Fix arm64 kernel image not aligned on 64k boundary

* backport-arm64-Fix-EFI-loader-kernel-image-allocation.patch
  * backport-Arm-check-for-the-PE-magic-for-the-compiled-arch.patch

Signed-off-by: yanan-rock <yanan@huawei.com>
(cherry picked from commit 213914bf725818c72c2e685d5f3a39b64fea9a85)

backport-Arm-check-for-the-PE-magic-for-the-compiled-arch.patch

@@ -0,0 +1,65 @@
+From 337b3d963d28b3544e8817428fb68ca559613a39 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Thu, 9 Sep 2021 10:59:28 -0400
+Subject: [PATCH 2/2] Arm: check for the PE magic for the compiled arch
+
+In "arm64: Fix EFI loader kernel image allocation", Ben fixed the kernel
+alignment to match the alignment given in the PE header.  In doing so, a
+check for valid PE magic was added, which was hard-coded to the value
+seen on Aarch64 (GRUB_PE32_PE64_MAGIC).
+
+Unfortunately, this code is shared between 64-bit and 32-bit, and so
+that value broke 32-bit Arm systems.
+
+This patch adds a constant definition for GRUB_PE32_PEXX_MAGIC, which is
+either GRUB_PE32_PE64_MAGIC or GRUB_PE32_PE32_MAGIC, depending on which
+platform is being built, and uses it in the header magic check.
+
+Resolves: rhbz#2000756
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ grub-core/loader/arm64/linux.c | 2 +-
+ include/grub/arm/linux.h       | 1 +
+ include/grub/arm64/linux.h     | 1 +
+ 3 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/loader/arm64/linux.c b/grub-core/loader/arm64/linux.c
+index 1da1886..f0ad052 100644
+--- a/grub-core/loader/arm64/linux.c
++++ b/grub-core/loader/arm64/linux.c
+@@ -342,7 +342,7 @@ parse_pe_header (void *kernel, grub_uint64_t *total_size,
+
+   pe = (void *)((unsigned long)kernel + lh->hdr_offset);
+
+-  if (pe->opt.magic != GRUB_PE32_PE64_MAGIC)
++  if (pe->opt.magic != GRUB_PE32_PEXX_MAGIC)
+     return grub_error(GRUB_ERR_BAD_OS, "Invalid PE optional header magic");
+
+   *total_size   = pe->opt.image_size;
+diff --git a/include/grub/arm/linux.h b/include/grub/arm/linux.h
+index b582f67..966a507 100644
+--- a/include/grub/arm/linux.h
++++ b/include/grub/arm/linux.h
+@@ -44,6 +44,7 @@ struct grub_arm_linux_pe_header
+
+ #if defined(__arm__)
+ # define GRUB_LINUX_ARMXX_MAGIC_SIGNATURE GRUB_LINUX_ARM_MAGIC_SIGNATURE
++# define GRUB_PE32_PEXX_MAGIC GRUB_PE32_PE32_MAGIC
+ # define linux_arch_kernel_header linux_arm_kernel_header
+ # define grub_armxx_linux_pe_header grub_arm_linux_pe_header
+ #endif
+diff --git a/include/grub/arm64/linux.h b/include/grub/arm64/linux.h
+index a3be9dd..20828d9 100644
+--- a/include/grub/arm64/linux.h
++++ b/include/grub/arm64/linux.h
+@@ -47,6 +47,7 @@ struct grub_arm64_linux_pe_header
+
+ #if defined(__aarch64__)
+ # define GRUB_LINUX_ARMXX_MAGIC_SIGNATURE GRUB_LINUX_ARM64_MAGIC_SIGNATURE
++# define GRUB_PE32_PEXX_MAGIC GRUB_PE32_PE64_MAGIC
+ # define linux_arch_kernel_header linux_arm64_kernel_header
+ # define grub_armxx_linux_pe_header grub_arm64_linux_pe_header
+ #endif
+--
+2.23.0

