upgpkg: 2:2.02-2

Allow GRUB to mount ext2/3/4 filesystems that have the encryption feature (FS#51879)
This commit is contained in:
Christian Hesse 2017-09-08 10:09:30 +00:00
parent 133361bf63
commit 9187376271
2 changed files with 147 additions and 1 deletions

View File

@ -0,0 +1,140 @@
From 734668238fcc0ef691a080839e04f33854fa133a Mon Sep 17 00:00:00 2001
From: Eric Biggers <ebiggers@google.com>
Date: Thu, 29 Jun 2017 13:27:49 +0000
Subject: Allow GRUB to mount ext2/3/4 filesystems that have the encryption
feature.
On such a filesystem, inodes may have EXT4_ENCRYPT_FLAG set.
For a regular file, this means its contents are encrypted; for a
directory, this means the filenames in its directory entries are
encrypted; and for a symlink, this means its target is encrypted. Since
GRUB cannot decrypt encrypted contents or filenames, just issue an error
if it would need to do so. This is sufficient to allow unencrypted boot
files to co-exist with encrypted files elsewhere on the filesystem.
(Note that encrypted regular files and symlinks will not normally be
encountered outside an encrypted directory; however, it's possible via
hard links, so they still need to be handled.)
Tested by booting from an ext4 /boot partition on which I had run
'tune2fs -O encrypt'. I also verified that the expected error messages
are printed when trying to access encrypted directories, files, and
symlinks from the GRUB command line. Also ran 'sudo ./grub-fs-tester
ext4_encrypt'; note that this requires e2fsprogs v1.43+ and Linux v4.1+.
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
grub-core/fs/ext2.c | 23 ++++++++++++++++++++++-
tests/ext234_test.in | 1 +
tests/util/grub-fs-tester.in | 10 ++++++++++
3 files changed, 33 insertions(+), 1 deletion(-)
diff --git a/grub-core/fs/ext2.c b/grub-core/fs/ext2.c
index cdce63b..b8ad75a 100644
--- a/grub-core/fs/ext2.c
+++ b/grub-core/fs/ext2.c
@@ -102,6 +102,7 @@ GRUB_MOD_LICENSE ("GPLv3+");
#define EXT4_FEATURE_INCOMPAT_64BIT 0x0080
#define EXT4_FEATURE_INCOMPAT_MMP 0x0100
#define EXT4_FEATURE_INCOMPAT_FLEX_BG 0x0200
+#define EXT4_FEATURE_INCOMPAT_ENCRYPT 0x10000
/* The set of back-incompatible features this driver DOES support. Add (OR)
* flags here as the related features are implemented into the driver. */
@@ -109,7 +110,8 @@ GRUB_MOD_LICENSE ("GPLv3+");
| EXT4_FEATURE_INCOMPAT_EXTENTS \
| EXT4_FEATURE_INCOMPAT_FLEX_BG \
| EXT2_FEATURE_INCOMPAT_META_BG \
- | EXT4_FEATURE_INCOMPAT_64BIT)
+ | EXT4_FEATURE_INCOMPAT_64BIT \
+ | EXT4_FEATURE_INCOMPAT_ENCRYPT)
/* List of rationales for the ignored "incompatible" features:
* needs_recovery: Not really back-incompatible - was added as such to forbid
* ext2 drivers from mounting an ext3 volume with a dirty
@@ -138,6 +140,7 @@ GRUB_MOD_LICENSE ("GPLv3+");
#define EXT3_JOURNAL_FLAG_DELETED 4
#define EXT3_JOURNAL_FLAG_LAST_TAG 8
+#define EXT4_ENCRYPT_FLAG 0x800
#define EXT4_EXTENTS_FLAG 0x80000
/* The ext2 superblock. */
@@ -706,6 +709,12 @@ grub_ext2_read_symlink (grub_fshelp_node_t node)
grub_ext2_read_inode (diro->data, diro->ino, &diro->inode);
if (grub_errno)
return 0;
+
+ if (diro->inode.flags & grub_cpu_to_le32_compile_time (EXT4_ENCRYPT_FLAG))
+ {
+ grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET, "symlink is encrypted");
+ return 0;
+ }
}
symlink = grub_malloc (grub_le_to_cpu32 (diro->inode.size) + 1);
@@ -749,6 +758,12 @@ grub_ext2_iterate_dir (grub_fshelp_node_t dir,
return 0;
}
+ if (diro->inode.flags & grub_cpu_to_le32_compile_time (EXT4_ENCRYPT_FLAG))
+ {
+ grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET, "directory is encrypted");
+ return 0;
+ }
+
/* Search the file. */
while (fpos < grub_le_to_cpu32 (diro->inode.size))
{
@@ -859,6 +874,12 @@ grub_ext2_open (struct grub_file *file, const char *name)
goto fail;
}
+ if (fdiro->inode.flags & grub_cpu_to_le32_compile_time (EXT4_ENCRYPT_FLAG))
+ {
+ err = grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET, "file is encrypted");
+ goto fail;
+ }
+
grub_memcpy (data->inode, &fdiro->inode, sizeof (struct grub_ext2_inode));
grub_free (fdiro);
diff --git a/tests/ext234_test.in b/tests/ext234_test.in
index 892b99c..4f1eb52 100644
--- a/tests/ext234_test.in
+++ b/tests/ext234_test.in
@@ -30,3 +30,4 @@ fi
"@builddir@/grub-fs-tester" ext3
"@builddir@/grub-fs-tester" ext4
"@builddir@/grub-fs-tester" ext4_metabg
+"@builddir@/grub-fs-tester" ext4_encrypt
diff --git a/tests/util/grub-fs-tester.in b/tests/util/grub-fs-tester.in
index 88cbe73..fd7e0f1 100644
--- a/tests/util/grub-fs-tester.in
+++ b/tests/util/grub-fs-tester.in
@@ -156,6 +156,12 @@ for LOGSECSIZE in $(range "$MINLOGSECSIZE" "$MAXLOGSECSIZE" 1); do
# Could go further but what's the point?
MAXBLKSIZE=$((65536*1024))
;;
+ xext4_encrypt)
+ # OS LIMITATION: Linux currently only allows the 'encrypt' feature
+ # in combination with block_size = PAGE_SIZE (4096 bytes on x86).
+ MINBLKSIZE=$(getconf PAGE_SIZE)
+ MAXBLKSIZE=$MINBLKSIZE
+ ;;
xext*)
MINBLKSIZE=1024
if [ $MINBLKSIZE -lt $SECSIZE ]; then
@@ -796,6 +802,10 @@ for LOGSECSIZE in $(range "$MINLOGSECSIZE" "$MAXLOGSECSIZE" 1); do
MKE2FS_DEVICE_SECTSIZE=$SECSIZE "mkfs.ext4" -O meta_bg,^resize_inode -b $BLKSIZE -L "$FSLABEL" -q "${MOUNTDEVICE}"
MOUNTFS=ext4
;;
+ xext4_encrypt)
+ MKE2FS_DEVICE_SECTSIZE=$SECSIZE "mkfs.ext4" -O encrypt -b $BLKSIZE -L "$FSLABEL" -q "${MOUNTDEVICE}"
+ MOUNTFS=ext4
+ ;;
xext*)
MKE2FS_DEVICE_SECTSIZE=$SECSIZE "mkfs.$fs" -b $BLKSIZE -L "$FSLABEL" -q "${MOUNTDEVICE}" ;;
xxfs)
--
cgit v1.0-41-gc330

