synchronize some patches

grub.patches

@@ -353,3 +353,6 @@ Patch0352: backport-0079-efi-tpm-Fix-typo-in-grub_efi_tpm2_protocol-struct.patch
 Patch0353: backport-0080-misc-Add-parentheses-around-ALIGN_UP-and-ALIGN_DOWN-.patch
 Patch0354: backport-0081-verifiers-Fix-calling-uninitialized-function-pointer.patch
 Patch0355: backport-templates-Fix-bad-test-on-GRUB_DISABLE_SUBMENU.patch
+Patch0356: grub2-set-password-prompts-to-enter-the-current-pass.patch
+Patch0357: support-TPM2.0.patch
+Patch0358: use-default-timestamp.patch

grub2-set-password-prompts-to-enter-the-current-pass.patch

@@ -0,0 +1,302 @@
+From 5099013778b2433a4dee3ae5e4826d8add1c1fb7 Mon Sep 17 00:00:00 2001
+From: liuxin <liuxin264@huawei.com>
+Date: Thu, 2 Sep 2021 17:30:39 +0800
+Subject: [PATCH] grub2-set-password prompts to enter the current password and
+ add the password complexity check
+
+---
+ util/grub-mkpasswd-pbkdf2.c |  95 +++++++++++++++++++++++++++++-
+ util/grub-set-password.in   | 114 ++++++++++++++++++++++++++++++++++++
+ 2 files changed, 207 insertions(+), 2 deletions(-)
+
+diff --git a/util/grub-mkpasswd-pbkdf2.c b/util/grub-mkpasswd-pbkdf2.c
+index 5805f3c..68c2032 100644
+--- a/util/grub-mkpasswd-pbkdf2.c
++++ b/util/grub-mkpasswd-pbkdf2.c
+@@ -42,10 +42,14 @@
+ 
+ #include "progname.h"
+ 
++#define GRUB_PARAM_ERROR 1
++#define GRUB_PARAM_SUCCESS 0
++
+ static struct argp_option options[] = {
+   {"iteration-count",  'c', N_("NUM"), 0, N_("Number of PBKDF2 iterations"), 0},
+   {"buflen",  'l', N_("NUM"), 0, N_("Length of generated hash"), 0},
+   {"salt",  's', N_("NUM"), 0, N_("Length of salt"), 0},
++  {"salt arg",  'a', N_("VARCHAR"), 0, N_("preset salt var(hex code)"), 0},
+   { 0, 0, 0, 0, 0, 0 }
+ };
+ 
+@@ -54,8 +58,45 @@ struct arguments
+   unsigned int count;
+   unsigned int buflen;
+   unsigned int saltlen;
++  char * salt;
+ };
+ 
++static int illegal_char(char t)
++{
++  int illegal = GRUB_PARAM_ERROR;
++  char legal[] = "0123456789ABCDEF";
++  for (int i = 0; i < grub_strlen(legal); ++i) {
++    if (t == legal[i]) {
++      illegal = GRUB_PARAM_SUCCESS;
++      break;
++    }
++  }
++  return illegal;
++}
++
++static int check_salt_verify(const char * arg)
++{
++  grub_size_t len = grub_strlen(arg);
++  if (len <= 0 || len >= GRUB_SIZE_MAX)
++  {
++    fprintf(stderr, "salt length may be empty or too long!\n");
++    return GRUB_PARAM_ERROR;
++  }
++  if (len % 2 != 0)
++  {
++    fprintf(stderr, "the salt value length is an even number!\n");
++    return GRUB_PARAM_ERROR;
++  }
++  for (int i = 0; i < len; ++i)
++  {
++    if (illegal_char(arg[i]))
++    {
++      return GRUB_PARAM_ERROR;
++    }
++  }
++  return GRUB_PARAM_SUCCESS;
++}
++
+ static error_t
+ argp_parser (int key, char *arg, struct argp_state *state)
+ {
+@@ -76,6 +117,16 @@ argp_parser (int key, char *arg, struct argp_state *state)
+     case 's':
+       arguments->saltlen = strtoul (arg, NULL, 0);
+       break;
++
++    case 'a':
++      if (check_salt_verify(arg))
++      {
