diff -Nru grub2-unsigned-2.12/debian/build-efi-images grub2-unsigned-2.12/debian/build-efi-images
--- grub2-unsigned-2.12/debian/build-efi-images 2024-02-26 10:40:26.000000000 +0000
+++ grub2-unsigned-2.12/debian/build-efi-images 2024-04-04 10:11:57.000000000 +0000
@@ -33,6 +33,12 @@
 sbat_csv="$7"
 efi_vendor="${8:-$(dpkg-vendor --query vendor | tr '[:upper:]' '[:lower:]')}"
 
+# make sure downstreams didn't mess up sbat.csv
+if ! grep -q ^grub.peimage $sbat_csv; then
+ echo Missing sbat entry for "grub.peimage" >&2
+ exit 1
+fi
+
 # mkfs.msdos may not be on the default PATH.
 export PATH="$PATH:/sbin:/usr/sbin"
 
diff -Nru grub2-unsigned-2.12/debian/changelog grub2-unsigned-2.12/debian/changelog
--- grub2-unsigned-2.12/debian/changelog 2024-03-08 17:02:05.000000000 +0000
+++ grub2-unsigned-2.12/debian/changelog 2024-04-04 10:12:35.000000000 +0000
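Review bot: The new guard in debian/build-efi-images only proves that some line starts with text resembling `grub.peimage`; it never looks at the SBAT generation, so a downstream sbat.csv that keeps the entry below the `grub.peimage,2` this upload ships still passes the build. The pattern is also unquoted and open on the right (`.` matches any character and there is no trailing comma), and `$sbat_csv` is unquoted, so a path containing spaces breaks the test. I would tighten it to `if ! grep -qE '^grub\.peimage,[0-9]+,' "$sbat_csv"; then` and, if the build is meant to enforce the revocation level, compare the second field against the minimum generation as well.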
@@ -1,13 +1,28 @@ -grub2-unsigned (2.12-1ubuntu5) noble; urgency=medium +grub2-unsigned (2.12-1ubuntu7) noble; urgency=medium * d/p/grub-sort-version.patch: Also patch grub-mkconfig to export GRUB_FLAVOUR_ORDER * d/grub-sort-version: Update regex to correctly match kernel flavour * d/grub-sort-version: Append `-0` to abi strings before passing to python-apt (Fixes LP: #2041827) * debian/: Add tests for grub-sort-version - * Revert peimage to re-use GRUB's image handle - * SBAT bump to "grub.peimage,2" (LP: #2054127) + * Revert peimage to re-use GRUB's image handle (LP: #2057679) (LP: #2054127) + * Increase SBAT level to "grub.ubuntu,2" and "grub.peimage,2" + * d/build-efi-images: Make sure downstream didn't remove peimage SBAT entry + * SECURITY UPDATE: Use-after-free in peimage module [LP: #2054127] + - CVE-2024-2312 - -- Mate Kukri Fri, 08 Mar 2024 17:02:05 +0000 + -- Mate Kukri Thu, 04 Apr 2024 11:12:35 +0100 + +grub2 (2.12-1ubuntu6) noble; urgency=medium + + * No-change rebuild for CVE-2024-3094 + + -- Steve Langasek Sun, 31 Mar 2024 08:54:41 +0000 + +grub2 (2.12-1ubuntu5) noble; urgency=medium + + * No-change rebuild for libefivar1t64 on riscv64. + + -- Steve Langasek Thu, 07 Mar 2024 09:18:17 +0000 grub2 (2.12-1ubuntu4) noble; urgency=medium diff -Nru grub2-unsigned-2.12/debian/control grub2-unsigned-2.12/debian/control --- grub2-unsigned-2.12/debian/control 2024-03-08 17:02:05.000000000 +0000 +++ grub2-unsigned-2.12/debian/control 2024-04-04 10:12:35.000000000 +0000 
@@ -7,6 +7,7 @@ Build-Depends: debhelper-compat (= 13), patchutils, python3, + python3-apt, python3-pytest, flex, bison, diff -Nru grub2-unsigned-2.12/debian/patches/secure-boot/efi-use-peimage-shim.patch grub2-unsigned-2.12/debian/patches/secure-boot/efi-use-peimage-shim.patch --- grub2-unsigned-2.12/debian/patches/secure-boot/efi-use-peimage-shim.patch 2024-03-08 16:58:17.000000000 +0000 +++ grub2-unsigned-2.12/debian/patches/secure-boot/efi-use-peimage-shim.patch 2024-04-04 10:11:57.000000000 +0000 @@ -30,9 +30,9 @@ Signed-off-by: Julian Andres Klode --- grub-core/Makefile.core.def | 12 + - grub-core/loader/efi/peimage.c | 809 +++++++++++++++++++++++++++++++++++++++++ + grub-core/loader/efi/peimage.c | 824 +++++++++++++++++++++++++++++++++++++++++ include/grub/efi/peimage.h | 19 + - 3 files changed, 840 insertions(+) + 3 files changed, 855 insertions(+) create mode 100644 grub-core/loader/efi/peimage.c create mode 100644 include/grub/efi/peimage.h @@ -61,10 +61,10 @@ efi = loader/efi/fdt.c; diff --git a/grub-core/loader/efi/peimage.c b/grub-core/loader/efi/peimage.c new file mode 100644 -index 0000000..d811325 +index 0000000..d3a5e31 --- /dev/null +++ b/grub-core/loader/efi/peimage.c -@@ -0,0 +1,809 @@ +@@ -0,0 +1,824 @@ +/* peimage.c - load EFI PE binaries (for Secure Boot support) */ + +// SPDX-License-Identifier: GPL-3.0+ @@ -100,7 +100,8 @@ + void *alloc_addr; + grub_uint32_t alloc_pages; + void *image_addr; -+ grub_efi_entry_point __grub_efi_api entry_point; ++ grub_efi_status_t (__grub_efi_api *entry_point) ( ++ grub_efi_handle_t image_handle, grub_efi_system_table_t *system_table); +}; + +static struct 
@@ -109,15 +110,16 @@ + grub_efi_handle_t image_handle; + grub_efi_status_t exit_status; + grub_efi_status_t (__grub_efi_api *exit) (grub_efi_handle_t image_handle, -+ grub_efi_status_t exit_status, -+ grub_efi_uintn_t exit_data_size, -+ grub_efi_char16_t *exit_data); ++ grub_efi_status_t exit_status, ++ grub_efi_uintn_t exit_data_size, ++ grub_efi_char16_t *exit_data); +} started_image; + ++ +static grub_uint16_t machines[] = { +#if defined(__x86_64__) + GRUB_PE32_MACHINE_X86_64, -+#elif defined(__i386__) || defined(__i486__) || defined(__i686__) ++#elif defined(__i386__) + GRUB_PE32_MACHINE_I386, +#elif defined(__aarch64__) + GRUB_PE32_MACHINE_ARM64, @@ -133,8 +135,8 @@ +/** + * check_machine_type() - check if the machine type matches the architecture + * -+ * @machine: the value of the Machine field of the COFF file header. -+ * Return: status code ++ * @machine: the value of the Machine field of the COFF file header. ++ * Return: status code + */ +static grub_efi_status_t +check_machine_type (grub_uint16_t machine) @@ -142,7 +144,7 @@ + for (grub_size_t i = 0; i < sizeof (machines) / sizeof (*machines); ++i) + { + if (machine == machines[i]) -+ return GRUB_EFI_SUCCESS; ++ return GRUB_EFI_SUCCESS; + } + + return GRUB_EFI_LOAD_ERROR; 
@@ -151,49 +153,51 @@ +/** + * check_pe_header() - check the headers of a PE-COFF image + * -+ * @info: information about the image ++ * @info: information about the image + */ +static grub_efi_status_t +check_pe_header (struct image_info *info) +{ -+ struct grub_dos_stub *dos_stub = info->data; ++ struct grub_msdos_image_header *dos_stub = info->data; + void *pe_magic; + struct grub_pe32_coff_header *coff_header; + struct grub_pe32_optional_header *pe32_header; + struct grub_pe64_optional_header *pe64_header; + -+ if (info->data_size < sizeof (struct grub_dos_stub)) ++ if (info->data_size < sizeof (struct grub_msdos_image_header)) + { + grub_error (GRUB_ERR_BAD_OS, "truncated image"); + return GRUB_EFI_LOAD_ERROR; + } -+ if (dos_stub->magic != GRUB_PE32_MAGIC) ++ if (dos_stub->msdos_magic != GRUB_PE32_MAGIC) + { + grub_error (GRUB_ERR_BAD_OS, "not a PE-COFF file"); + return GRUB_EFI_UNSUPPORTED; + } -+ if (info->data_size < dos_stub->pe_addr + sizeof (GRUB_PE_MAGIC) -+ + sizeof (struct grub_pe32_coff_header) -+ + sizeof (struct grub_pe64_optional_header)) ++ if (info->data_size < dos_stub->pe_image_header_offset ++ + GRUB_PE32_SIGNATURE_SIZE ++ + sizeof (struct grub_pe32_coff_header) ++ + sizeof (struct grub_pe64_optional_header)) + { + grub_error (GRUB_ERR_BAD_OS, "truncated image"); + return GRUB_EFI_LOAD_ERROR; + } -+ pe_magic = (void *)((unsigned long)info->data + dos_stub->pe_addr); -+ if (grub_memcmp (pe_magic, GRUB_PE_MAGIC, sizeof (GRUB_PE_MAGIC))) ++ pe_magic ++ = (void *)((unsigned long)info->data + dos_stub->pe_image_header_offset); ++ if (grub_memcmp (pe_magic, GRUB_PE32_SIGNATURE, GRUB_PE32_SIGNATURE_SIZE)) + { + grub_error (GRUB_ERR_BAD_OS, "not a PE-COFF file"); + return GRUB_EFI_LOAD_ERROR; + } + -+ coff_header = (void *)((unsigned long)pe_magic + sizeof (GRUB_PE_MAGIC)); ++ coff_header = (void *)((unsigned long)pe_magic + GRUB_PE32_SIGNATURE_SIZE); + info->machine = coff_header->machine; + info->num_sections = coff_header->num_sections; + + if 
(check_machine_type (info->machine) != GRUB_EFI_SUCCESS) + { + grub_error (GRUB_ERR_BAD_OS, "wrong machine type %u", -+ coff_header->machine); ++ coff_header->machine); + return GRUB_EFI_LOAD_ERROR; + } + 
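Review bot: The truncation check in check_pe_header adds the file-supplied `dos_stub->pe_image_header_offset` to the fixed header sizes before comparing with `info->data_size`; on the 32-bit targets listed in `machines[]` that sum can presumably wrap (the field's width is declared outside this hunk), after which `pe_magic` is computed from the same offset and read by `grub_memcmp`. Comparing by subtraction avoids the wrap: compute the fixed part once and test `if (info->data_size < fixed || dos_stub->pe_image_header_offset > info->data_size - fixed)`. The pointer arithmetic through `unsigned long` would also read better with `grub_addr_t`. The function body continues past the end of this hunk.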
@@ -203,46 +207,56 @@ + switch (pe32_header->magic) + { + case GRUB_PE32_PE32_MAGIC: ++ if (pe32_header->subsystem != GRUB_PE32_SUBSYSTEM_EFI_APPLICATION) ++ { ++ grub_error (GRUB_ERR_BAD_OS, "expected EFI application"); ++ return GRUB_EFI_LOAD_ERROR; ++ } + info->section_alignment = pe32_header->section_alignment; + info->image_base = pe32_header->image_base; + info->image_size = pe32_header->image_size; + info->entry_point = (void *)(unsigned long)pe32_header->entry_addr; + info->header_size = pe32_header->header_size; + if (info->data_size < info->header_size) -+ { -+ grub_error (GRUB_ERR_BAD_OS, "truncated image"); -+ return GRUB_EFI_LOAD_ERROR; -+ } ++ { ++ grub_error (GRUB_ERR_BAD_OS, "truncated image"); ++ return GRUB_EFI_LOAD_ERROR; ++ } + + if (pe32_header->num_data_directories >= 6 -+ && pe32_header->base_relocation_table.size) -+ info->reloc = &pe32_header->base_relocation_table; ++ && pe32_header->base_relocation_table.size) ++ info->reloc = &pe32_header->base_relocation_table; + + info->section -+ = (void *)((unsigned long)&pe32_header->export_table -+ + pe32_header->num_data_directories -+ * sizeof (struct grub_pe32_data_directory)); ++ = (void *)((unsigned long)&pe32_header->export_table ++ + pe32_header->num_data_directories ++ * sizeof (struct grub_pe32_data_directory)); + break; + case GRUB_PE32_PE64_MAGIC: ++ if (pe64_header->subsystem != GRUB_PE32_SUBSYSTEM_EFI_APPLICATION) ++ { ++ grub_error (GRUB_ERR_BAD_OS, "expected EFI application"); ++ return GRUB_EFI_LOAD_ERROR; ++ } + info->section_alignment = pe64_header->section_alignment; + info->image_base = pe64_header->image_base; + info->image_size = pe64_header->image_size; + info->entry_point = (void *)(unsigned long)pe64_header->entry_addr; + info->header_size = pe64_header->header_size; + if (info->data_size < info->header_size) -+ { -+ grub_error (GRUB_ERR_BAD_OS, "truncated image"); -+ return GRUB_EFI_LOAD_ERROR; -+ } ++ { ++ grub_error (GRUB_ERR_BAD_OS, "truncated image"); ++ return 
GRUB_EFI_LOAD_ERROR; ++ } + + if (pe64_header->num_data_directories >= 6 -+ && pe64_header->base_relocation_table.size) -+ info->reloc = &pe64_header->base_relocation_table; ++ && pe64_header->base_relocation_table.size) ++ info->reloc = &pe64_header->base_relocation_table; + + info->section -+ = (void *)((unsigned long)&pe64_header->export_table -+ + pe64_header->num_data_directories -+ * sizeof (struct grub_pe32_data_directory)); ++ = (void *)((unsigned long)&pe64_header->export_table ++ + pe64_header->num_data_directories ++ * sizeof (struct grub_pe32_data_directory)); + break; + default: + grub_error (GRUB_ERR_BAD_OS, "not a PE-COFF file"); @@ -250,7 +264,7 @@ + } + + if ((unsigned long)info->section -+ + info->num_sections * sizeof (*info->section) ++ + info->num_sections * sizeof (*info->section) + > (unsigned long)info->data + info->data_size) + { + grub_error (GRUB_ERR_BAD_OS, "truncated image"); @@ -267,7 +281,7 @@ + * + * Allocate fresh memory and copy the image sections there. + * -+ * @info: image information ++ * @info: image information + */ +static grub_efi_status_t +load_sections (struct image_info *info) @@ -285,8 +299,7 @@ + if (info->section_alignment > align_mask) + align_mask = info->section_alignment - 1; + -+ info->alloc_pages -+ = GRUB_EFI_BYTES_TO_PAGES (info->image_size + (align_mask & ~0xfffUL)); ++ info->alloc_pages = GRUB_EFI_BYTES_TO_PAGES (info->image_size + (align_mask & ~0xfffUL)); + + info->alloc_addr = grub_efi_allocate_pages_real ( + GRUB_EFI_MAX_USABLE_ADDRESS, info->alloc_pages, 
@@ -302,33 +315,33 @@ + section < &info->section[info->num_sections]; ++section) + { + if (section->virtual_address < info->header_size -+ || section->raw_data_offset < info->header_size) -+ { -+ grub_error (GRUB_ERR_BAD_OS, "section inside header"); -+ return GRUB_EFI_LOAD_ERROR; -+ } ++ || (section->raw_data_size ++ && section->raw_data_offset < info->header_size)) ++ { ++ grub_error (GRUB_ERR_BAD_OS, "section inside header"); ++ return GRUB_EFI_LOAD_ERROR; ++ } + if (section->raw_data_offset + section->raw_data_size > info->data_size) -+ { -+ grub_error (GRUB_ERR_BAD_OS, "truncated image"); -+ return GRUB_EFI_LOAD_ERROR; -+ } ++ { ++ grub_error (GRUB_ERR_BAD_OS, "truncated image"); ++ return GRUB_EFI_LOAD_ERROR; ++ } + if (section->virtual_address + section->virtual_size > info->image_size) -+ { -+ grub_error (GRUB_ERR_BAD_OS, "section outside image"); -+ return GRUB_EFI_LOAD_ERROR; -+ } ++ { ++ grub_error (GRUB_ERR_BAD_OS, "section outside image"); ++ return GRUB_EFI_LOAD_ERROR; ++ } + -+ grub_memset ( -+ (void *)((unsigned long)info->image_addr + section->virtual_address), -+ 0, section->virtual_size); ++ grub_memset ((void *)((unsigned long)info->image_addr + section->virtual_address), ++ 0, section->virtual_size); + grub_memcpy ( -+ (void *)((unsigned long)info->image_addr + section->virtual_address), -+ (void *)((unsigned long)info->data + section->raw_data_offset), -+ section->raw_data_size); ++ (void *)((unsigned long)info->image_addr + section->virtual_address), ++ (void *)((unsigned long)info->data + section->raw_data_offset), ++ section->raw_data_size); + } + + info->entry_point = (void *)((unsigned long)info->entry_point -+ + (unsigned long)info->image_addr); ++ + (unsigned long)info->image_addr); + + grub_dprintf ("linux", "sections loaded\n"); + 
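Review bot: The per-section bounds checks in load_sections add two file-controlled fields before comparing (`raw_data_offset + raw_data_size` and `virtual_address + virtual_size`), so if those fields are 32-bit, as in the PE section header, each sum can wrap and pass the test. The `grub_memcpy` also copies `raw_data_size` bytes to the section's virtual address while only `virtual_size` was checked against `info->image_size`, so a section whose raw size exceeds its virtual size is not bounded by the allocation. Both checks should be written by subtraction and the copy length limited to the smaller of the two sizes, as sketched below. The loop and the function begin and end outside this hunk.

```c
      /* … unchanged: "section inside header" check … */
      if (section->raw_data_size > info->data_size
          || section->raw_data_offset
             > info->data_size - section->raw_data_size)
        {
          grub_error (GRUB_ERR_BAD_OS, "truncated image");
          return GRUB_EFI_LOAD_ERROR;
        }
      if (section->virtual_size > info->image_size
          || section->virtual_address
             > info->image_size - section->virtual_size)
        {
          grub_error (GRUB_ERR_BAD_OS, "section outside image");
          return GRUB_EFI_LOAD_ERROR;
        }

      /* … unchanged: grub_memset of virtual_size bytes … */

      /* Never copy more file data than the section occupies in memory. */
      grub_uint32_t copy_size = section->raw_data_size;
      if (copy_size > section->virtual_size)
        copy_size = section->virtual_size;
      grub_memcpy (
          (void *)((unsigned long)info->image_addr + section->virtual_address),
          (void *)((unsigned long)info->data + section->raw_data_offset),
          copy_size);
```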
@@ -346,8 +359,8 @@ + * | imm[11:0] | rs1 |fun3 | rd | opcode | + * +-----------------------+---------+-----+---------+-------------+ + * -+ * @instr: pointer to instruction -+ * Return: immediate value ++ * @instr: pointer to instruction ++ * Return: immediate value + */ +static grub_uint16_t +lo12i_get (grub_uint32_t *instr) @@ -366,8 +379,8 @@ + * | imm[11:0] | rs1 |fun3 | rd | opcode | + * +-----------------------+---------+-----+---------+-------------+ + * -+ * @instr: pointer to instruction -+ * @imm: immediate value ++ * @instr: pointer to instruction ++ * @imm: immediate value + */ +static void +lo12i_set (grub_uint32_t *instr, grub_uint32_t imm) @@ -386,8 +399,8 @@ + * | imm[31:12] | rd | opcode | + * +---------------------------------------+---------+-------------+ + * -+ * @instr: pointer to instruction -+ * Return: immediate value ++ * @instr: pointer to instruction ++ * Return: immediate value + */ +static grub_uint16_t +hi20_get (grub_uint32_t *instr) @@ -406,8 +419,8 @@ + * | imm[31:12] | rd | opcode | + * +---------------------------------------+---------+-------------+ + * -+ * @instr: pointer to instruction -+ * @imm: immediate value ++ * @instr: pointer to instruction ++ * @imm: immediate value + */ +static void +hi20_set (grub_uint32_t *instr, grub_uint32_t imm) @@ -426,8 +439,8 @@ + * | imm[11:5] | rs2 | rs1 |fun3 |imm[4:0] | opcode | + * +-------------+---------+---------+-----+----+----+-------------+ + * -+ * @instr: pointer to instruction -+ * Return: immediate value ++ * @instr: pointer to instruction ++ * Return: immediate value + */ +static grub_uint16_t +lo12s_get (grub_uint32_t *instr) 
@@ -446,14 +459,14 @@ + * | imm[11:5] | rs2 | rs1 |fun3 |imm[4:0] | opcode | + * +-------------+---------+---------+-----+----+----+-------------+ + * -+ * @instr: pointer to instruction -+ * @imm: immediate value ++ * @instr: pointer to instruction ++ * @imm: immediate value + */ +static void +lo12s_set (grub_uint32_t *instr, grub_uint32_t imm) +{ + *instr = (*instr & 0x01fff07f) | (imm & 0x00000fe0 << 20) -+ | (imm & 0x0000001f << 7); ++ | (imm & 0x0000001f << 7); +} + +/** @@ -475,15 +488,15 @@ + * |1 1 1 1 0|i|1 0 0 1 0 0| imm4 |0| imm3| Rd | imm8 | + * +---------+-+-----------+-------+-+-----+-------+---------------+ + * -+ * @instr: pointer to instruction -+ * Return: immediate value ++ * @instr: pointer to instruction ++ * Return: immediate value + */ +static grub_uint16_t +movw_get_imm (grub_uint16_t *instr) +{ + /* imm16 = imm4:i:imm3:imm8; */ + return (instr[1] & 0x00ff) | ((instr[1] & 0x7000) >> 3) -+ | ((instr[0] & 0x0400) >> 8) | ((instr[0] & 0x000f) << 12); ++ | ((instr[0] & 0x0400) >> 8) | ((instr[0] & 0x000f) << 12); +} + +/** @@ -505,8 +518,8 @@ + * |1 1 1 1 0|i|1 0 0 1 0 0| imm4 |0| imm3| Rd | imm8 | + * +---------+-+-----------+-------+-+-----+-------+---------------+ + * -+ * @instr: pointer to instruction -+ * @imm immediate value ++ * @instr: pointer to instruction ++ * @imm immediate value + */ +static void +movw_set_imm (grub_uint16_t *instr, grub_uint16_t imm) @@ -519,7 +532,7 @@ +/** + * relocate() - apply relocations to the image + * -+ * @info: information about the loaded image ++ * @info: information about the loaded image + */ +static grub_efi_status_t +relocate (struct image_info *info) 
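Review bot: The re-indented expression in lo12s_set still has a precedence problem: `<<` binds tighter than `&`, so `imm & 0x00000fe0 << 20` masks `imm` with the shifted constant instead of moving the masked bits into the imm[11:5] field, and the same applies to the `<< 7` term. Going by the instruction layout drawn in the comment above it, the statement should read `*instr = (*instr & 0x01fff07f) | ((imm & 0x00000fe0) << 20) | ((imm & 0x0000001f) << 7);`. This hunk only changes whitespace, so the bug predates it, but the RISC-V LOW12S case in relocate() depends on this helper to patch instructions correctly.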
@@ -556,103 +569,103 @@ + { + reloc_entry = block->entries; + grub_uint16_t *block_end -+ = (void *)((unsigned long)block + block->block_size); ++ = (void *)((unsigned long)block + block->block_size); + + for (; reloc_entry < block_end; ++reloc_entry) -+ { -+ void *addr = (void *)((unsigned long)info->image_addr -+ + block->page_rva + (*reloc_entry & 0xfff)); -+ -+ reloc_type = *reloc_entry >> 12; -+ -+ switch (reloc_type) -+ { -+ case GRUB_PE32_REL_BASED_ABSOLUTE: -+ /* skip */ -+ break; -+ case GRUB_PE32_REL_BASED_HIGH: -+ *(grub_uint16_t *)addr += offset >> 16; -+ break; -+ case GRUB_PE32_REL_BASED_LOW: -+ *(grub_uint16_t *)addr += offset; -+ break; -+ case GRUB_PE32_REL_BASED_HIGHLOW: -+ *(grub_uint32_t *)addr += offset; -+ break; -+ case GRUB_PE32_REL_BASED_RISCV_HI20: -+ switch (info->machine) -+ { -+ case GRUB_PE32_MACHINE_RISCV32: -+ case GRUB_PE32_MACHINE_RISCV64: -+ rvhi20_addr = addr; -+ break; -+ default: -+ goto bad_reloc; -+ } -+ break; -+ case GRUB_PE32_REL_BASED_ARM_MOV32T: -+ /* = GRUB_PE32_REL_BASED_RISCV_LOW12I */ -+ switch (info->machine) -+ { -+ case GRUB_PE32_MACHINE_ARMTHUMB_MIXED: -+ { -+ grub_uint16_t *instr = addr; -+ grub_uint32_t val; -+ -+ val = movw_get_imm (&instr[0]) -+ + (movw_get_imm (&instr[2]) << 16) + offset; -+ movw_set_imm (&instr[0], val); -+ movw_set_imm (&instr[2], val >> 16); -+ break; -+ } -+ case GRUB_PE32_MACHINE_RISCV32: -+ case GRUB_PE32_MACHINE_RISCV64: -+ if (rvhi20_addr) -+ { -+ grub_uint32_t val -+ = hi20_get (rvhi20_addr) + lo12i_get (addr) + offset; -+ hi20_set (rvhi20_addr, val); -+ lo12i_set (addr, val); -+ rvhi20_addr = NULL; -+ } -+ else -+ { -+ goto bad_reloc; -+ } -+ break; -+ default: -+ goto bad_reloc; -+ } -+ break; -+ case GRUB_PE32_REL_BASED_RISCV_LOW12S: -+ switch (info->machine) -+ { -+ case GRUB_PE32_MACHINE_RISCV32: -+ case GRUB_PE32_MACHINE_RISCV64: -+ if (rvhi20_addr) -+ { -+ grub_uint32_t val -+ = hi20_get (rvhi20_addr) + lo12s_get (addr) + offset; -+ hi20_set (rvhi20_addr, val); -+ lo12s_set 
(addr, val); -+ rvhi20_addr = NULL; -+ } -+ else -+ { -+ goto bad_reloc; -+ } -+ break; -+ default: -+ goto bad_reloc; -+ } -+ break; -+ case GRUB_PE32_REL_BASED_DIR64: -+ *(grub_uint64_t *)addr += offset; -+ break; -+ default: -+ goto bad_reloc; -+ } -+ } ++ { ++ void *addr = (void *)((unsigned long)info->image_addr ++ + block->page_rva + (*reloc_entry & 0xfff)); ++ ++ reloc_type = *reloc_entry >> 12; ++ ++ switch (reloc_type) ++ { ++ case GRUB_PE32_REL_BASED_ABSOLUTE: ++ /* skip */ ++ break; ++ case GRUB_PE32_REL_BASED_HIGH: ++ *(grub_uint16_t *)addr += offset >> 16; ++ break; ++ case GRUB_PE32_REL_BASED_LOW: ++ *(grub_uint16_t *)addr += offset; ++ break; ++ case GRUB_PE32_REL_BASED_HIGHLOW: ++ *(grub_uint32_t *)addr += offset; ++ break; ++ case GRUB_PE32_REL_BASED_RISCV_HI20: ++ switch (info->machine) ++ { ++ case GRUB_PE32_MACHINE_RISCV32: ++ case GRUB_PE32_MACHINE_RISCV64: ++ rvhi20_addr = addr; ++ break; ++ default: ++ goto bad_reloc; ++ } ++ break; ++ case GRUB_PE32_REL_BASED_ARM_MOV32T: ++ /* = GRUB_PE32_REL_BASED_RISCV_LOW12I */ ++ switch (info->machine) ++ { ++ case GRUB_PE32_MACHINE_ARMTHUMB_MIXED: ++ { ++ grub_uint16_t *instr = addr; ++ grub_uint32_t val; ++ ++ val = movw_get_imm (&instr[0]) ++ + (movw_get_imm (&instr[2]) << 16) + offset; ++ movw_set_imm (&instr[0], val); ++ movw_set_imm (&instr[2], val >> 16); ++ break; ++ } ++ case GRUB_PE32_MACHINE_RISCV32: ++ case GRUB_PE32_MACHINE_RISCV64: ++ if (rvhi20_addr) ++ { ++ grub_uint32_t val ++ = hi20_get (rvhi20_addr) + lo12i_get (addr) + offset; ++ hi20_set (rvhi20_addr, val); ++ lo12i_set (addr, val); ++ rvhi20_addr = NULL; ++ } ++ else ++ { ++ goto bad_reloc; ++ } ++ break; ++ default: ++ goto bad_reloc; ++ } ++ break; ++ case GRUB_PE32_REL_BASED_RISCV_LOW12S: ++ switch (info->machine) ++ { ++ case GRUB_PE32_MACHINE_RISCV32: ++ case GRUB_PE32_MACHINE_RISCV64: ++ if (rvhi20_addr) ++ { ++ grub_uint32_t val ++ = hi20_get (rvhi20_addr) + lo12s_get (addr) + offset; ++ hi20_set (rvhi20_addr, val); ++ 
lo12s_set (addr, val); ++ rvhi20_addr = NULL; ++ } ++ else ++ { ++ goto bad_reloc; ++ } ++ break; ++ default: ++ goto bad_reloc; ++ } ++ break; ++ case GRUB_PE32_REL_BASED_DIR64: ++ *(grub_uint64_t *)addr += offset; ++ break; ++ default: ++ goto bad_reloc; ++ } ++ } + } + + grub_dprintf ("linux", "image relocated\n"); @@ -661,8 +674,8 @@ + +bad_reloc: + grub_error (GRUB_ERR_BAD_OS, "unsupported relocation type %d, rva 0x%08lx\n", -+ *reloc_entry >> 12, -+ (unsigned long)reloc_entry - (unsigned long)info->image_addr); ++ *reloc_entry >> 12, ++ (unsigned long)reloc_entry - (unsigned long)info->image_addr); + return GRUB_EFI_LOAD_ERROR; +} + @@ -680,7 +693,7 @@ + */ +static grub_efi_status_t __grub_efi_api +efi_exit (grub_efi_handle_t image_handle, grub_efi_status_t exit_status, -+ grub_efi_uintn_t exit_data_size, grub_efi_char16_t *exit_data) ++ grub_efi_uintn_t exit_data_size, grub_efi_char16_t *exit_data) +{ + grub_efi_system_table->boot_services->exit = started_image.exit; + @@ -691,7 +704,7 @@ + { + grub_dprintf ("linux", "delegating Exit()\n"); + return started_image.exit (image_handle, exit_status, exit_data_size, -+ (grub_efi_char16_t *)exit_data); ++ (grub_efi_char16_t *)exit_data); + } + + started_image.exit_status = exit_status; @@ -699,14 +712,14 @@ + if (exit_status != GRUB_EFI_SUCCESS) + { + grub_printf ("Application failed, r = %d\n", -+ (int)exit_status & 0x7fffffff); ++ (int)exit_status & 0x7fffffff); + if (exit_data_size && exit_data) + { -+ grub_printf ("exit message: "); -+ for (grub_efi_uintn_t pos = 0; -+ exit_data[pos] && pos < exit_data_size / 2; ++pos) -+ grub_printf ("%C", exit_data[pos]); -+ grub_printf ("\n"); ++ grub_printf ("exit message: "); ++ for (grub_efi_uintn_t pos = 0; ++ exit_data[pos] && pos < exit_data_size / 2; ++pos) ++ grub_printf ("%C", exit_data[pos]); ++ grub_printf ("\n"); + } + } + if (exit_data_size && exit_data) 
@@ -717,6 +730,9 @@ + grub_longjmp (started_image.jmp, 1); +} + ++static grub_efi_status_t __grub_efi_api ++do_unload_image (grub_efi_handle_t image_handle); ++ +/** + * start_image() - our implementation of StartImage() + * @@ -748,7 +764,7 @@ + while (loaded_image->file_path && + (loaded_image->file_path->type != GRUB_EFI_MEDIA_DEVICE_PATH_TYPE + || loaded_image->file_path->subtype != GRUB_EFI_FILE_PATH_DEVICE_PATH_SUBTYPE)) -+ loaded_image->file_path = GRUB_EFI_NEXT_DEVICE_PATH (file_path); ++ loaded_image->file_path = GRUB_EFI_NEXT_DEVICE_PATH (loaded_image->file_path); + } + else + { @@ -758,8 +774,8 @@ + ret = grub_setjmp (started_image.jmp); + if (ret) + { ++ do_unload_image(started_image.image_handle); + started_image.image_handle = NULL; -+ + return started_image.exit_status; + } + @@ -775,8 +791,7 @@ + /* Invalidate the instruction cache */ + grub_arch_sync_caches (info->image_addr, info->image_size); + -+ status -+ = info->entry_point (started_image.image_handle, grub_efi_system_table); ++ status = info->entry_point (started_image.image_handle, grub_efi_system_table); + + grub_dprintf ("linux", "Application returned\n"); + @@ -786,7 +801,7 @@ +static struct image_info info; + +/* TODO: move the creation of the load options here */ -+static grub_efi_status_t ++static grub_efi_status_t __grub_efi_api +do_load_image (grub_efi_boolean_t boot_policy __attribute__ ((unused)), + grub_efi_handle_t parent_image_handle __attribute__ ((unused)), + grub_efi_device_path_t *file_path, @@ -826,10 +841,10 @@ + return ret; +} + -+static grub_efi_status_t ++static grub_efi_status_t __grub_efi_api +do_start_image (grub_efi_handle_t image_handle __attribute__ ((unused)), -+ grub_efi_uintn_t *exit_data_size __attribute__ ((unused)), -+ grub_efi_char16_t **exit_data __attribute__ ((unused))) ++ grub_efi_uintn_t *exit_data_size __attribute__ ((unused)), ++ grub_efi_char16_t **exit_data __attribute__ ((unused))) +{ + if (info.data == NULL) + { 
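Review bot: The cleanup added to the `grub_setjmp` return path in start_image calls `do_unload_image(started_image.image_handle)`, but do_unload_image marks its argument unused and works on the file-scope `info`, whereas start_image works on its `info` parameter; the two agree only because do_start_image passes `&info`. A short comment at the call would make that dependency explicit, for example `/* Exit() skipped the normal return path: release the image held in the global info before reporting its status */`. The return status of do_unload_image is dropped, and the call lacks the space before the parenthesis used elsewhere in the file (`do_unload_image (started_image.image_handle);`). Whether the normal return after `info->entry_point (...)` releases the image the same way is outside the visible hunks and worth confirming.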
@@ -839,7 +854,7 @@ + return start_image (&info); +} + -+static grub_efi_status_t ++static grub_efi_status_t __grub_efi_api +do_unload_image (grub_efi_handle_t image_handle __attribute__ ((unused))) +{ + if (info.data == NULL) diff -Nru grub2-unsigned-2.12/debian/sbat.ubuntu.csv.in grub2-unsigned-2.12/debian/sbat.ubuntu.csv.in --- grub2-unsigned-2.12/debian/sbat.ubuntu.csv.in 2024-03-08 16:59:09.000000000 +0000 +++ grub2-unsigned-2.12/debian/sbat.ubuntu.csv.in 2024-04-04 10:11:57.000000000 +0000 @@ -1,4 +1,4 @@ sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md grub,4,Free Software Foundation,grub,@UPSTREAM_VERSION@,https://www.gnu.org/software/grub/ -grub.ubuntu,1,Ubuntu,grub2,@DEB_VERSION@,https://www.ubuntu.com/ +grub.ubuntu,2,Ubuntu,grub2,@DEB_VERSION@,https://www.ubuntu.com/ grub.peimage,2,Canonical,grub2,@DEB_VERSION@,https://salsa.debian.org/grub-team/grub/-/blob/master/debian/patches/secure-boot/efi-use-peimage-shim.patch