View File

@ -22,7 +22,7 @@ _UNIFONT_VER="9.0.06"
pkgname="grub" pkgname="grub"
pkgdesc="GNU GRand Unified Bootloader (2)" pkgdesc="GNU GRand Unified Bootloader (2)"
pkgver=2.02 pkgver=2.02
pkgrel=1 pkgrel=2
epoch=2 epoch=2
url="https://www.gnu.org/software/grub/" url="https://www.gnu.org/software/grub/"
arch=('x86_64' 'i686') arch=('x86_64' 'i686')
@ -63,6 +63,7 @@ source=("https://ftp.gnu.org/gnu/${pkgname}/${pkgname}-${pkgver}.tar.xz"{,.sig}
'0002-intel-ucode.patch' '0002-intel-ucode.patch'
'0003-10_linux-detect-archlinux-initramfs.patch' '0003-10_linux-detect-archlinux-initramfs.patch'
'0004-add-GRUB_COLOR_variables.patch' '0004-add-GRUB_COLOR_variables.patch'
'0005-Allow_GRUB_to_mount_ext234_filesystems_that_have_the_encryption_feature.patch'
'grub.default' 'grub.default'
'grub.cfg') 'grub.cfg')
@ -74,6 +75,7 @@ sha256sums=('810b3798d316394f94096ec2797909dbf23c858e48f7b3830826b8daa06b7b0f'
'37adb95049f6cdcbdbf60ed6b6440c5be99a4cd307a0f96c3c3837b6c2e07f3c' '37adb95049f6cdcbdbf60ed6b6440c5be99a4cd307a0f96c3c3837b6c2e07f3c'
'b41e4438319136b5e74e0abdfcb64ae115393e4e15207490272c425f54026dd3' 'b41e4438319136b5e74e0abdfcb64ae115393e4e15207490272c425f54026dd3'
'a5198267ceb04dceb6d2ea7800281a42b3f91fd02da55d2cc9ea20d47273ca29' 'a5198267ceb04dceb6d2ea7800281a42b3f91fd02da55d2cc9ea20d47273ca29'
'535422c510a050d41efe7720dbe54de29e04bdb8f86fd5aea5feb0b24f7abe46'
'df764fbd876947dea973017f95371e53833bf878458140b09f0b70d900235676' 'df764fbd876947dea973017f95371e53833bf878458140b09f0b70d900235676'
'c5e4f3836130c6885e9273c21f057263eba53f4b7c0e2f111f6e5f2e487a47ad') 'c5e4f3836130c6885e9273c21f057263eba53f4b7c0e2f111f6e5f2e487a47ad')
@ -93,6 +95,10 @@ prepare() {
patch -Np1 -i "${srcdir}/0004-add-GRUB_COLOR_variables.patch" patch -Np1 -i "${srcdir}/0004-add-GRUB_COLOR_variables.patch"
echo echo
msg "Patch to allow GRUB to mount ext2/3/4 filesystems that have the encryption feature"
patch -Np1 -i "${srcdir}/0005-Allow_GRUB_to_mount_ext234_filesystems_that_have_the_encryption_feature.patch"
echo
msg "Fix DejaVuSans.ttf location so that grub-mkfont can create *.pf2 files for starfield theme" msg "Fix DejaVuSans.ttf location so that grub-mkfont can create *.pf2 files for starfield theme"
sed 's|/usr/share/fonts/dejavu|/usr/share/fonts/dejavu /usr/share/fonts/TTF|g' -i "configure.ac" sed 's|/usr/share/fonts/dejavu|/usr/share/fonts/dejavu /usr/share/fonts/TTF|g' -i "configure.ac"