Change grub hdd numbering #3256
Conversation
|
I'm currently wating for test results. I already have a version where all formating/printfs are cleaned up just did not wanted to push it in case I still need it. But please look at this now and consider all possible consequences of this fix |
pkg/grub/Dockerfile
Outdated
| fi | ||
|
|
||
| WORKDIR /grub | ||
|
|
||
| RUN (./bootstrap --gnulib-srcdir=/gnulib || ./autogen.sh) |
There was a problem hiding this comment.
I think you don't need to spawn a sub shell in a single RUN command, in other words, you can remove those ()
| #include <grub/efi/efi.h> | ||
| #include <grub/efi/disk.h> | ||
|
|
||
| +#define DEBUG_NAMES 1 |
There was a problem hiding this comment.
I think you forgot to remove this enforcement (for debug purposes) or it was intentional? Also, this could not be replaced by some GRUB's debug mechanism, like grub_dprintf()?
There was a problem hiding this comment.
this is why it is marked WIP. I have fixed all these small issues with formating/extra printf but have not pushed. I'm waiting fo test results from CS
Do they have to be identical? Then I don't understand how we can deploy this fix. We don't have a robust way to update stage1. |
mikem-zed
force-pushed
the
mikem/grub-hdd-numbering
branch
from
3a669eb to
8cbd089
Compare
There was a problem hiding this comment.
I see a comment from @rene which hasn't been addressed/responded to.
From the description is it clear that we can do this in stage2 independently of what stage1 does?
With an old stage1 don't we still have an issue that some PCRs change whether or not a USB drive is connected due to measurements from stage1 grub?
when grub queries for available disks it doesn't take into account that the disk can be removable e.g. USB stick. The disk can appear in front of regular HDDs and the numbering will be different e.g. hd0 become hd1 when the USB stick is plugged in. It is not a problem for GRUB to find a correct partition in this case and the system can be booted just fine. However every command from grub.cfg is measured into PCR8 while being executed and HDD names appear in those commands e.g. 'set root=(hd2,gpt5)'. If any key is sealed into TPM using PCR8 then that key cannot be unsealed when a random USB stick is inserted (or removed if it was inserted when the key was sealed) the original issue should not affect PC BIOS case because USB devices are usually emulated as either CD or floppy drives and have their unique numbering Signed-off-by: Mikhail Malyshev <mikem@zededa.com>
When a cloned ./grub repository exists in the pkg/grub it is taken instead of tar file. autogen.sh must be run in this case and gawk util is required Signed-off-by: Mikhail Malyshev <mikem@zededa.com>
mikem-zed
force-pushed
the
mikem/grub-hdd-numbering
branch
from
8cbd089 to
79f3e5f
Compare
when grub queries for available disks it doesn't take into account that
the disk can be removable e.g. USB stick. The disk can appear in front of regular
HDDs and the numbering will be different e.g. hd0 become hd1 when the
USB stick is plugged in. It is not a problem for GRUB to find a correct
partition in this case and the system can be booted just fine. However
every command from grub.cfg is measured into PCR8 while being executed
and HDD names appear in those commands e.g. 'set root=(hd2,gpt5)'. If
any key is sealed into TPM using PCR8 then that key cannot be unsealed when a
random USB stick is inserted (or removed if it was inserted when the key
was sealed)
the original issue should not affect PC BIOS case because USB devices
are usually emulated as either CD or floppy drives and have their unique
numbering
Risk assessment:
so there is no ricks of bricking a device with this fix.