++        fprintf(stderr, "only hexadecimal numbers consisting of digits and uppercase letters are supported\n");
++        return ARGP_ERR_UNKNOWN;
++      }
++      arguments->saltlen = grub_strlen(arg) / 2;
++      arguments->salt = arg;
++      break;
+     default:
+       return ARGP_ERR_UNKNOWN;
+     }
+@@ -110,13 +161,44 @@ hexify (char *hex, grub_uint8_t *bin, grub_size_t n)
+   *hex = 0;
+ }
+ 
++static void
++hextobyte(const char *hex, grub_uint8_t *bin, grub_size_t n)
++{
++    while(n)
++    {
++        grub_uint8_t tmp = 0x00;
++        if (((*hex) <= '9') && ((*hex) >= '0'))
++        {
++            tmp += (grub_uint8_t)((*hex) - '0') << 4 & 0xf0;
++        }
++        else
++        {
++            tmp += (grub_uint8_t)((*hex) - 'A' + 10) << 4 & 0xf0;
++        }
++        hex++;
++        if (((*hex) <= '9') && ((*hex) >= '0'))
++        {
++            tmp += (grub_uint8_t)((*hex) - '0') & 0x0f;
++        }
++        else
++        {
++            tmp += (grub_uint8_t)((*hex) - 'A' + 10) & 0x0f;
++        }
++        *bin = tmp;
++        bin++;
++        hex++;
++        n -= 2;
++    }
++}
++
+ int
+ main (int argc, char *argv[])
+ {
+   struct arguments arguments = {
+     .count = 10000,
+     .buflen = 64,
+-    .saltlen = 64
++    .saltlen = 64,
++    .salt = NULL
+   };
+   char *result, *ptr;
+   gcry_err_code_t gcry_err;
+@@ -133,6 +215,12 @@ main (int argc, char *argv[])
+       exit(1);
+     }
+ 
++  if (arguments.salt != NULL && grub_strlen(arguments.salt) != 2 * arguments.saltlen)
++  {
++    fprintf(stderr, "%s", _("If the -a parameter is set, don't set the -s parameter again\n"));
++    exit(1);
++  }
++
+   buf = xmalloc (arguments.buflen);
+   salt = xmalloc (arguments.saltlen);
+   
+@@ -161,7 +249,10 @@ main (int argc, char *argv[])
+     }
+   memset (pass2, 0, sizeof (pass2));
+ 
+-  if (grub_get_random (salt, arguments.saltlen))
++  if (arguments.salt != NULL)
++  {
++    hextobyte(arguments.salt, salt, arguments.saltlen * 2);
++  } else if (grub_get_random (salt, arguments.saltlen))
+     {
+       memset (pass1, 0, sizeof (pass1));
+       free (buf);
+diff --git a/util/grub-set-password.in b/util/grub-set-password.in
+index 487fbb1..3d0be26 100644
+--- a/util/grub-set-password.in
++++ b/util/grub-set-password.in
+@@ -87,16 +87,130 @@ fixtty() {
+ }
+ 
+ trap fixtty EXIT
++
++getsaltpass() {
++	local P0
++	local P1
++	P0="$1" && shift
++	P1="$1" && shift
++	P2="$1" && shift
++
++	( echo ${P0} ; echo ${P1} ) | \
++    	LC_ALL=C ${grub_mkpasswd} -a ${P2} | \
++    	grep -v '[eE]nter password:' | \
++    	sed -e "s/PBKDF2 hash of your password is //"
++}
++
++verifyusercfgoldpasswd() {
++    # get old password salt
++    expectsalt=`cat ${grubdir}/user.cfg | cut -d "." -f 5`
++    # get expect password
++    expectpass=`cat ${grubdir}/user.cfg`
++    prefix="GRUB2_PASSWORD="
++
++    stty -echo
++    echo -n "Enter Current password: "
++    read PASSWORD_CURRENT
++    echo
++
++    needcheckpass="${prefix}$(getsaltpass "${PASSWORD_CURRENT}" "${PASSWORD_CURRENT}" "${expectsalt}")"
