upgpkg: 2:2.02-2
Allow GRUB to mount ext2/3/4 filesystems that have the encryption feature (FS#51879)
This commit is contained in:
parent
133361bf63
commit
9187376271
@ -0,0 +1,140 @@
|
|||||||
|
From 734668238fcc0ef691a080839e04f33854fa133a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Eric Biggers <ebiggers@google.com>
|
||||||
|
Date: Thu, 29 Jun 2017 13:27:49 +0000
|
||||||
|
Subject: Allow GRUB to mount ext2/3/4 filesystems that have the encryption
|
||||||
|
feature.
|
||||||
|
|
||||||
|
On such a filesystem, inodes may have EXT4_ENCRYPT_FLAG set.
|
||||||
|
For a regular file, this means its contents are encrypted; for a
|
||||||
|
directory, this means the filenames in its directory entries are
|
||||||
|
encrypted; and for a symlink, this means its target is encrypted. Since
|
||||||
|
GRUB cannot decrypt encrypted contents or filenames, just issue an error
|
||||||
|
if it would need to do so. This is sufficient to allow unencrypted boot
|
||||||
|
files to co-exist with encrypted files elsewhere on the filesystem.
|
||||||
|
|
||||||
|
(Note that encrypted regular files and symlinks will not normally be
|
||||||
|
encountered outside an encrypted directory; however, it's possible via
|
||||||
|
hard links, so they still need to be handled.)
|
||||||
|
|
||||||
|
Tested by booting from an ext4 /boot partition on which I had run
|
||||||
|
'tune2fs -O encrypt'. I also verified that the expected error messages
|
||||||
|
are printed when trying to access encrypted directories, files, and
|
||||||
|
symlinks from the GRUB command line. Also ran 'sudo ./grub-fs-tester
|
||||||
|
ext4_encrypt'; note that this requires e2fsprogs v1.43+ and Linux v4.1+.
|
||||||
|
|
||||||
|
Signed-off-by: Eric Biggers <ebiggers@google.com>
|
||||||
|
---
|
||||||
|
grub-core/fs/ext2.c | 23 ++++++++++++++++++++++-
|
||||||
|
tests/ext234_test.in | 1 +
|
||||||
|
tests/util/grub-fs-tester.in | 10 ++++++++++
|
||||||
|
3 files changed, 33 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/grub-core/fs/ext2.c b/grub-core/fs/ext2.c
|
||||||
|
index cdce63b..b8ad75a 100644
|
||||||
|
--- a/grub-core/fs/ext2.c
|
||||||
|
+++ b/grub-core/fs/ext2.c
|
||||||
|
@@ -102,6 +102,7 @@ GRUB_MOD_LICENSE ("GPLv3+");
|
||||||
|
#define EXT4_FEATURE_INCOMPAT_64BIT 0x0080
|
||||||
|
#define EXT4_FEATURE_INCOMPAT_MMP 0x0100
|
||||||
|
#define EXT4_FEATURE_INCOMPAT_FLEX_BG 0x0200
|
||||||
|
+#define EXT4_FEATURE_INCOMPAT_ENCRYPT 0x10000
|
||||||
|
|
||||||
|
/* The set of back-incompatible features this driver DOES support. Add (OR)
|
||||||
|
* flags here as the related features are implemented into the driver. */
|
||||||
|
@@ -109,7 +110,8 @@ GRUB_MOD_LICENSE ("GPLv3+");
|
||||||
|
| EXT4_FEATURE_INCOMPAT_EXTENTS \
|
||||||
|
| EXT4_FEATURE_INCOMPAT_FLEX_BG \
|
||||||
|
| EXT2_FEATURE_INCOMPAT_META_BG \
|
||||||
|
- | EXT4_FEATURE_INCOMPAT_64BIT)
|
||||||
|
+ | EXT4_FEATURE_INCOMPAT_64BIT \
|
||||||
|
+ | EXT4_FEATURE_INCOMPAT_ENCRYPT)
|
||||||
|
/* List of rationales for the ignored "incompatible" features:
