instead of running pwd all the time, run it once in lib.sh,
and export PWD.
for cbmk-specific use of PWD, use xbmkpwd, which contains
the value of PWD as was set by the pwd utility in lib.sh.
many parts of cbmk rely on pwd, and it *must* be correct.
this change adds basic error handling, since pwd can in
fact return errors in some cases.
Signed-off-by: Leah Rowe <leah@libreboot.org>
PWD could be anything, if the user manually exported
it before running cbmk.
always run pwd instead, to get the real string.
Signed-off-by: Leah Rowe <leah@libreboot.org>
I was importing a patch for the z790 boards, but
Libreboot doesn't support this board yet, and the
patch was a hack that may affect other boards.
When I do later merge that board, and I find that the
hack is needed, I'll simply make another grub tree
within lbmk.
Signed-off-by: Leah Rowe <leah@libreboot.org>
You can find information about these patches here:
https://lists.gnu.org/archive/html/grub-devel/2025-02/msg00024.html
GRUB has been on a crusade as of late, to proactively audit
and fix many security vulnerabilities. This lbmk change brings
in a comprehensive series of patches that fix bugs ranging from
possible buffer overflows, use-after frees, null derefs and so on.
These changes are critical, so a revision release *will* be issued,
for the Libreboot 20241206 release series.
This change imports the following 73 patches which
are present on the upstream GRUB repository (commit IDs
matched to upstream):
* 4dc616657 loader/i386/bsd: Use safe math to avoid underflow
* 490a6ab71 loader/i386/linux: Cast left shift to grub_uint32_t
* a8d6b0633 kern/misc: Add sanity check after grub_strtoul() call
* 8e6e87e79 kern/partition: Add sanity check after grub_strtoul() call
* 5b36a5210 normal/menu: Use safe math to avoid an integer overflow
* 9907d9c27 bus/usb/ehci: Define GRUB_EHCI_TOGGLE as grub_uint32_t
* f8795cde2 misc: Ensure consistent overflow error messages
* 66733f7c7 osdep/unix/getroot: Fix potential underflow
* d13b6e8eb script/execute: Fix potential underflow and NULL dereference
* e3c578a56 fs/sfs: Check if allocated memory is NULL
* 1c06ec900 net: Check if returned pointer for allocated memory is NULL
* dee2c14fd net: Prevent overflows when allocating memory for arrays
* 4beeff8a3 net: Use safe math macros to prevent overflows
* dd6a4c8d1 fs/zfs: Add missing NULL check after grub_strdup() call
* 13065f69d fs/zfs: Check if returned pointer for allocated memory is NULL
* 7f38e32c7 fs/zfs: Prevent overflows when allocating memory for arrays
* 88e491a0f fs/zfs: Use safe math macros to prevent overflows
* cde9f7f33 fs: Prevent overflows when assigning returned values from read_number()
* 84bc0a9a6 fs: Prevent overflows when allocating memory for arrays
* 6608163b0 fs: Use safe math macros to prevent overflows
* fbaddcca5 disk/ieee1275/ofdisk: Call grub_ieee1275_close() when grub_malloc() fails
* 33bd6b5ac disk: Check if returned pointer for allocated memory is NULL
* d8151f983 disk: Prevent overflows when allocating memory for arrays
* c407724da disk: Use safe math macros to prevent overflows
* c4bc55da2 fs: Disable many filesystems under lockdown
* 26db66050 fs/bfs: Disable under lockdown
* 5f31164ae commands/hexdump: Disable memory reading in lockdown mode
* 340e4d058 commands/memrw: Disable memory reading in lockdown mode
* 34824806a commands/minicmd: Block the dump command in lockdown mode
* c68b7d236 commands/test: Stack overflow due to unlimited recursion depth
* dad8f5029 commands/read: Fix an integer overflow when supplying more than 2^31 characters
* b970a5ed9 gettext: Integer overflow leads to heap OOB write
* 09bd6eb58 gettext: Integer overflow leads to heap OOB write or read
* 7580addfc gettext: Remove variables hooks on module unload
* 9c1619773 normal: Remove variables hooks on module unload
