From d7549b995a0185f3f5e42f90a77789c99c32ac3e Mon Sep 17 00:00:00 2001 From: hanliyang Date: Thu, 2 Jan 2025 09:36:13 +0000 Subject: [PATCH] [Feature]Hygon: Support use confidential computing provisioned secrets for disk decryption to #bug13129 The code of this functionality is cherry-picked from https://lists.gnu.org/archive/html/grub-devel/2020-12/msg00257.html. project: Signed-off-by: hanliyang --- ...the-password-getter-and-additional-a.patch | 173 ++++++++++++++ ...odisk-add-OS-provided-secret-support.patch | 206 +++++++++++++++++ ...retrieving-the-EFI-secret-for-crypto.patch | 217 ++++++++++++++++++ grub.patches | 3 + grub2.spec | 5 +- 5 files changed, 603 insertions(+), 1 deletion(-) create mode 100644 1003-cryptodisk-make-the-password-getter-and-additional-a.patch create mode 100644 1004-cryptodisk-add-OS-provided-secret-support.patch create mode 100644 1005-efi-Add-API-for-retrieving-the-EFI-secret-for-crypto.patch diff --git a/1003-cryptodisk-make-the-password-getter-and-additional-a.patch b/1003-cryptodisk-make-the-password-getter-and-additional-a.patch new file mode 100644 index 0000000..bf6e451 --- /dev/null +++ b/1003-cryptodisk-make-the-password-getter-and-additional-a.patch @@ -0,0 +1,173 @@ +From 6503036b4adfcb078dc33b23a61969d914f7449b Mon Sep 17 00:00:00 2001 +From: James Bottomley +Date: Thu, 31 Dec 2020 09:36:16 -0800 +Subject: [PATCH 1/3] cryptodisk: make the password getter and additional + argument to recover_key + +cherry-picked from https://lists.gnu.org/archive/html/grub-devel/2020-12/msg00258.html. + +For AMD SEV environments, the grub boot password has to be retrieved +from a given memory location rather than prompted for. This means +that the standard password getter needs to be replaced with one that +gets the passphrase from the SEV area and uses that instead. Adding +the password getter as a passed in argument to recover_key() makes +this possible. + +Signed-off-by: James Bottomley +--- + grub-core/disk/cryptodisk.c | 2 +- + grub-core/disk/geli.c | 12 +++++++----- + grub-core/disk/luks.c | 12 +++++++----- + grub-core/lib/crypto.c | 4 ++++ + grub-core/osdep/unix/password.c | 4 ++++ + grub-core/osdep/windows/password.c | 4 ++++ + include/grub/cryptodisk.h | 6 +++++- + 7 files changed, 32 insertions(+), 12 deletions(-) + +diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c +index 78a9025..133d36d 100644 +--- a/grub-core/disk/cryptodisk.c ++++ b/grub-core/disk/cryptodisk.c +@@ -839,7 +839,7 @@ grub_cryptodisk_scan_device_real (const char *name, grub_disk_t source) + if (!dev) + continue; + +- err = cr->recover_key (source, dev); ++ err = cr->recover_key (source, dev, grub_password_get); + if (err) + { + cryptodisk_close (dev); +diff --git a/grub-core/disk/geli.c b/grub-core/disk/geli.c +index e9d2329..ed43047 100644 +--- a/grub-core/disk/geli.c ++++ b/grub-core/disk/geli.c +@@ -398,7 +398,8 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, + } + + static grub_err_t +-recover_key (grub_disk_t source, grub_cryptodisk_t dev) ++recover_key (grub_disk_t source, grub_cryptodisk_t dev, ++ grub_passwd_cb *password_get) + { + grub_size_t keysize; + grub_uint8_t digest[GRUB_CRYPTO_MAX_MDLEN]; +@@ -438,11 +439,12 @@ recover_key (grub_disk_t source, grub_cryptodisk_t dev) + tmp = NULL; + if (source->partition) + tmp = grub_partition_get_name (source->partition); +- grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name, +- source->partition ? "," : "", tmp ? : "", +- dev->uuid); ++ if (password_get (NULL, 0)) ++ grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name, ++ source->partition ? "," : "", tmp ? : "", ++ dev->uuid); + grub_free (tmp); +- if (!grub_password_get (passphrase, MAX_PASSPHRASE)) ++ if (!password_get (passphrase, MAX_PASSPHRASE)) + return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied"); + + /* Calculate the PBKDF2 of the user supplied passphrase. */ +diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c +index 18b3a8b..037d20d 100644 +--- a/grub-core/disk/luks.c ++++ b/grub-core/disk/luks.c +@@ -309,7 +309,8 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, + + static grub_err_t + luks_recover_key (grub_disk_t source, +- grub_cryptodisk_t dev) ++ grub_cryptodisk_t dev, ++ grub_passwd_cb *password_get) + { + struct grub_luks_phdr header; + grub_size_t keysize; +@@ -344,11 +345,12 @@ luks_recover_key (grub_disk_t source, + tmp = NULL; + if (source->partition) + tmp = grub_partition_get_name (source->partition); +- grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name, +- source->partition ? "," : "", tmp ? : "", +- dev->uuid); ++ if (password_get (NULL, 0)) ++ grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name, ++ source->partition ? "," : "", tmp ? : "", ++ dev->uuid); + grub_free (tmp); +- if (!grub_password_get (passphrase, MAX_PASSPHRASE)) ++ if (!password_get (passphrase, MAX_PASSPHRASE)) + { + grub_free (split_key); + return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied"); +diff --git a/grub-core/lib/crypto.c b/grub-core/lib/crypto.c +index ff62fa3..07c4400 100644 +--- a/grub-core/lib/crypto.c ++++ b/grub-core/lib/crypto.c +@@ -460,6 +460,10 @@ grub_password_get (char buf[], unsigned buf_size) + unsigned cur_len = 0; + int key; + ++ if (!buf) ++ /* want prompt */ ++ return 1; ++ + while (1) + { + key = grub_getkey (); +diff --git a/grub-core/osdep/unix/password.c b/grub-core/osdep/unix/password.c +index 9996b24..365ac4b 100644 +--- a/grub-core/osdep/unix/password.c ++++ b/grub-core/osdep/unix/password.c +@@ -34,6 +34,10 @@ grub_password_get (char buf[], unsigned buf_size) + int tty_changed = 0; + char *ptr; + ++ if (!buf) ++ /* want prompt */ ++ return 1; ++ + grub_refresh (); + + /* Disable echoing. Based on glibc. */ +diff --git a/grub-core/osdep/windows/password.c b/grub-core/osdep/windows/password.c +index 1d3af0c..2a66156 100644 +--- a/grub-core/osdep/windows/password.c ++++ b/grub-core/osdep/windows/password.c +@@ -33,6 +33,10 @@ grub_password_get (char buf[], unsigned buf_size) + DWORD mode = 0; + char *ptr; + ++ if (!buf) ++ /* want prompt */ ++ return 1; ++ + grub_refresh (); + + GetConsoleMode (hStdin, &mode); +diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h +index 32f564a..33c86ad 100644 +--- a/include/grub/cryptodisk.h ++++ b/include/grub/cryptodisk.h +@@ -101,6 +101,9 @@ struct grub_cryptodisk + }; + typedef struct grub_cryptodisk *grub_cryptodisk_t; + ++/* must match prototype for grub_password_get */ ++typedef int (grub_passwd_cb)(char buf[], unsigned buf_size); ++ + struct grub_cryptodisk_dev + { + struct grub_cryptodisk_dev *next; +@@ -108,7 +111,8 @@ struct grub_cryptodisk_dev + + grub_cryptodisk_t (*scan) (grub_disk_t disk, const char *check_uuid, + int boot_only); +- grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev); ++ grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev, ++ grub_passwd_cb *get_passwd); + }; + typedef struct grub_cryptodisk_dev *grub_cryptodisk_dev_t; + +-- +2.43.5 + diff --git a/1004-cryptodisk-add-OS-provided-secret-support.patch b/1004-cryptodisk-add-OS-provided-secret-support.patch new file mode 100644 index 0000000..958a745 --- /dev/null +++ b/1004-cryptodisk-add-OS-provided-secret-support.patch @@ -0,0 +1,206 @@ +From a6d7988415f1ff7e3977b7e15aacaf1e7f854aac Mon Sep 17 00:00:00 2001 +From: James Bottomley +Date: Thu, 31 Dec 2020 09:36:17 -0800 +Subject: [PATCH 2/3] cryptodisk: add OS provided secret support + +cherry-picked from https://lists.gnu.org/archive/html/grub-devel/2020-12/msg00259.html. + +Make use of the new OS provided secrets API so that if the new '-s' +option is passed in we try to extract the secret from the API rather +than prompting for it. + +The primary consumer of this is AMD SEV, which has been programmed to +provide an injectable secret to the encrypted virtual machine. OVMF +provides the secret area and passes it into the EFI Configuration +Tables. The grub EFI layer pulls the secret out and primes the +secrets API with it. The upshot of all of this is that a SEV +protected VM can do an encrypted boot with a protected boot secret. + +Signed-off-by: James Bottomley +--- + grub-core/disk/cryptodisk.c | 77 +++++++++++++++++++++++++++++++++++-- + include/grub/cryptodisk.h | 14 +++++++ + 2 files changed, 87 insertions(+), 4 deletions(-) + +diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c +index 133d36d..d2b1617 100644 +--- a/grub-core/disk/cryptodisk.c ++++ b/grub-core/disk/cryptodisk.c +@@ -41,6 +41,7 @@ static const struct grub_arg_option options[] = + /* TRANSLATORS: It's still restricted to cryptodisks only. */ + {"all", 'a', 0, N_("Mount all."), 0, 0}, + {"boot", 'b', 0, N_("Mount all volumes with `boot' flag set."), 0, 0}, ++ {"secret", 's', 0, N_("Get secret passphrase from named module and optional identifier"), 0, 0}, + {0, 0, 0, 0, 0, 0} + }; + +@@ -809,6 +810,10 @@ grub_util_cryptodisk_get_uuid (grub_disk_t disk) + + static int check_boot, have_it; + static char *search_uuid; ++static char *os_passwd; ++ ++/* variable to hold the list of secret providers */ ++static struct grub_secret_entry *secret_providers; + + static void + cryptodisk_close (grub_cryptodisk_t dev) +@@ -819,6 +824,21 @@ cryptodisk_close (grub_cryptodisk_t dev) + grub_free (dev); + } + ++static int ++os_password_get(char buf[], unsigned len) ++{ ++ if (!buf) ++ /* we're not interactive so no prompt */ ++ return 0; ++ ++ /* os_passwd should be null terminated, so just copy everything */ ++ grub_strncpy(buf, os_passwd, len); ++ /* and add a terminator just in case */ ++ buf[len - 1] = 0; ++ ++ return 1; ++} ++ + static grub_err_t + grub_cryptodisk_scan_device_real (const char *name, grub_disk_t source) + { +@@ -838,8 +858,17 @@ grub_cryptodisk_scan_device_real (const char *name, grub_disk_t source) + return grub_errno; + if (!dev) + continue; +- +- err = cr->recover_key (source, dev, grub_password_get); ++ ++ if (os_passwd) ++ { ++ err = cr->recover_key (source, dev, os_password_get); ++ if (err) ++ /* if the key doesn't work ignore the access denied error */ ++ grub_error_pop(); ++ } ++ else ++ err = cr->recover_key (source, dev, grub_password_get); ++ + if (err) + { + cryptodisk_close (dev); +@@ -855,6 +884,18 @@ grub_cryptodisk_scan_device_real (const char *name, grub_disk_t source) + return GRUB_ERR_NONE; + } + ++void ++grub_cryptodisk_add_secret_provider (struct grub_secret_entry *e) ++{ ++ grub_list_push(GRUB_AS_LIST_P (&secret_providers), GRUB_AS_LIST (e)); ++} ++ ++void ++grub_cryptodisk_remove_secret_provider (struct grub_secret_entry *e) ++{ ++ grub_list_remove (GRUB_AS_LIST (e)); ++} ++ + #ifdef GRUB_UTIL + #include + grub_err_t +@@ -931,7 +972,7 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args) + { + struct