch new file mode 100644 index 0000000..22d6292 --- /dev/null +++ b/0005-Allow_GRUB_to_mount_ext234_filesystems_that_have_the_encryption_feature.patch @@ -0,0 +1,140 @@ +From 734668238fcc0ef691a080839e04f33854fa133a Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Thu, 29 Jun 2017 13:27:49 +0000 +Subject: Allow GRUB to mount ext2/3/4 filesystems that have the encryption + feature. + +On such a filesystem, inodes may have EXT4_ENCRYPT_FLAG set. +For a regular file, this means its contents are encrypted; for a +directory, this means the filenames in its directory entries are +encrypted; and for a symlink, this means its target is encrypted. Since +GRUB cannot decrypt encrypted contents or filenames, just issue an error +if it would need to do so. This is sufficient to allow unencrypted boot +files to co-exist with encrypted files elsewhere on the filesystem. + +(Note that encrypted regular files and symlinks will not normally be +encountered outside an encrypted directory; however, it's possible via +hard links, so they still need to be handled.) + +Tested by booting from an ext4 /boot partition on which I had run +'tune2fs -O encrypt'. I also verified that the expected error messages +are printed when trying to access encrypted directories, files, and +symlinks from the GRUB command line. Also ran 'sudo ./grub-fs-tester +ext4_encrypt'; note that this requires e2fsprogs v1.43+ and Linux v4.1+. + +Signed-off-by: Eric Biggers +--- + grub-core/fs/ext2.c | 23 ++++++++++++++++++++++- + tests/ext234_test.in | 1 + + tests/util/grub-fs-tester.in | 10 ++++++++++ + 3 files changed, 33 insertions(+), 1 deletion(-) + +diff --git a/grub-core/fs/ext2.c b/grub-core/fs/ext2.c +index cdce63b..b8ad75a 100644 +--- a/grub-core/fs/ext2.c ++++ b/grub-core/fs/ext2.c +@@ -102,6 +102,7 @@ GRUB_MOD_LICENSE ("GPLv3+"); + #define EXT4_FEATURE_INCOMPAT_64BIT 0x0080 + #define EXT4_FEATURE_INCOMPAT_MMP 0x0100 + #define EXT4_FEATURE_INCOMPAT_FLEX_BG 0x0200 ++#define EXT4_FEATURE_INCOMPAT_ENCRYPT 0x10000 + + /* The set of back-incompatible features this driver DOES support. Add (OR) + * flags here as the related features are implemented into the driver. */ +@@ -109,7 +110,8 @@ GRUB_MOD_LICENSE ("GPLv3+"); + | EXT4_FEATURE_INCOMPAT_EXTENTS \ + | EXT4_FEATURE_INCOMPAT_FLEX_BG \ + | EXT2_FEATURE_INCOMPAT_META_BG \ +- | EXT4_FEATURE_INCOMPAT_64BIT) ++ | EXT4_FEATURE_INCOMPAT_64BIT \ ++ | EXT4_FEATURE_INCOMPAT_ENCRYPT) + /* List of rationales for the ignored "incompatible" features: + * needs_recovery: Not really back-incompatible - was added as such to forbid + * ext2 drivers from mounting an ext3 volume with a dirty +@@ -138,6 +140,7 @@ GRUB_MOD_LICENSE ("GPLv3+"); + #define EXT3_JOURNAL_FLAG_DELETED 4 + #define EXT3_JOURNAL_FLAG_LAST_TAG 8 + ++#define EXT4_ENCRYPT_FLAG 0x800 + #define EXT4_EXTENTS_FLAG 0x80000 + + /* The ext2 superblock. */ +@@ -706,6 +709,12 @@ grub_ext2_read_symlink (grub_fshelp_node_t node) + grub_ext2_read_inode (diro->data, diro->ino, &diro->inode); + if (grub_errno) + return 0; ++ ++ if (diro->inode.flags & grub_cpu_to_le32_compile_time (EXT4_ENCRYPT_FLAG)) ++ { ++ grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET, "symlink is encrypted"); ++ return 0; ++ } + } + + symlink = grub_malloc (grub_le_to_cpu32 (diro->inode.size) + 1); +@@ -749,6 +758,12 @@ grub_ext2_iterate_dir (grub_fshelp_node_t dir, + return 0; + } + ++ if (diro->inode.flags & grub_cpu_to_le32_compile_time (EXT4_ENCRYPT_FLAG)) ++ { ++ grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET, "directory is encrypted"); ++ return 0; ++ } ++ + /* Search the file. */ + while (fpos < grub_le_to_cpu32 (diro->inode.size)) + { +@@ -859,6 +874,12 @@ grub_ext2_open (struct grub_file *file, const char *name) + goto fail; + } + ++ if (fdiro->inode.flags & grub_cpu_to_le32_compile_time (EXT4_ENCRYPT_FLAG)) ++ { ++ err = grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET, "file is encrypted"); ++ goto fail; ++ } ++ + grub_memcpy (data->inode, &fdiro->inode, sizeof (struct grub_ext2_inode)); + grub_free (fdiro); + +diff --git a/tests/ext234_test.in b/tests/ext234_test.in +index 892b99c..4f1eb52 100644 +--- a/tests/ext234_test.in ++++ b/tests/ext234_test.in +@@ -30,3 +30,4 @@ fi + "@builddir@/grub-fs-tester" ext3 + "@builddir@/grub-fs-tester" ext4 + "@builddir@/grub-fs-tester" ext4_metabg ++"@builddir@/grub-fs-tester" ext4_encrypt +diff --git a/tests/util/grub-fs-tester.in b/tests/util/grub-fs-tester.in +index 88cbe73..fd7e0f1 100644 +--- a/tests/util/grub-fs-tester.in ++++ b/tests/util/grub-fs-tester.in +@@ -156,6 +156,12 @@ for LOGSECSIZE in $(range "$MINLOGSECSIZE" "$MAXLOGSECSIZE" 1); do + # Could go further but what's the point? + MAXBLKSIZE=$((65536*1024)) + ;; ++ xext4_encrypt) ++ # OS LIMITATION: Linux currently only allows the 'encrypt' feature ++ # in combination with block_size = PAGE_SIZE (4096 bytes on x86). ++ MINBLKSIZE=$(getconf PAGE_SIZE) ++ MAXBLKSIZE=$MINBLKSIZE ++ ;; + xext*) + MINBLKSIZE=1024 + if [ $MINBLKSIZE -lt $SECSIZE ]; then +@@ -796,6 +802,10 @@ for LOGSECSIZE in $(range "$MINLOGSECSIZE" "$MAXLOGSECSIZE" 1); do + MKE2FS_DEVICE_SECTSIZE=$SECSIZE "mkfs.ext4" -O meta_bg,^resize_inode -b $BLKSIZE -L "$FSLABEL" -q "${MOUNTDEVICE}" + MOUNTFS=ext4 + ;; ++ xext4_encrypt) ++ MKE2FS_DEVICE_SECTSIZE=$SECSIZE "mkfs.ext4" -O encrypt -b $BLKSIZE -L "$FSLABEL" -q "${MOUNTDEVICE}" ++ MOUNTFS=ext4 ++ ;; + xext*) + MKE2FS_DEVICE_SECTSIZE=$SECSIZE "mkfs.$fs" -b $BLKSIZE -L "$FSLABEL" -q "${MOUNTDEVICE}" ;; + xxfs) +-- +cgit v1.0-41-gc330 + diff --git a/PKGBUILD b/PKGBUILD index d0167c5..f5f5e48 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -22,7 +22,7 @@ _UNIFONT_VER="9.0.06" pkgname="grub" pkgdesc="GNU GRand Unified Bootloader (2)" pkgver=2.02 -pkgrel=1 +pkgrel=2 epoch=2 url="https://www.gnu.org/software/grub/" arch=('x86_64' 'i686') @@ -63,6 +63,7 @@ source=("https://ftp.gnu.org/gnu/${pkgname}/${pkgname}-${pkgver}.tar.xz"{,.sig} '0002-intel-ucode.patch' '0003-10_linux-detect-archlinux-initramfs.patch' '0004-add-GRUB_COLOR_variables.patch' + '0005-Allow_GRUB_to_mount_ext234_filesystems_that_have_the_encryption_feature.patch' 'grub.default' 'grub.cfg') @@ -74,6 +75,7 @@ sha256sums=('810b3798d316394f94096ec2797909dbf23c858e48f7b3830826b8daa06b7b0f' '37adb95049f6cdcbdbf60ed6b6440c5be99a4cd307a0f96c3c3837b6c2e07f3c' 'b41e4438319136b5e74e0abdfcb64ae115393e4e15207490272c425f54026dd3' 'a5198267ceb04dceb6d2ea7800281a42b3f91fd02da55d2cc9ea20d47273ca29' + '535422c510a050d41efe7720dbe54de29e04bdb8f86fd5aea5feb0b24f7abe46' 'df764fbd876947dea973017f95371e53833bf878458140b09f0b70d900235676' 'c5e4f3836130c6885e9273c21f057263eba53f4b7c0e2f111f6e5f2e487a47ad') @@ -93,6 +95,10 @@ prepare() { patch -Np1 -i "${srcdir}/0004-add-GRUB_COLOR_variables.patch" echo + msg "Patch to allow GRUB to mount ext2/3/4 filesystems that have the encryption feature" + patch -Np1 -i "${srcdir}/0005-Allow_GRUB_to_mount_ext234_filesystems_that_have_the_encryption_feature.patch" + echo + msg "Fix DejaVuSans.ttf location so that grub-mkfont can create *.pf2 files for starfield theme" sed 's|/usr/share/fonts/dejavu|/usr/share/fonts/dejavu /usr/share/fonts/TTF|g' -i "configure.ac"