backport-arm64-Fix-EFI-loader-kernel-image-allocation.patch

@@ -0,0 +1,192 @@
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Date: Mon, 2 Aug 2021 23:10:01 +1000
+Subject: [PATCH 1/2] arm64: Fix EFI loader kernel image allocation
+
+We are currently allocating just enough memory for the file size,
+which means that the kernel BSS is in limbo (and not even zeroed).
+
+We are also not honoring the alignment specified in the image
+PE header.
+
+This makes us use the PE optional header in which the kernel puts the
+actual size it needs, including BSS, and make sure we clear it, and
+honors the specified alignment for the image.
+
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+---
+ grub-core/loader/arm64/linux.c | 102 ++++++++++++++++++++++-----------
+ 1 file changed, 67 insertions(+), 35 deletions(-)
+
+diff --git a/grub-core/loader/arm64/linux.c b/grub-core/loader/arm64/linux.c
+index a18c487..a803aa9 100644
+--- a/grub-core/loader/arm64/linux.c
++++ b/grub-core/loader/arm64/linux.c
+@@ -40,6 +40,8 @@ GRUB_MOD_LICENSE ("GPLv3+");
+ static grub_dl_t my_mod;
+ static int loaded;
+ 
++static void *kernel_alloc_addr;
++static grub_uint32_t kernel_alloc_pages;
+ static void *kernel_addr;
+ static grub_uint64_t kernel_size;
+ static grub_uint32_t handover_offset;
+@@ -223,9 +225,8 @@ grub_linux_unload (void)
+ 			 GRUB_EFI_BYTES_TO_PAGES (initrd_end - initrd_start));
+   initrd_start = initrd_end = 0;
+   grub_free (linux_args);
+-  if (kernel_addr)
+-    grub_efi_free_pages ((grub_addr_t) kernel_addr,
+-			 GRUB_EFI_BYTES_TO_PAGES (kernel_size));
++  if (kernel_alloc_addr)
++    grub_efi_free_pages ((grub_addr_t) kernel_alloc_addr, kernel_alloc_pages);
+   grub_fdt_unload ();
+   return GRUB_ERR_NONE;
+ }
+@@ -330,14 +331,35 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)),
+   return grub_errno;
+ }
+ 
++static grub_err_t
++parse_pe_header (void *kernel, grub_uint64_t *total_size,
++		 grub_uint32_t *entry_offset,
++		 grub_uint32_t *alignment)
++{
++  struct linux_arch_kernel_header *lh = kernel;
++  struct grub_armxx_linux_pe_header *pe;
++
++  pe = (void *)((unsigned long)kernel + lh->hdr_offset);
++
++  if (pe->opt.magic != GRUB_PE32_PE64_MAGIC)
++    return grub_error(GRUB_ERR_BAD_OS, "Invalid PE optional header magic");
++
++  *total_size   = pe->opt.image_size;
++  *entry_offset = pe->opt.entry_addr;
++  *alignment    = pe->opt.section_alignment;
++
++  return GRUB_ERR_NONE;
++}
++
+ static grub_err_t
+ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+ 		int argc, char *argv[])
+ {
+   grub_file_t file = 0;
+-  struct linux_arch_kernel_header lh;
+-  struct grub_armxx_linux_pe_header *pe;
+   grub_err_t err;
++  grub_off_t filelen;
++  grub_uint32_t align;
++  void *kernel = NULL;
+   int rc;
+ 
+   grub_dl_ref (my_mod);
+@@ -351,41 +373,25 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+   file = grub_file_open (argv[0], GRUB_FILE_TYPE_LINUX_KERNEL);
+   if (!file)
+     goto fail;
+-
+-  kernel_size = grub_file_size (file);
+-
+-  if (grub_file_read (file, &lh, sizeof (lh)) < (long) sizeof (lh))
+-    return grub_errno;
+-
+-  if (grub_arch_efi_linux_check_image (&lh) != GRUB_ERR_NONE)
+-    goto fail;
+-
+-  grub_loader_unset();
+-
+-  grub_dprintf ("linux", "kernel file size: %lld\n", (long long) kernel_size);