* 2123c5bca commands/pgp: Unregister the "check_signatures" hooks on module unload
* 0bf56bce4 commands/ls: Fix NULL dereference
* 05be856a8 commands/extcmd: Missing check for failed allocation
* 98ad84328 kern/dl: Check for the SHF_INFO_LINK flag in grub_dl_relocate_symbols()
* d72208423 kern/dl: Use correct segment in grub_dl_set_mem_attrs()
* 500e5fdd8 kern/dl: Fix for an integer overflow in grub_dl_ref()
* 2c34af908 video/readers/jpeg: Do not permit duplicate SOF0 markers in JPEG
* 0707accab net/tftp: Fix stack buffer overflow in tftp_open()
* 5eef88152 net: Fix OOB write in grub_net_search_config_file()
* aa8b4d7fa net: Remove variables hooks when interface is unregisted
* a1dd8e59d net: Unregister net_default_ip and net_default_mac variables hooks on unload
* d8a937cca script/execute: Limit the recursion depth
* 8a7103fdd kern/partition: Limit recursion in part_iterate()
* 18212f064 kern/disk: Limit recursion depth
* 67f70f70a disk/loopback: Reference tracking for the loopback
* 13febd78d disk/cryptodisk: Require authentication after TPM unlock for CLI access
* 16f196874 kern/file: Implement filesystem reference counting
* a79106872 kern/file: Ensure file->data is set
* d1d6b7ea5 fs/xfs: Ensuring failing to mount sets a grub_errno
* 6ccc77b59 fs/xfs: Fix out-of-bounds read
* 067b6d225 fs/ntfs: Implement attribute verification
* 048777bc2 fs/ntfs: Use a helper function to access attributes
* 237a71184 fs/ntfs: Track the end of the MFT attribute buffer
* aff263187 fs/ntfs: Fix out-of-bounds read
* 7e2f750f0 fs/ext2: Fix out-of-bounds read for inline extents
* edd995a26 fs/jfs: Inconsistent signed/unsigned types usage in return values
* bd999310f fs/jfs: Use full 40 bits offset and address for a data extent
* ab09fd053 fs/jfs: Fix OOB read caused by invalid dir slot index
* 66175696f fs/jfs: Fix OOB read in jfs_getent()
* 1443833a9 fs/iso9660: Fix invalid free
* 965db5970 fs/iso9660: Set a grub_errno if mount fails
* f7c070a2e fs/hfsplus: Set a grub_errno if mount fails
* 563436258 fs/f2fs: Set a grub_errno if mount fails
* 0087bc690 fs/tar: Integer overflow leads to heap OOB write
* 2c8ac08c9 fs/tar: Initialize name in grub_cpio_find_file()
* 417547c10 fs/hfs: Fix stack OOB write with grub_strcpy()
* c1a291b01 fs/ufs: Fix a heap OOB write
* ea703528a misc: Implement grub_strlcpy()
Signed-off-by: Leah Rowe <leah@libreboot.org>
genisoimage is not a an AUR package as suggested by aur_notice. It is
available in the "cdrtools" package in the repositories.
References: https://archlinux.org/packages/extra/x86_64/cdrtools/
Signed-off-by: Runxi Yu <me@runxiyu.org>
the user might have boot their kernel inside luks
inside lvm for some dumb reason
it's theoretically possible that the user would be
so silly indeed
Signed-off-by: Leah Rowe <leah@libreboot.org>
We were scanning a hardcoded set up LVM volumes, so in practise,
LVM boot didn't really work. We did this because scanning for
asterisk is slow on some machines. However, since LVM is the last
one, and since most users don't boot directly from LVM, it wasn't
that much of an issue in practise.
Signed-off-by: Leah Rowe <leah@libreboot.org>
This was leftover from idk when. It's not in lbmk.
We don't need it here. This is a relic from when
the build system used git's submodules feature.
Nowadays, the build system automatically handles
directories such as what this patch handled.
Signed-off-by: Leah Rowe <leah@libreboot.org>
This revision:
* 2f1e4e5e85 mb/hp/snb_ivb_desktops/z220*: Remove leftover old usb configurations
This is in line with the revision used by Libreboot 20241206,
8th revision - as of this commit, Canoeboot 20241207 rev1 can
be compiled, I just need to update the GRUB/SeaBIOS/U-Boot
version reporting, and sync up lbwww->cbwww with a release page.
