NTFS is disabled with secure boot enabled anyway now, and these patches
caused a regression both for grub during boot and grub_mount in
userspace.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
to allow revoking earlier versions that haven't fixed the various lockdown/SB
escape vulnerabilities published in February 2025
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
this backports upstream commits fixing a slew of CVEs:
ea703528a8581a2ea7e0bad424a70fdf0aec7d8f~..4dc6166571645780c459dde2cdc1b001a5ec844c
, adapting context or dropping inapplicable patches as needed for 2.06. changes
noted on individual patches.
commit ef7850c757fb3dd2462a512cfa0ff19c89fcc0b1 is cherry-picked additionally
as pre-requisite.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
When building the ISO we use grub-mkrescue to set up the outer GRUB on
the ISO that's used to boot the actual installer, but mkrescue sadly
has no native support to copy over the signed shim, so add that but
only enable it through an environment variable so that we do not have
to vet this overly closely as it won't affect any normal grub use
anyway, even less so as mkrescue is used rather rarely on running
systems.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
bump grub upstream SBAT for the pulled in CVE fixes
add grub.debian entry since we mostly re-use Debian's implementation, any
Debian-specific issue almost certainly would affect ours too
keep grub.proxmox at 1 - no signatures have been created yet using the
production keys, so there is no binary in existence that would need to be
revoked.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Add debconf logic for GRUB_DISABLE_OS_PROBER to make it easier to
control things here. Particularly useful for the installer.
Closes: #1031594, #1012865.
SBAT version is 3 (as opposed to Debian's 4) since we haven't shipped a version
3 Grub that doesn't have the version 3 fixes.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
- disk/cryptodisk: When cheatmounting, use the sector info of the cheat
device
- osdep/devmapper/getroot: Have devmapper recognize LUKS2
- osdep/devmapper/getroot: Set up cheated LUKS2 cryptodisk mount from DM
parameters
I've mostly retired from GRUB maintenance since early 2022, so I think
it would be better if I weren't listed as an uploader in bookworm.
Thanks to Steve and Julian for picking up the torch!