++    if [ "$expectpass" != "$needcheckpass" ]; then
++        echo "Authentication failed"
++        exit 1
++    fi
++
++    stty ${ttyopt}
++}
++
++verifygrubcfgoldpasswd() {
++    # get old password line
++    expectpass=`cat ${grubdir}/grub.cfg | grep "password_pbkdf2 root grub.pbkdf2.sha512" | cut -d " " -f 3`
++    # if not get password, try a quotation mark match
++    if [ -z "$expectpass" ];then
++        expectpass=`cat ${grubdir}/grub.cfg | grep "password_pbkdf2 root \"grub.pbkdf2.sha512" | cut -d " " -f 3 | cut -d "\"" -f 2`
++    fi
++    if [ -z "$expectpass" ];then
++        expectpass=`cat ${grubdir}/grub.cfg | grep "password_pbkdf2 root 'grub.pbkdf2.sha512" | cut -d " " -f 3 | cut -d "'" -f 2`
++    fi
++    if [ -n "$expectpass" ];then
++        # get old password salt
++        expectsalt=`echo ${expectpass} | cut -d "." -f 5`
++        stty -echo
++        echo -n "Enter Current password: "
++        read PASSWORD_CURRENT
++        echo
++
++        needcheckpass="$(getsaltpass "${PASSWORD_CURRENT}" "${PASSWORD_CURRENT}" "${expectsalt}")"
++        if [ "$expectpass" != "$needcheckpass" ]; then
++            echo "Authentication failed"
++            exit 1
++        fi
++    fi
++
++}
++
++if [ -e ${grubdir}/user.cfg ];then
++    verifyusercfgoldpasswd
++else
++    verifygrubcfgoldpasswd
++fi
++
++checkcomplexity() {
++    set +e
++    USERNAME=`cat ${grubdir}/grub.cfg | grep "set superusers=" | cut -d "\"" -f 2 |tail -1`
++    local P1="$1" && shift
++    if [ "$P1" = "$USERNAME" ];then
++        echo "The password contains the user name in some form"
++        exit 1
++    fi
++    # password len >= 8
++    strlen=`echo "$P1" | grep -E '^(.{8,}).*$'`
++    if [ -z "$strlen" ];then
++        echo "The password is shorter than 8 characters"
++        exit 1
++    fi
++    # lowercase
++    strlow=`echo "$P1" | grep -E --color '^(.*[a-z]+).*$'`
++    # uppercase
++    strupp=`echo $P1 | grep -E --color '^(.*[A-Z]).*$'`
++    # special character
++    strts=`echo $P1 | grep -E --color '^(.*\W).*$'`
++    # num
++    strnum=`echo $P1 | grep -E --color '^(.*[0-9]).*$'`
++    complexity=0
++    if [ -n "$strlow" ];then
++        complexity=`expr $complexity + 1`
++    fi
++    if [ -n "$strupp" ];then
++        complexity=`expr $complexity + 1`
++    fi
++    if [ -n "$strts" ];then
++        complexity=`expr $complexity + 1`
++    fi
++    if [ -n "$strnum" ];then
++        complexity=`expr $complexity + 1`
++    fi
++    if [ $complexity -lt 3 ];then
++        echo "The password contains less than 3 character classes"
++        exit 1
++    fi
++    set -e
++}
++
+ stty -echo
+ 
+ # prompt & confirm new grub2 root user password
+ echo -n "Enter password: "
+ read PASSWORD
+ echo
++stty ${ttyopt}
++checkcomplexity $PASSWORD
++stty -echo
+ echo -n "Confirm password: "
+ read PASSWORD_CONFIRM
+ echo
+ stty ${ttyopt}
++checkcomplexity $PASSWORD_CONFIRM
+ 
+ getpass() {
+     local P0
+-- 
+2.23.0
+