|
||||||
|
* needs_recovery: Not really back-incompatible - was added as such to forbid
|
||||||
|
* ext2 drivers from mounting an ext3 volume with a dirty
|
||||||
|
@@ -138,6 +140,7 @@ GRUB_MOD_LICENSE ("GPLv3+");
|
||||||
|
#define EXT3_JOURNAL_FLAG_DELETED 4
|
||||||
|
#define EXT3_JOURNAL_FLAG_LAST_TAG 8
|
||||||
|
|
||||||
|
+#define EXT4_ENCRYPT_FLAG 0x800
|
||||||
|
#define EXT4_EXTENTS_FLAG 0x80000
|
||||||
|
|
||||||
|
/* The ext2 superblock. */
|
||||||
|
@@ -706,6 +709,12 @@ grub_ext2_read_symlink (grub_fshelp_node_t node)
|
||||||
|
grub_ext2_read_inode (diro->data, diro->ino, &diro->inode);
|
||||||
|
if (grub_errno)
|
||||||
|
return 0;
|
||||||
|
+
|
||||||
|
+ if (diro->inode.flags & grub_cpu_to_le32_compile_time (EXT4_ENCRYPT_FLAG))
|
||||||
|
+ {
|
||||||
|
+ grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET, "symlink is encrypted");
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
symlink = grub_malloc (grub_le_to_cpu32 (diro->inode.size) + 1);
|
||||||
|
@@ -749,6 +758,12 @@ grub_ext2_iterate_dir (grub_fshelp_node_t dir,
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (diro->inode.flags & grub_cpu_to_le32_compile_time (EXT4_ENCRYPT_FLAG))
|
||||||
|
+ {
|
||||||
|
+ grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET, "directory is encrypted");
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/* Search the file. */
|
||||||
|
while (fpos < grub_le_to_cpu32 (diro->inode.size))
|
||||||
|
{
|
||||||
|
@@ -859,6 +874,12 @@ grub_ext2_open (struct grub_file *file, const char *name)
|
||||||
|
goto fail;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (fdiro->inode.flags & grub_cpu_to_le32_compile_time (EXT4_ENCRYPT_FLAG))
|
||||||
|
+ {
|
||||||
|
+ err = grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET, "file is encrypted");
|
||||||
|
+ goto fail;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
grub_memcpy (data->inode, &fdiro->inode, sizeof (struct grub_ext2_inode));
|
||||||
|
grub_free (fdiro);
|
||||||
|
|
||||||
|
diff --git a/tests/ext234_test.in b/tests/ext234_test.in
|
||||||
|
index 892b99c..4f1eb52 100644
|
||||||
|
--- a/tests/ext234_test.in
|
||||||
|
+++ b/tests/ext234_test.in
|
||||||
|
@@ -30,3 +30,4 @@ fi
|
||||||
|
"@builddir@/grub-fs-tester" ext3
|
||||||
|
"@builddir@/grub-fs-tester" ext4
|
||||||
|
"@builddir@/grub-fs-tester" ext4_metabg
|
||||||
|
+"@builddir@/grub-fs-tester" ext4_encrypt
|
||||||
|
diff --git a/tests/util/grub-fs-tester.in b/tests/util/grub-fs-tester.in
|
||||||
|
index 88cbe73..fd7e0f1 100644
|
||||||
|
--- a/tests/util/grub-fs-tester.in
|
||||||
|
+++ b/tests/util/grub-fs-tester.in
|
||||||
|
@@ -156,6 +156,12 @@ for LOGSECSIZE in $(range "$MINLOGSECSIZE" "$MAXLOGSECSIZE" 1); do
|
||||||
|
# Could go further but what's the point?
|
||||||
|
MAXBLKSIZE=$((65536*1024))
|
||||||
|
;;
|
||||||
|
+ xext4_encrypt)
|
||||||
|
+ # OS LIMITATION: Linux currently only allows the 'encrypt' feature
|
||||||
|
+ # in combination with block_size = PAGE_SIZE (4096 bytes on x86).