+-  kernel_addr = grub_efi_allocate_any_pages (GRUB_EFI_BYTES_TO_PAGES (kernel_size));
+-  grub_dprintf ("linux", "kernel numpages: %lld\n",
+-		(long long) GRUB_EFI_BYTES_TO_PAGES (kernel_size));
+-  if (!kernel_addr)
++  
++  filelen = grub_file_size (file);
++  kernel = grub_malloc(filelen);
++  if (!kernel)
+     {
+-      grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("out of memory"));
++      grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("cannot allocate kernel load buffer"));
+       goto fail;
+     }
+ 
+-  grub_file_seek (file, 0);
+-  if (grub_file_read (file, kernel_addr, kernel_size)
+-      < (grub_int64_t) kernel_size)
++  if (grub_file_read (file, kernel, filelen) < (grub_ssize_t)filelen)
+     {
+-      if (!grub_errno)
+-	grub_error (GRUB_ERR_BAD_OS, N_("premature end of file %s"), argv[0]);
++      grub_error (GRUB_ERR_FILE_READ_ERROR, N_("Can't read kernel %s"),
++		  argv[0]);
+       goto fail;
+     }
+ 
+-  grub_dprintf ("linux", "kernel @ %p\n", kernel_addr);
+-
+   if (grub_efi_secure_boot ())
+     {
+-      rc = grub_linuxefi_secure_validate (kernel_addr, kernel_size);
++      rc = grub_linuxefi_secure_validate (kernel, filelen);
+       if (rc <= 0)
+ 	{
+ 	  grub_error (GRUB_ERR_INVALID_COMMAND,
+@@ -394,8 +400,32 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+ 	}
+     }
+ 
+-  pe = (void *)((unsigned long)kernel_addr + lh.hdr_offset);
+-  handover_offset = pe->opt.entry_addr;
++  if (grub_arch_efi_linux_check_image (kernel) != GRUB_ERR_NONE)
++    goto fail;
++  if (parse_pe_header (kernel, &kernel_size, &handover_offset, &align) != GRUB_ERR_NONE)
++    goto fail;
++  grub_dprintf ("linux", "kernel mem size     : %lld\n", (long long) kernel_size);
++  grub_dprintf ("linux", "kernel entry offset : %d\n", handover_offset);
++  grub_dprintf ("linux", "kernel alignment    : 0x%x\n", align);
++
++  grub_loader_unset();
++
++  kernel_alloc_pages = GRUB_EFI_BYTES_TO_PAGES (kernel_size + align - 1);
++  kernel_alloc_addr = grub_efi_allocate_any_pages (kernel_alloc_pages);
++  grub_dprintf ("linux", "kernel numpages: %d\n", kernel_alloc_pages);
++  if (!kernel_alloc_addr)
++    {
++      grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("out of memory"));
++      goto fail;
++    }
++  kernel_addr = (void *)ALIGN_UP((grub_uint64_t)kernel_alloc_addr, align);
++
++  grub_dprintf ("linux", "kernel @ %p\n", kernel_addr);
++  grub_memcpy (kernel_addr, kernel, grub_min(filelen, kernel_size));
++  if (kernel_size > filelen)
++    grub_memset ((char *)kernel_addr + filelen, 0, kernel_size - filelen);
++  grub_free(kernel);
++  kernel = NULL;
+ 
+   cmdline_size = grub_loader_cmdline_size (argc, argv) + sizeof (LINUX_IMAGE);
+   linux_args = grub_malloc (cmdline_size);
+@@ -419,6 +449,9 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+     }
+ 
+ fail:
++  if (kernel)
++    grub_free (kernel);
++
+   if (file)
+     grub_file_close (file);
+ 
+@@ -431,9 +464,8 @@ fail:
+   if (linux_args && !loaded)
+     grub_free (linux_args);
+ 
+-  if (kernel_addr && !loaded)
+-    grub_efi_free_pages ((grub_addr_t) kernel_addr,
+-			 GRUB_EFI_BYTES_TO_PAGES (kernel_size));
++  if (kernel_alloc_addr && !loaded)
++    grub_efi_free_pages ((grub_addr_t) kernel_alloc_addr, kernel_alloc_pages);
+ 
+   return grub_errno;
+ }
+-- 
+2.23.0