grub2.spec

@@ -8,7 +8,7 @@
 Name:		grub2
 Epoch:		1
 Version:	2.04
-Release:	21
+Release:	22
 Summary:	Bootloader with support for Linux, Multiboot and more
 License:	GPLv3+
 URL:		http://www.gnu.org/software/grub/
@@ -451,6 +451,14 @@ rm -r /boot/grub2.tmp/ || :
 %{_datadir}/man/man*
 
 %changelog
+* Fri Nov 26 2021 xihaochen<xihaochen@huawei.com> - 2.04-22
+- Type:bugfix
+- ID:NA
+- SUG:NA
+  DESC:grub2 set password prompts to enter the current pass
+       support TPM2.0
+       use default timestamp
+
 * Tue Nov 16 2021 fengtao <fengtao40@huawei.com> - 2.04-21
 - Type:bugfix
 - ID:NA

support-TPM2.0.patch

@@ -0,0 +1,96 @@
+From c4c243d19d77cab3591f0272c8e36619ccbbddf3 Mon Sep 17 00:00:00 2001
+From: gaoyusong <gaoyusong1@huawei.com>
+Date: Thu, 13 May 2021 18:34:23 +0800
+Subject: [PATCH] support TPM2.0
+
+---
+ grub-core/kern/verifiers.c | 25 +++++++++++++++++++------
+ grub-core/script/execute.c | 12 +++++++++++-
+ 2 files changed, 30 insertions(+), 7 deletions(-)
+
+diff --git a/grub-core/kern/verifiers.c b/grub-core/kern/verifiers.c
+index aa3dc7c..dfd73e5 100644
+--- a/grub-core/kern/verifiers.c
++++ b/grub-core/kern/verifiers.c
+@@ -84,9 +84,16 @@ grub_verifiers_open (grub_file_t io, enum grub_file_type type)
+   grub_file_t ret = 0;
+   grub_err_t err;
+   int defer = 0;
++  int grub_env_flag = 0;
++  char *ptr = NULL;
+ 
+   grub_dprintf ("verify", "file: %s type: %d\n", io->name, type);
+ 
++  ptr = grub_strstr(io->name, "grubenv");
++  if (ptr) {
++    grub_env_flag = 1;
++  }
++
+   if ((type & GRUB_FILE_TYPE_MASK) == GRUB_FILE_TYPE_SIGNATURE
+       || (type & GRUB_FILE_TYPE_MASK) == GRUB_FILE_TYPE_VERIFY_SIGNATURE
+       || (type & GRUB_FILE_TYPE_SKIP_SIGNATURE))
+@@ -148,6 +155,8 @@ grub_verifiers_open (grub_file_t io, enum grub_file_type type)
+   verified->buf = grub_malloc (ret->size);
+   if (!verified->buf)
+     {
++      grub_error (GRUB_ERR_OUT_OF_MEMORY,
++            "cannot allocate verified buffer, the %s is too large\n", io->name);
+       goto fail;
+     }
+   if (grub_file_read (io, verified->buf, ret->size) != (grub_ssize_t) ret->size)
+@@ -158,9 +167,11 @@ grub_verifiers_open (grub_file_t io, enum grub_file_type type)
+       goto fail;
+     }
+ 
+-  err = ver->write (context, verified->buf, ret->size);
+-  if (err)
+-    goto fail;
++  if (!grub_env_flag) {
++    err = ver->write (context, verified->buf, ret->size);
++    if (err)
++      goto fail;
++  }
+ 
+   err = ver->fini ? ver->fini (context) : GRUB_ERR_NONE;
+   if (err)
+@@ -179,9 +190,11 @@ grub_verifiers_open (grub_file_t io, enum grub_file_type type)
+ 	  /* Verification done earlier. So, we are happy here. */
+ 	  flags & GRUB_VERIFY_FLAGS_DEFER_AUTH)
+ 	continue;
+-      err = ver->write (context, verified->buf, ret->size);
+-      if (err)
+-	goto fail;
++      if (!grub_env_flag) {
++        err = ver->write (context, verified->buf, ret->size);
++        if (err)
++          goto fail;
++      }
+ 
+       err = ver->fini ? ver->fini (context) : GRUB_ERR_NONE;
+       if (err)
+diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c
+index 0c6dd9c..3e761c4 100644
+--- a/grub-core/script/execute.c
++++ b/grub-core/script/execute.c
+@@ -1002,7 +1002,17 @@ grub_script_execute_cmdline (struct grub_script_cmd *cmd)
+ 			       argv.args[i]);
+     }
+   cmdstring[cmdlen - 1] = '\0';
+-  grub_verify_string (cmdstring, GRUB_VERIFY_COMMAND);
++
++  if (grub_strncmp(cmdstring, "[ 0 = 1 ]", 9) == 0) {
++    char res_str[] = "[  = 1 ]";
++    grub_verify_string (res_str, GRUB_VERIFY_COMMAND);
++  } else if (grub_strncmp(cmdstring, "[ 0 = 1 -o  = 1 ]", 17) == 0) {
++    char res_str[] = "[  = 1 -o  = 1 ]";
++    grub_verify_string (res_str, GRUB_VERIFY_COMMAND);
++  } else {
++    grub_verify_string (cmdstring, GRUB_VERIFY_COMMAND);
++  }
++
+   grub_free (cmdstring);
+   invert = 0;
+   argc = argv.argc - 1;
+-- 
+2.19.1
+