Signed-off-by: Leah Rowe <leah@libreboot.org>
We were previously not handling picotool at all, and
pico-sdk would download picotool itself, at build time.
This means that the source archive, if created, would
not contain picotool. While not strictly required, for
complete corresponding source, since it's a toolchain
and not the actual pico-serprog firmware, it is my policy
that releases must include full corresponding source code,
when it is feasible to do so.
I must say, I intensely dislike cmake, with such burning
passion; I am thoroughly displeased by how hacky this is,
but it works and now nothing is in my way for a Libreboot
20241206 rev8 release!
Signed-off-by: Leah Rowe <leah@libreboot.org>
probably not actually needed, but it annoys me that it doesn't
come installed by default, and it's needed for certain git
operations
Signed-off-by: Leah Rowe <leah@libreboot.org>
the gnu.org mirror is always slow for some reason, but only
for gnulib. it may only be for me, because routing in other
countries/networks may differ.
when i'm freshly cloning lbmk modules, gnulib is always really
slow, like 300KB/s (bytes, not bits)
i have 1gbps internet and wish to not have 2005-era speeds,
thank you kindly!
Signed-off-by: Leah Rowe <leah@libreboot.org>
dnf reinstall package
or
dnf install package
for reinstall, do this:
./mk dependencies fedora41 re
this is an example command
the 4th argument prefixes "install" in dnf install
a bit hacky but it should work
Signed-off-by: Leah Rowe <leah@libreboot.org>
This brings in a *single* change from SeaBIOS, because there
has only been one change in the main branch, and it's a bug fix.
The change from upstream is as follows:
commit 1602647f1be24fe63d11138d802e735c8e674e63
Author: Daniel Khodabakhsh <d.khodabakhsh@gmail.com>
Date: Thu Nov 7 18:46:16 2024 -0800
boot: Force display of the boot menu when boot-menu-wait is a negative number
Signed-off-by: Leah Rowe <leah@libreboot.org>
Although this is for a stable release revision, namely
Canoeboot 20241207 revision 1, I've carefully audited the
upstream changes and they all seem fine.
Several important bug fixes have been imported with this change.
Most interestly, GRUB has also added support for TPM2 Key
Protectors; we don't use this feature yet, and probably won't
for the time being, since TPM is largely security threatre for
our purposes anyway. There's no harm including all upstream
revisions, up to those ones, since those modules are not yet
added in lbmk.
Most notably, there are several file system fixes, and minor fixes
to the graphics terminal of GRUB. Minor fixes only, in terms of
what Canoeboot actually uses at present.
The full list of imported changes are as follows, relative to the
previous GRUB revision, which was b53ec06a1 from 17 June 2024:
* 6811f6f09 tpm2_key_protector: Enable build for powerpc_ieee1275
* ff14b89bd ieee1275/tcg2: Add TCG2 driver for ieee1275 PowerPC firmware
* 72092a864 ieee1275/tcg2: Refactor grub_ieee1275_tpm_init()
* 8c0b5f200 ieee1275/ibmvpm: Move TPM initialization functions to own file
* 7344b3c7c ieee1275: Consolidate repeated definitions of IEEE1275_IHANDLE_INVALID
* 29d1bd2a9 term/ieee1275/serial: Cast 0 to proper type
* 99ee68a01 tss2: Adjust bit fields for big endian targets
* 3770a6905 docs: Document TPM2 key protector
* f898440cc tests: Add tpm2_key_protector_test
* 76a2bcb99 tpm2_key_protector: Add grub-emu support
* 135e0bc88 diskfilter: Look up cryptodisk devices first
* b35480b48 cryptodisk: Wipe out the cached keys from protectors
* 6abf8af3c cryptodisk: Fallback to passphrase
* fba3a474e tpm2_key_protector: Implement NV index
* 550ada7d6 tpm2_key_protector: Support authorized policy
* 5f6a2fd51 util/grub-protect: Add new tool
* ad0c52784 cryptodisk: Support key protectors
* 48e230c31 key_protector: Add TPM2 Key Protector
* 35c9904df tss2: Add TPM2 Software Stack (TSS2) support
* 63a78f4b4 tss2: Add TPM2 types and Marshal/Unmarshal functions
* 2ad159d9b tss2: Add TPM2 buffer handling functions
* 5d260302d key_protector: Add key protectors framework