|
||||||
|
+ MINBLKSIZE=$(getconf PAGE_SIZE)
|
||||||
|
+ MAXBLKSIZE=$MINBLKSIZE
|
||||||
|
+ ;;
|
||||||
|
xext*)
|
||||||
|
MINBLKSIZE=1024
|
||||||
|
if [ $MINBLKSIZE -lt $SECSIZE ]; then
|
||||||
|
@@ -796,6 +802,10 @@ for LOGSECSIZE in $(range "$MINLOGSECSIZE" "$MAXLOGSECSIZE" 1); do
|
||||||
|
MKE2FS_DEVICE_SECTSIZE=$SECSIZE "mkfs.ext4" -O meta_bg,^resize_inode -b $BLKSIZE -L "$FSLABEL" -q "${MOUNTDEVICE}"
|
||||||
|
MOUNTFS=ext4
|
||||||
|
;;
|
||||||
|
+ xext4_encrypt)
|
||||||
|
+ MKE2FS_DEVICE_SECTSIZE=$SECSIZE "mkfs.ext4" -O encrypt -b $BLKSIZE -L "$FSLABEL" -q "${MOUNTDEVICE}"
|
||||||
|
+ MOUNTFS=ext4
|
||||||
|
+ ;;
|
||||||
|
xext*)
|
||||||
|
MKE2FS_DEVICE_SECTSIZE=$SECSIZE "mkfs.$fs" -b $BLKSIZE -L "$FSLABEL" -q "${MOUNTDEVICE}" ;;
|
||||||
|
xxfs)
|
||||||
|
--
|
||||||
|
cgit v1.0-41-gc330
|
||||||
|
|
8
PKGBUILD
8
PKGBUILD
@ -22,7 +22,7 @@ _UNIFONT_VER="9.0.06"
|
|||||||
pkgname="grub"
|
pkgname="grub"
|
||||||
pkgdesc="GNU GRand Unified Bootloader (2)"
|
pkgdesc="GNU GRand Unified Bootloader (2)"
|
||||||
pkgver=2.02
|
pkgver=2.02
|
||||||
pkgrel=1
|
pkgrel=2
|
||||||
epoch=2
|
epoch=2
|
||||||
url="https://www.gnu.org/software/grub/"
|
url="https://www.gnu.org/software/grub/"
|
||||||
arch=('x86_64' 'i686')
|
arch=('x86_64' 'i686')
|
||||||
@ -63,6 +63,7 @@ source=("https://ftp.gnu.org/gnu/${pkgname}/${pkgname}-${pkgver}.tar.xz"{,.sig}
|
|||||||
'0002-intel-ucode.patch'
|
'0002-intel-ucode.patch'
|
||||||
'0003-10_linux-detect-archlinux-initramfs.patch'
|
'0003-10_linux-detect-archlinux-initramfs.patch'
|
||||||
'0004-add-GRUB_COLOR_variables.patch'
|
'0004-add-GRUB_COLOR_variables.patch'
|
||||||
|
'0005-Allow_GRUB_to_mount_ext234_filesystems_that_have_the_encryption_feature.patch'
|
||||||
'grub.default'
|
'grub.default'
|
||||||
'grub.cfg')
|
'grub.cfg')
|
||||||
|
|
||||||
@ -74,6 +75,7 @@ sha256sums=('810b3798d316394f94096ec2797909dbf23c858e48f7b3830826b8daa06b7b0f'
|
|||||||
'37adb95049f6cdcbdbf60ed6b6440c5be99a4cd307a0f96c3c3837b6c2e07f3c'
|
'37adb95049f6cdcbdbf60ed6b6440c5be99a4cd307a0f96c3c3837b6c2e07f3c'
|
||||||
'b41e4438319136b5e74e0abdfcb64ae115393e4e15207490272c425f54026dd3'
|
'b41e4438319136b5e74e0abdfcb64ae115393e4e15207490272c425f54026dd3'
|
||||||
'a5198267ceb04dceb6d2ea7800281a42b3f91fd02da55d2cc9ea20d47273ca29'
|
'a5198267ceb04dceb6d2ea7800281a42b3f91fd02da55d2cc9ea20d47273ca29'
|
||||||
|
'535422c510a050d41efe7720dbe54de29e04bdb8f86fd5aea5feb0b24f7abe46'
|
||||||
'df764fbd876947dea973017f95371e53833bf878458140b09f0b70d900235676'
|
'df764fbd876947dea973017f95371e53833bf878458140b09f0b70d900235676'
|
||||||
'c5e4f3836130c6885e9273c21f057263eba53f4b7c0e2f111f6e5f2e487a47ad')
|
'c5e4f3836130c6885e9273c21f057263eba53f4b7c0e2f111f6e5f2e487a47ad')
|
||||||
|
|
||||||
@ -93,6 +95,10 @@ prepare() {
|
|||||||
patch -Np1 -i "${srcdir}/0004-add-GRUB_COLOR_variables.patch"
|
patch -Np1 -i "${srcdir}/0004-add-GRUB_COLOR_variables.patch"
|
||||||
echo
|
echo
|
||||||
|
|
||||||
|
msg "Patch to allow GRUB to mount ext2/3/4 filesystems that have the encryption feature"
|
||||||
|
patch -Np1 -i "${srcdir}/0005-Allow_GRUB_to_mount_ext234_filesystems_that_have_the_encryption_feature.patch"
|
||||||
|
echo
|
||||||
|
|
||||||
msg "Fix DejaVuSans.ttf location so that grub-mkfont can create *.pf2 files for starfield theme"
|
msg "Fix DejaVuSans.ttf location so that grub-mkfont can create *.pf2 files for starfield theme"
|
||||||
sed 's|/usr/share/fonts/dejavu|/usr/share/fonts/dejavu /usr/share/fonts/TTF|g' -i "configure.ac"
|
sed 's|/usr/share/fonts/dejavu|/usr/share/fonts/dejavu /usr/share/fonts/TTF|g' -i "configure.ac"
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user