grub.patches

@@ -353,3 +353,8 @@ Patch0352: backport-0079-efi-tpm-Fix-typo-in-grub_efi_tpm2_protocol-struct.patch
 Patch0353: backport-0080-misc-Add-parentheses-around-ALIGN_UP-and-ALIGN_DOWN-.patch
 Patch0354: backport-0081-verifiers-Fix-calling-uninitialized-function-pointer.patch
 Patch0355: backport-templates-Fix-bad-test-on-GRUB_DISABLE_SUBMENU.patch
+Patch0356: grub2-set-password-prompts-to-enter-the-current-pass.patch
+Patch0357: support-TPM2.0.patch
+Patch0358: use-default-timestamp.patch
+Patch0359: backport-arm64-Fix-EFI-loader-kernel-image-allocation.patch
+Patch0360: backport-Arm-check-for-the-PE-magic-for-the-compiled-arch.patch

grub2-set-password-prompts-to-enter-the-current-pass.patch

@@ -0,0 +1,302 @@
+From 5099013778b2433a4dee3ae5e4826d8add1c1fb7 Mon Sep 17 00:00:00 2001
+From: liuxin <liuxin264@huawei.com>
+Date: Thu, 2 Sep 2021 17:30:39 +0800
+Subject: [PATCH] grub2-set-password prompts to enter the current password and
+ add the password complexity check
+
+---
+ util/grub-mkpasswd-pbkdf2.c |  95 +++++++++++++++++++++++++++++-
+ util/grub-set-password.in   | 114 ++++++++++++++++++++++++++++++++++++
+ 2 files changed, 207 insertions(+), 2 deletions(-)
+
+diff --git a/util/grub-mkpasswd-pbkdf2.c b/util/grub-mkpasswd-pbkdf2.c
+index 5805f3c..68c2032 100644
+--- a/util/grub-mkpasswd-pbkdf2.c
++++ b/util/grub-mkpasswd-pbkdf2.c
+@@ -42,10 +42,14 @@
+ 
+ #include "progname.h"
+ 
++#define GRUB_PARAM_ERROR 1
++#define GRUB_PARAM_SUCCESS 0
++
+ static struct argp_option options[] = {
+   {"iteration-count",  'c', N_("NUM"), 0, N_("Number of PBKDF2 iterations"), 0},
+   {"buflen",  'l', N_("NUM"), 0, N_("Length of generated hash"), 0},
+   {"salt",  's', N_("NUM"), 0, N_("Length of salt"), 0},
++  {"salt arg",  'a', N_("VARCHAR"), 0, N_("preset salt var(hex code)"), 0},
+   { 0, 0, 0, 0, 0, 0 }
+ };
+ 
+@@ -54,8 +58,45 @@ struct arguments
+   unsigned int count;
+   unsigned int buflen;
+   unsigned int saltlen;
++  char * salt;
+ };
+ 
++static int illegal_char(char t)
++{
++  int illegal = GRUB_PARAM_ERROR;
++  char legal[] = "0123456789ABCDEF";
++  for (int i = 0; i < grub_strlen(legal); ++i) {
++    if (t == legal[i]) {
++      illegal = GRUB_PARAM_SUCCESS;
++      break;
++    }
++  }
++  return illegal;
++}
++
++static int check_salt_verify(const char * arg)
++{
++  grub_size_t len = grub_strlen(arg);
++  if (len <= 0 || len >= GRUB_SIZE_MAX)
++  {
++    fprintf(stderr, "salt length may be empty or too long!\n");
++    return GRUB_PARAM_ERROR;
++  }
++  if (len % 2 != 0)
++  {
++    fprintf(stderr, "the salt value length is an even number!\n");
++    return GRUB_PARAM_ERROR;
++  }
++  for (int i = 0; i < len; ++i)
++  {
++    if (illegal_char(arg[i]))
++    {
++      return GRUB_PARAM_ERROR;
++    }
++  }
++  return GRUB_PARAM_SUCCESS;
++}
++
+ static error_t
+ argp_parser (int key, char *arg, struct argp_state *state)
+ {
+@@ -76,6 +117,16 @@ argp_parser (int key, char *arg, struct argp_state *state)
+     case 's':
+       arguments->saltlen = strtoul (arg, NULL, 0);
+       break;
++
++    case 'a':
++      if (check_salt_verify(arg))