grub_arg_list *state = ctxt->state; + +- if (argc < 1 && !state[1].set && !state[2].set) ++ if (argc < 1 && !state[1].set && !state[2].set && !state[3].set) + return grub_error (GRUB_ERR_BAD_ARGUMENT, "device name required"); + + have_it = 0; +@@ -949,6 +990,7 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args) + + check_boot = state[2].set; + search_uuid = args[0]; ++ os_passwd = NULL; + grub_device_iterate (&grub_cryptodisk_scan_device, NULL); + search_uuid = NULL; + +@@ -959,11 +1001,37 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args) + else if (state[1].set || (argc == 0 && state[2].set)) + { + search_uuid = NULL; ++ os_passwd = NULL; + check_boot = state[2].set; + grub_device_iterate (&grub_cryptodisk_scan_device, NULL); + search_uuid = NULL; + return GRUB_ERR_NONE; + } ++ else if (state[3].set) ++ { ++ struct grub_secret_entry *se; ++ grub_err_t rc; ++ ++ if (argc < 1) ++ return grub_error (GRUB_ERR_BAD_ARGUMENT, "secret module must be specified"); ++#ifndef GRUB_UTIL ++ grub_dl_load (args[0]); ++#endif ++ se = grub_named_list_find (GRUB_AS_NAMED_LIST (secret_providers), args[0]); ++ if (se == NULL) ++ return grub_error (GRUB_ERR_INVALID_COMMAND, "No secret provider is found"); ++ ++ rc = se->get (args[1], &os_passwd); ++ if (rc) ++ return rc; ++ ++ search_uuid = NULL; ++ grub_device_iterate (&grub_cryptodisk_scan_device, NULL); ++ rc = se->put (args[1], have_it, &os_passwd); ++ os_passwd = NULL; ++ ++ return rc; ++ } + else + { + grub_err_t err; +@@ -974,6 +1042,7 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args) + grub_size_t len; + + search_uuid = NULL; ++ os_passwd = NULL; + check_boot = state[2].set; + diskname = args[0]; + len = grub_strlen (diskname); +@@ -1141,7 +1210,7 @@ GRUB_MOD_INIT (cryptodisk) + { + grub_disk_dev_register (&grub_cryptodisk_dev); + cmd = grub_register_extcmd ("cryptomount", grub_cmd_cryptomount, 0, +- N_("SOURCE|-u UUID|-a|-b"), ++ N_("SOURCE|-u UUID|-a|-b|-s MOD [ID]"), + N_("Mount a crypto device."), options); + grub_procfs_register ("luks_script", &luks_script); + } +diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h +index 33c86ad..6a93c56 100644 +--- a/include/grub/cryptodisk.h ++++ b/include/grub/cryptodisk.h +@@ -160,4 +160,18 @@ grub_util_get_geli_uuid (const char *dev); + grub_cryptodisk_t grub_cryptodisk_get_by_uuid (const char *uuid); + grub_cryptodisk_t grub_cryptodisk_get_by_source_disk (grub_disk_t disk); + ++struct grub_secret_entry { ++ /* as named list */ ++ struct grub_secret_entry *next; ++ struct grub_secret_entry **prev; ++ const char *name; ++ ++ /* additional entries */ ++ grub_err_t (*get)(const char *arg, char **secret); ++ grub_err_t (*put)(const char *arg, int have_it, char **secret); ++}; ++ ++void grub_cryptodisk_add_secret_provider (struct grub_secret_entry *e); ++void grub_cryptodisk_remove_secret_provider (struct grub_secret_entry *e); ++ + #endif +-- +2.43.5 + diff --git a/1005-efi-Add-API-for-retrieving-the-EFI-secret-for-crypto.patch b/1005-efi-Add-API-for-retrieving-the-EFI-secret-for-crypto.patch new file mode 100644 index 0000000..cf51219 --- /dev/null +++ b/1005-efi-Add-API-for-retrieving-the-EFI-secret-for-crypto.patch @@ -0,0 +1,217 @@ +From 9711568e6dce36a6245fada1509e9477c0268e30 Mon Sep 17 00:00:00 2001 +From: James Bottomley +Date: Thu, 31 Dec 2020 09:36:18 -0800 +Subject: [PATCH 3/3] efi: Add API for retrieving the EFI secret for cryptodisk + +cherry-picked from https://lists.gnu.org/archive/html/grub-devel/2020-12/msg00260.html. + +This module is designed to provide an efisecret