* 3d60732f9 libtasn1: Add the documentation
* 99cda6788 asn1_test: Test module for libtasn1
* 504058e82 libtasn1: Compile into asn1 module
* 8a0fedef2 asn1_test: Enable the testcase only when GRUB_LONG_MAX is larger than GRUB_INT_MAX
* 66cf4cb14 asn1_test: Use the grub-specific functions and types
* 0d0913fc6 asn1_test: Print the error messages with grub_printf()
* 2e93a8e4b asn1_test: Remove "verbose" and the unnecessary printf()
* b7568e335 asn1_test: Return either 0 or 1 to reflect the results
* d60a04bae asn1_test: Rename the main functions to the test names
* 54e0e19a2 asn1_test: Include asn1_test.h only
* 0ad1d4ba8 libtasn1: Fix the potential buffer overrun
* 4160ca983 libtasn1: Use grub_divmod64() for division
* 8f56e5e5c libtasn1: Adjust the header paths in libtasn1.h
* d86df91cb libtasn1: Replace strcat() with _asn1_str_cat()
* 32fdfe600 libtasn1: Replace strcat() with strcpy() in _asn1_str_cat()
* fa498af7b libtasn1: Disable code not needed in GRUB
* 9a26abbc3 libtasn1: Import libtasn1-4.19.0
* c85c2b9f5 posix_wrap: Tweaks in preparation for libtasn1
* 4f6c46091 kern/fs: Honour file->read_hook() in grub_fs_blocklist_read()
* 792132c72 docs: Fix incorrect and potentially confusing language and minor formatting
* 1763d83f5 docs: Correct GRUB config file name for network boot
* 097fd9d9a docs: Correct chainloader UEFI secure boot info
* f48e6af11 docs: Correct PXE environment variables descriptions
* dd743ba42 loader/multiboot: Do not add modules before successful download
* 9a9082b50 grub-mkimage: Add SBAT metadata into ELF note for PowerPC targets
* f97d4618a grub-mkimage: Create new ELF note for SBAT
* f26b39860 commands/legacycfg: Avoid closing file twice
* 337cb2486 nx: Rename GRUB_DL_ALIGN to DL_ALIGN
* 31de991de kern/acpi: Fix out of bounds access in grub_acpi_xsdt_find_table()
* f5bb766e6 nx: Set the NX compatible flag for the GRUB EFI images
* 94649c026 nx: Set page permissions for loaded modules
* 09ca66673 nx: Add memory attribute get/set API
* 9fb80dd57 modules: Load module sections at page-aligned addresses
* 6e2fe134e modules: Don't allocate space for non-allocable sections
* 2b79d550f modules: Strip .llvm_addrsig sections and similar
* 246c82cda modules: Make .module_license read-only
* 616adeb80 i386/memory: Rename PAGE_SIZE to GRUB_PAGE_SIZE and make it global
* 95a7bfef5 i386/memory: Rename PAGE_SHIFT to GRUB_PAGE_SHIFT
* 1b1061409 i386/msr: Extract and improve MSR support detection code
* 929fafdf5 i386/msr: Rename grub_msr_read() and grub_msr_write()
* d96cfd7bf i386/msr: Merge rdmsr.h and wrmsr.h into msr.h
* 86ec48882 commands/tpm: Skip loopback image measurement
* 3808b1a9b net/drivers/efi/efinet: Skip virtual VLAN devices during card enumeration
* e5f047be0 efi/console: Properly clear leftover artifacts from the screen
* c5ae124e1 kern/riscv/efi/init: Use time register in grub_efi_get_time_ms()
* 9c34d56c2 loader/efi/linux: Reset freed pointer
* 92bed41bf loader/efi/linux: Reuse len variable
* 33cb8aecd lib/x86_64/relocator_asm: Use .quad instead of .long
* 77cd623de lib/x86_64/relocator_asm: Fix comment in code
* 95145eea5 loader/efi/linux: Update comment
* d333e8bb3 util/grub-mkimagexx: Explicitly move modules to __bss_start for MIPS targets
* 34b7f3721 include/grub/offsets.h: Set mod_align to 4 on MIPS
* ed0651673 gentpl: Put boot/mips/startup_raw.S into beginning of the image
* 648f2d16c configure: Add -mno-gpopt option for mips and mipsel targets
* f0710d2d8 lib/xzembed/xz_dec_bcj: Silence warning when no BCJ is available
* e61157bbd fs/erofs: Replace 64-bit modulo with bitwise operations
* 5313fa839 configure: Look for .otf fonts
* 33b94f2a9 loader/efi/chainloader: Do not print device path of chainloaded file
* ab1e6fc04 docs: Document all GRUB modules
* 9537f4403 commands/bli: Fix crash in get_part_uuid()
Signed-off-by: Leah Rowe <leah@libreboot.org>
We haven't seen any build errors, but it seems flashprog
sets -Werror on CFLAGS. If you provide WARNERROR=no as
a make argument, it avoids -Werror entirely.