use-default-timestamp.patch

@@ -0,0 +1,57 @@
+From 8922ea771163655f1d5dc8da589a6291976ae489 Mon Sep 17 00:00:00 2001
+From: zhouyihang <zhouyihang3@huawei.com>
+Date: Thu, 10 Jun 2021 20:01:54 +0800
+Subject: [PATCH] huawei use default timestamp
+
+---
+ docs/grub-dev.texi | 4 ++--
+ docs/grub.texi     | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/docs/grub-dev.texi b/docs/grub-dev.texi
+index f488e82..355764a 100644
+--- a/docs/grub-dev.texi
++++ b/docs/grub-dev.texi
+@@ -18,7 +18,7 @@
+ 
+ @copying
+ This developer manual is for GNU GRUB (version @value{VERSION},
+-@value{UPDATED}).
++24 June 2019).
+ 
+ Copyright @copyright{} 1999,2000,2001,2002,2004,2005,2006,2008,2009,2010,2011 Free Software Foundation, Inc.
+ 
+@@ -40,7 +40,7 @@ Invariant Sections.
+ @titlepage
+ @sp 10
+ @title the GNU GRUB developer manual
+-@subtitle The GRand Unified Bootloader, version @value{VERSION}, @value{UPDATED}.
++@subtitle The GRand Unified Bootloader, version @value{VERSION}, 24 June 2019.
+ @author Yoshinori K. Okuji
+ @author Colin D Bennett
+ @author Vesa Jääskeläinen
+diff --git a/docs/grub.texi b/docs/grub.texi
+index 262388c..41c1a89 100644
+--- a/docs/grub.texi
++++ b/docs/grub.texi
+@@ -18,7 +18,7 @@
+ 
+ @copying
+ This manual is for GNU GRUB (version @value{VERSION},
+-@value{UPDATED}).
++24 June 2019).
+ 
+ Copyright @copyright{} 1999,2000,2001,2002,2004,2006,2008,2009,2010,2011,2012,2013 Free Software Foundation, Inc.
+ 
+@@ -48,7 +48,7 @@ Invariant Sections.
+ @titlepage
+ @sp 10
+ @title the GNU GRUB manual
+-@subtitle The GRand Unified Bootloader, version @value{VERSION}, @value{UPDATED}.
++@subtitle The GRand Unified Bootloader, version @value{VERSION}, 24 June 2019.
+ @author Gordon Matzigkeit
+ @author Yoshinori K. Okuji
+ @author Colin Watson
+-- 
+2.27.0
+