Comment 4 for bug 2034119

OpenStack Infra (hudson-openstack) wrote : Fix merged to integ (master)

Reviewed: https://review.opendev.org/c/starlingx/integ/+/894003
Committed: https://opendev.org/starlingx/integ/commit/8e6824ec91dec186f9c4a761dc7c191a4e8191ef
Submitter: "Zuul (22348)"
Branch: master

commit 8e6824ec91dec186f9c4a761dc7c191a4e8191ef
Author: Li Zhou <email address hidden>
Date: Tue Sep 5 14:55:38 2023 +0800

    grub2/grub-efi: fix CVE-2022-28736

    We add patches to fix CVEs for grub instead of upgrading because
    grub2/grub-efi is ported from yocto for secure boot bring-up.

    The patches for CVE-2022-28736 have conflicts with the patches for
    secure boot, so we refer to the links below to fix this CVE:
    (1) https://patchwork.yoctoproject.org/project/oe-core/patch/
    <email address hidden>/
    (2) https://github.com/jiazhang0/meta-secure-core/pull/257

    The special patches for grub-efi are from the meta-lat and
    meta-secure-core layers of yocto upstream, which are based on the
    patches for grub-efi in the oe-core layer (including CVE patches).
    We used to mix all the patches together. Now we will move the patches
    from meta-lat and meta-secure-core to the end of the patch-applying
    sequence, so that we can keep aligned with yocto upstream and make it
    easier to maintain the grub here.
    Since there are many patches involved here, we don't change the
    numbers in the patches' names, in case confusion is caused by
    renaming many files.

    The commits below are added for the CVE:
    <loader/efi/chainloader: Simplify the loader state>
    <commands/boot: Add API to pass context to loader>
    <loader/efi/chainloader: Use grub_loader_set_ex()>

    The patches below for secure boot are adapted for conflicts with the above:
    secure-core/0009 <efi: chainloader: port shim to grub>
    secure-core/0010 <efi: chainloader: use shim to load and verify an image>
    secure-core/0012 <efi: chainloader: take care of unload undershim>

    All of them are aligned with upstream, with no changes here.

    Test plan:
     - PASS: build grub2/grub-efi.
     - PASS: build-image and install and boot up on lab/qemu.
     - PASS: check that the "stx.N" version number is right for both
             BIOS (grub2 ver) and UEFI (grub-efi ver) boot.
     - PASS: the tests are done on lab with secure boot disabled and
             enabled.

    Closes-Bug: #2034119

    Signed-off-by: Li Zhou <email address hidden>
    Change-Id: I9a37cd8b804b238407f8ac6528f087a2eb0cf2de