++      {
++        fprintf(stderr, "only hexadecimal numbers consisting of digits and uppercase letters are supported\n");
++        return ARGP_ERR_UNKNOWN;
++      }
++      arguments->saltlen = grub_strlen(arg) / 2;
++      arguments->salt = arg;
++      break;
+     default:
+       return ARGP_ERR_UNKNOWN;
+     }
+@@ -110,13 +161,44 @@ hexify (char *hex, grub_uint8_t *bin, grub_size_t n)
+   *hex = 0;
+ }
+ 
++static void
++hextobyte(const char *hex, grub_uint8_t *bin, grub_size_t n)
++{
++    while(n)
++    {
++        grub_uint8_t tmp = 0x00;
++        if (((*hex) <= '9') && ((*hex) >= '0'))
++        {
++            tmp += (grub_uint8_t)((*hex) - '0') << 4 & 0xf0;
++        }
++        else
++        {
++            tmp += (grub_uint8_t)((*hex) - 'A' + 10) << 4 & 0xf0;
++        }
++        hex++;
++        if (((*hex) <= '9') && ((*hex) >= '0'))
++        {
++            tmp += (grub_uint8_t)((*hex) - '0') & 0x0f;
++        }
++        else
++        {
++            tmp += (grub_uint8_t)((*hex) - 'A' + 10) & 0x0f;
++        }
++        *bin = tmp;
++        bin++;
++        hex++;
++        n -= 2;
++    }
++}
++
+ int
+ main (int argc, char *argv[])
+ {
+   struct arguments arguments = {
+     .count = 10000,
+     .buflen = 64,
+-    .saltlen = 64
++    .saltlen = 64,
++    .salt = NULL
+   };
+   char *result, *ptr;
+   gcry_err_code_t gcry_err;
+@@ -133,6 +215,12 @@ main (int argc, char *argv[])
+       exit(1);
+     }
+ 
++  if (arguments.salt != NULL && grub_strlen(arguments.salt) != 2 * arguments.saltlen)
++  {
++    fprintf(stderr, "%s", _("If the -a parameter is set, don't set the -s parameter again\n"));
++    exit(1);
++  }
++
+   buf = xmalloc (arguments.buflen);
+   salt = xmalloc (arguments.saltlen);
+   
+@@ -161,7 +249,10 @@ main (int argc, char *argv[])
+     }
+   memset (pass2, 0, sizeof (pass2));
+ 
+-  if (grub_get_random (salt, arguments.saltlen))
++  if (arguments.salt != NULL)
++  {
++    hextobyte(arguments.salt, salt, arguments.saltlen * 2);
++  } else if (grub_get_random (salt, arguments.saltlen))
+     {
+       memset (pass1, 0, sizeof (pass1));
+       free (buf);
+diff --git a/util/grub-set-password.in b/util/grub-set-password.in
+index 487fbb1..3d0be26 100644
+--- a/util/grub-set-password.in
++++ b/util/grub-set-password.in
+@@ -87,16 +87,130 @@ fixtty() {
+ }
+ 
+ trap fixtty EXIT
++
++getsaltpass() {
++	local P0
++	local P1
++	P0="$1" && shift
++	P1="$1" && shift
++	P2="$1" && shift
++
++	( echo ${P0} ; echo ${P1} ) | \
++    	LC_ALL=C ${grub_mkpasswd} -a ${P2} | \
++    	grep -v '[eE]nter password:' | \
++    	sed -e "s/PBKDF2 hash of your password is //"
++}
++
++verifyusercfgoldpasswd() {
++    # get old password salt
++    expectsalt=`cat ${grubdir}/user.cfg | cut -d "." -f 5`
++    # get expect password
++    expectpass=`cat ${grubdir}/user.cfg`
++    prefix="GRUB2_PASSWORD="
++
++    stty -echo
++    echo -n "Enter Current password: "
++    read PASSWORD_CURRENT
++    echo
++
++    needcheckpass="${prefix}$(getsaltpass "${PASSWORD_CURRENT}" "${PASSWORD_CURRENT}" "${expectsalt}")"