command which +interrogates the EFI configuration table to find the location of the +confidential computing secret and tries to register the secret with +the cryptodisk. + +The secret is stored in a boot allocated area, usually a page in size. +The layout of the secret injection area is a header + +|GRUB_EFI_SECRET_TABLE_HEADER_GUID|len| + +with entries of the form + +|guid|len|data| + +the guid corresponding to the disk encryption passphrase is +GRUB_EFI_DISKPASSWD_GUID and data must be a zero terminated string. +To get a high entropy string that doesn't need large numbers of +iterations, use a base64 encoding of 33 bytes of random data. + +Signed-off-by: James Bottomley +--- + grub-core/Makefile.core.def | 8 ++ + grub-core/disk/efi/efisecret.c | 129 +++++++++++++++++++++++++++++++++ + include/grub/efi/api.h | 15 ++++ + 3 files changed, 152 insertions(+) + create mode 100644 grub-core/disk/efi/efisecret.c + +diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def +index 0963e88..aded014 100644 +--- a/grub-core/Makefile.core.def ++++ b/grub-core/Makefile.core.def +@@ -774,6 +774,14 @@ module = { + enable = efi; + }; + ++module = { ++ name = efisecret; ++ ++ common = disk/efi/efisecret.c; ++ ++ enable = efi; ++}; ++ + module = { + name = lsefimmap; + +diff --git a/grub-core/disk/efi/efisecret.c b/grub-core/disk/efi/efisecret.c +new file mode 100644 +index 0000000..745eede +--- /dev/null ++++ b/grub-core/disk/efi/efisecret.c +@@ -0,0 +1,129 @@ ++#include ++#include ++#include ++#include ++#include ++#include ++ ++GRUB_MOD_LICENSE ("GPLv3+"); ++ ++static grub_efi_packed_guid_t secret_guid = GRUB_EFI_SECRET_TABLE_GUID; ++static grub_efi_packed_guid_t tableheader_guid = GRUB_EFI_SECRET_TABLE_HEADER_GUID; ++static grub_efi_packed_guid_t diskpasswd_guid = GRUB_EFI_DISKPASSWD_GUID; ++ ++/* ++ * EFI places the secret in the lower 4GB, so it uses a UINT32 ++ * for the pointer which we have to transform to the correct type ++ */ ++struct efi_secret { ++ grub_uint64_t base; ++ grub_uint64_t size; ++}; ++ ++struct secret_header { ++ grub_efi_packed_guid_t guid; ++ grub_uint32_t len; ++}; ++ ++struct secret_entry { ++ grub_efi_packed_guid_t guid; ++ grub_uint32_t len; ++ char data[0]; ++}; ++ ++static grub_err_t ++grub_efi_secret_put (const char *arg __attribute__((unused)), int have_it, ++ char **ptr) ++{ ++ struct secret_entry *e = (struct secret_entry *)(*ptr - (long)&((struct secret_entry *)0)->data); ++ ++ /* destroy the secret */ ++ grub_memset (e, 0, e->len); ++ *ptr = NULL; ++ ++ if (have_it) ++ return GRUB_ERR_NONE; ++ ++ return grub_error (GRUB_ERR_ACCESS_DENIED, "EFI secret failed to unlock any volumes"); ++} ++ ++static grub_err_t ++grub_efi_secret_find (struct efi_secret *s, char **secret_ptr) ++{ ++ int len; ++ struct secret_header *h; ++ struct secret_entry *e; ++ unsigned char *ptr = (unsigned char *)(unsigned long)s->base; ++ ++ /* the area must be big enough for a guid and a u32 length */ ++ if (s->size < sizeof (*h)) ++ return grub_error (GRUB_ERR_BAD_ARGUMENT, "EFI secret area is too small"); ++ ++ h = (struct secret_header *)ptr; ++ if (grub_memcmp(&h->guid, &tableheader_guid, sizeof (h->guid))) ++ return grub_error (GRUB_ERR_BAD_ARGUMENT, "EFI secret area does not start with correct guid\n"); ++ if (h->len < sizeof (*h)) ++ return grub_error (GRUB_ERR_BAD_ARGUMENT, "EFI secret area is too small\n"); ++ ++ len = h->len - sizeof (*h); ++ ptr += sizeof (*h); ++ ++ while (len >= (int)sizeof (*e)) { ++ e = (struct secret_entry *)ptr; ++ if (e->len < sizeof(*e) || e->len > (unsigned int)len) ++ return grub_error (GRUB_ERR_BAD_ARGUMENT, "EFI secret area is corrupt\n"); ++ ++ if (! grub_memcmp (&e->guid, &diskpasswd_guid, sizeof (e->guid))) { ++ int end = e->len - sizeof(*e); ++ ++ /* ++ * the passphrase must be a zero terminated string because the ++ * password routines call grub_strlen () to find its size ++ */ ++ if (e->data[end - 1] != '\0') ++ return grub_error (GRUB_ERR_BAD_ARGUMENT, "EFI secret area disk encryption password is not zero terminated\n"); ++ ++ *secret_ptr = e->data; ++ return GRUB_ERR_NONE; ++ } ++ ptr += e->len; ++ len -= e->len; ++ } ++ return grub_error (GRUB_ERR_BAD_ARGUMENT, "EFI secret aread does not contain disk decryption password\n"); ++} ++ ++static grub_err_t ++grub_efi_secret_get (const char *arg __attribute__((unused)), char **ptr) ++{ ++ unsigned int i; ++ ++ for (i = 0; i < grub_efi_system_table->num_table_entries; i++) ++ { ++ grub_efi_packed_guid_t *guid = ++ &grub_efi_system_table->configuration_table[i].vendor_guid; ++ ++ if (! grub_memcmp (guid, &secret_guid, sizeof (grub_efi_packed_guid_t))) { ++ struct efi_secret *s = ++ grub_efi_system_table->configuration_table[i].vendor_table; ++ ++ return grub_efi_secret_find(s, ptr); ++ } ++ } ++ return grub_error (GRUB_ERR_BAD_ARGUMENT, "No secret found in the EFI configuration table"); ++} ++ ++static struct grub_secret_entry secret = { ++ .name = "efisecret", ++ .get = grub_efi_secret_get, ++ .put = grub_efi_secret_put, ++}; ++ ++GRUB_MOD_INIT(efisecret) ++{ ++ grub_cryptodisk_add_secret_provider (&secret); ++} ++ ++GRUB_MOD_FINI(efisecret) ++{ ++ grub_cryptodisk_remove_secret_provider (&secret); ++} +diff --git a/include/grub/efi/api.h b/include/grub/efi/api.h +index a57187f..d5c805d 100644 +--- a/include/grub/efi/api.h ++++ b/include/grub/efi/api.h +@@ -299,6 +299,21 @@ + { 0x9a, 0x16, 0x00, 0x90, 0x27, 0x3f, 0xc1, 0x4d } \ + } + ++#define GRUB_EFI_SECRET_TABLE_GUID \ ++ { 0xadf956ad, 0xe98c, 0x484c, \ ++ { 0xae, 0x11, 0xb5, 0x1c, 0x7d, 0x33, 0x64, 0x47} \ ++ } ++ ++#define GRUB_EFI_SECRET_TABLE_HEADER_GUID \ ++ { 0x1e74f542, 0x71dd, 0x4d66, \ ++ { 0x96, 0x3e, 0xef, 0x42, 0x87, 0xff, 0x17, 0x3b } \ ++ } ++ ++#define GRUB_EFI_DISKPASSWD_GUID \ ++ { 0x736869e5, 0x84f0, 0x4973, \ ++ { 0x92, 0xec, 0x06, 0x87, 0x9c, 0xe3, 0xda, 0x0b } \ ++ } ++ + #define GRUB_EFI_ACPI_TABLE_GUID \ + { 0xeb9d2d30, 0x2d88, 0x11d3, \ + { 0x9a, 0x16, 0x0, 0x90, 0x27, 0x3f, 0xc1, 0x4d } \ +-- +2.43.5 + diff --git a/grub.patches b/grub.patches index 124c51f..b33f419 100644 --- a/grub.patches +++ b/grub.patches @@ -593,3 +593,6 @@ Patch0591: 0591-grub-mkconfig.in-turn-off-executable-owner-bit.patch #Patch1000: 1000-loongarch64-add-support.patch Patch1001: 1001-bls-make-list.patch Patch1002: 1002-Add-LoongArch64-support-and-update-interface-to-v40.patch +Patch1003: 1003-cryptodisk-make-the-password-getter-and-additional-a.patch +Patch1004: 1004-cryptodisk-add-OS-provided-secret-support.patch +Patch1005: 1005-efi-Add-API-for-retrieving-the-EFI-secret-for-crypto.patch diff --git a/grub2.spec b/grub2.spec index 5fca491..0269b4f 100644 --- a/grub2.spec +++ b/grub2.spec @@ -1,4 +1,4 @@ -%define anolis_release .0.1 +%define anolis_release .0.2 %undefine _hardened_build %global tarversion 2.02 @@ -536,6 +536,9 @@ fi %endif %changelog +* Thu Jan 02 2025 hanliyang - 2.02-160.0.2 +- Support use confidential computing provisioned secrets for disk decryption + * Tue Dec 24 2024 Bo Ren - 2.02-160.0.1 - Build pc-modules package on x86_64 (geliwei@openanolis.org) - Add loongarch64 base support (zhangwenlong@loongson.cn)(chenguoqi@loongson.cn) -- Gitee