This is a preventative fix, for over-zealous compilers.
Signed-off-by: Leah Rowe <leah@libreboot.org>
In Debian dependencies files. These are available in
Debian Stable, but liblz4-tool is a transitional
package referring to lz4; liblz4-tool transition
package is unavailable in Debian sid, so remove it
from the dependencies files.
Signed-off-by: Leah Rowe <leah@libreboot.org>
./mk dependencies debian --reinstall
Add --reinstall and it'll do:
apt-get install --reinstall
This can be useful when updating from a stable release
to a testing release. The variable, "reinstall" can be
configured for other distros, but it's currently only
configured for Debian-based distros.
Also, it can be anything. For example, you could add -y;
however, a 4th argument will not be accepted. For example,
you cannot do:
./mk dependencies debian --reinstall -y
If you do this, it'll only see --reinstall; similarly, if
you did this command:
./mk dependencies debian -y --reinstall
then -y would be passed, but not --reinstall. This is an
intentional design decision, in case you accidentally pasted
or subshelled something that outputted something undesirable,
to prevent possible abuse.
Signed-off-by: Leah Rowe <leah@libreboot.org>
Tested on Debian Sid, as of 30 December 2024, which uses
Swig 4.3.0. Context here:
commit a63456b9191fae2fe49f4b121e025792022e3950
Author: Markus Volk <f_l_k@t-online.de>
Date: Wed Oct 30 06:07:16 2024 +0100
scripts/dtc/pylibfdt/libfdt.i_shipped: Use SWIG_AppendOutput
This patch from U-Boot upstream has been backported to the
release revision used by Libreboot. Swig has, since 4.3.0,
changed the language-specific AppendOutput functions, but
the helper macro SWIG_AppendOutput is identical; therefore,
upstream switched to this function.
The benefit of this fix is that since the newly used macro
is also the same on older Swig versions, and behaves the same,
this shouldn't fix building on older Swig versions. For reference,
the initial Libreboot 20241206 release, and revisions of it before
revision 8, was built on Debian 12 which uses Swig 4.1.0.
The rev8 release will still be compiled on Debian 12, but with
this change, it should also compile on Debian Sid, and bleeding
edge distros like Arch Linux.
Signed-off-by: Leah Rowe <leah@libreboot.org>
because if it says yes to everything, and the package
manager would otherwise ask whether you want to give
it your first born son, you are therefore agreeing to it.
so remove -y for safety
Signed-off-by: Leah Rowe <leah@libreboot.org>
Previously serprog_rp2040, but we now also support
the RP2530 boards.
Therefore, serprog_pico is a nice generic name. The
directory on release archives will now be serprog_pico
instead of serprog_rp2040; it will contain serprog images
for both RP2040 and RP2530 devices.
Signed-off-by: Leah Rowe <leah@libreboot.org>
this brings support for a new microcontroller platform rp2530.
total number of pico boards supported now: 97
TEST: built them all
Tested-by: Riku Viitanen <riku.viitanen@protonmail.com>
Signed-off-by: Riku Viitanen <riku.viitanen@protonmail.com>
in this setup, seabios is never the default payload, grub is,
but only if grub is enabled.
set this in target.cfg:
payload_grubsea="y"
if payload_grub isn't enabled, this is auto-set to n
ditto if initmode=normal
NOTE: if flashing libgfx setups, you should make sure
that you're not booting with a graphics card, only intel
graphics. this setting will intentionally not be documented,
because it's not recommended, but is being implemented for
testing purposes (and i implemented it for some guy who i
think is cool). i'll probably also use this myself, since
i already do grub-only setups on all my own machines.
seagrub is the default on x86 because of past instabilities
with grub. to mitigate in case of future issues, since seabios
is always stable, we reduce the chance of bricks.
Signed-off-by: Leah Rowe <leah@libreboot.org>
it's green there. different colour scheme apparently.
still works on x86. alper said his kevin chromebook was green!
was green on the libreboot one, which should be purple.
i don't know how can-u-boot green would show up. would be
funny if it turned out purple
Signed-off-by: Leah Rowe <leah@libreboot.org>
The bootflow menu is already the default boot command on x86. Switch
arm64 boards to that as well, so instead of booting the first thing we
find, we can easily choose what to boot.
Signed-off-by: Alper Nebi Yasak <alpernebiyasak@gmail.com>
Otherwise, you have to press enter to boot your distro.
With this, a timeout is created. After a number of seconds,
which can be reconfigured, the first option selected will be booted,
when generating a bootflow menu.
The timeout is disabled when you navigate the menu; it only
kicks in if you don't input anything on the keyboard.
More information about how this works is in the U-Boot patches,
within this patch. I've set the timeout to 8 seconds.
Signed-off-by: Leah Rowe <leah@libreboot.org>
Otherwise, you have to press enter to boot, which is unacceptable
for headless operation.
Pressing anything other than enter an an option, such as the arrow
keys, will disable the timeout.
Signed-off-by: Leah Rowe <leah@libreboot.org>
We need to initialize the USB subsystem before we can use USB devices
like keyboards and external disks, by running `usb start`. Use the
PREBOOT config option to run the necessary command before U-Boot tries
to automatically boot anything. It's already enabled for boards other
than gru_kevin and gru_bob, so just update those two configs.
Signed-off-by: Alper Nebi Yasak <alpernebiyasak@gmail.com>
Set default U-Boot revision to v2024.10 and rebase patches on top of
that. The video subsystem now has switched to using the 'cyclic'
mechanism, so the code around one of the video patches changed a bit.
x86 boards were already switched to v2024.10. Update U-Boot for the
remaining ARM64 boards as usual:
- Turn old configs into defconfigs (./update trees -s u-boot)
- Save the diff from old upstream defconfig (diffconfig $theirs $ours)
- Update U-Boot revision, rebase patches, and clean old trees
- Prepare new U-Boot tree (./update trees -f u-boot)
- Review the diffconfigs to see if any options were renamed upstream
- Copy over the new upstream defconfigs and apply earlier diff
- Turn new defconfigs into configs (./update trees -l u-boot)
Signed-off-by: Alper Nebi Yasak <alpernebiyasak@gmail.com>
It wasn't being included, because we remove these files
in Canoeboot's version of U-Boot.
However, rules for including them was still in the U-Boot
build logic, leading to build issues such as:
arch/x86/dts/.cherryhill.dtb.pre.tmp:206:10: fatal error: microcode/m01406c2220.dtsi: No such file or directory
206 | #include "microcode/m01406c2220.dtsi"
This happened when building x86 U-Boot payloads. This patch
fixes the issue.
Signed-off-by: Leah Rowe <info@minifree.org>
openssl-devel was split up in Fedora 41, and this package is required to build libreboot
on Fedora 41.
This was reported by "tweezers" on #libreboot.
Signed-off-by: Mate Kukri <km@mkukri.xyz>
Same concept as SeaGRUB, but for U-Boot. SeaBIOS starts, but
has a bootorder file loading U-Boot first, from flash.
You can interrupt it with the ESC menu, to boot something else
in SeaBIOS, including GRUB.
With this, we can effectively provide extremely user-friendly
UEFI-first setups in Canoeboot.
Take that, edk2!
Signed-off-by: Leah Rowe <leah@libreboot.org>
Leah Rowe