++    if [ "$expectpass" != "$needcheckpass" ]; then
++        echo "Authentication failed"
++        exit 1
++    fi
++
++    stty ${ttyopt}
++}
++
++verifygrubcfgoldpasswd() {
++    # get old password line
++    expectpass=`cat ${grubdir}/grub.cfg | grep "password_pbkdf2 root grub.pbkdf2.sha512" | cut -d " " -f 3`
++    # if not get password, try a quotation mark match
++    if [ -z "$expectpass" ];then
++        expectpass=`cat ${grubdir}/grub.cfg | grep "password_pbkdf2 root \"grub.pbkdf2.sha512" | cut -d " " -f 3 | cut -d "\"" -f 2`
++    fi
++    if [ -z "$expectpass" ];then
++        expectpass=`cat ${grubdir}/grub.cfg | grep "password_pbkdf2 root 'grub.pbkdf2.sha512" | cut -d " " -f 3 | cut -d "'" -f 2`
++    fi
++    if [ -n "$expectpass" ];then
++        # get old password salt
++        expectsalt=`echo ${expectpass} | cut -d "." -f 5`
++        stty -echo
++        echo -n "Enter Current password: "
++        read PASSWORD_CURRENT
++        echo
++
++        needcheckpass="$(getsaltpass "${PASSWORD_CURRENT}" "${PASSWORD_CURRENT}" "${expectsalt}")"
++        if [ "$expectpass" != "$needcheckpass" ]; then
++            echo "Authentication failed"
++            exit 1
++        fi
++    fi
++
++}
++
++if [ -e ${grubdir}/user.cfg ];then
++    verifyusercfgoldpasswd
++else
++    verifygrubcfgoldpasswd
++fi
++
++checkcomplexity() {
++    set +e
++    USERNAME=`cat ${grubdir}/grub.cfg | grep "set superusers=" | cut -d "\"" -f 2 |tail -1`
++    local P1="$1" && shift
++    if [ "$P1" = "$USERNAME" ];then
++        echo "The password contains the user name in some form"
++        exit 1
++    fi
++    # password len >= 8
++    strlen=`echo "$P1" | grep -E '^(.{8,}).*$'`
++    if [ -z "$strlen" ];then
++        echo "The password is shorter than 8 characters"
++        exit 1
++    fi
++    # lowercase
++    strlow=`echo "$P1" | grep -E --color '^(.*[a-z]+).*$'`
++    # uppercase
++    strupp=`echo $P1 | grep -E --color '^(.*[A-Z]).*$'`
++    # special character
++    strts=`echo $P1 | grep -E --color '^(.*\W).*$'`
++    # num
++    strnum=`echo $P1 | grep -E --color '^(.*[0-9]).*$'`
++    complexity=0
++    if [ -n "$strlow" ];then
++        complexity=`expr $complexity + 1`
++    fi
++    if [ -n "$strupp" ];then
++        complexity=`expr $complexity + 1`
++    fi
++    if [ -n "$strts" ];then
++        complexity=`expr $complexity + 1`
++    fi
++    if [ -n "$strnum" ];then
++        complexity=`expr $complexity + 1`
++    fi
++    if [ $complexity -lt 3 ];then
++        echo "The password contains less than 3 character classes"
++        exit 1
++    fi
++    set -e
++}
++
+ stty -echo
+ 
+ # prompt & confirm new grub2 root user password
+ echo -n "Enter password: "
+ read PASSWORD
+ echo
++stty ${ttyopt}
++checkcomplexity $PASSWORD
++stty -echo
+ echo -n "Confirm password: "
+ read PASSWORD_CONFIRM
+ echo
+ stty ${ttyopt}
++checkcomplexity $PASSWORD_CONFIRM
+ 
+ getpass() {
+     local P0
+-- 
+2.23.0
+

grub2.spec

@@ -8,7 +8,7 @@
 Name:		grub2
 Epoch:		1
 Version:	2.04
-Release:	22
+Release:	24
 Summary:	Bootloader with support for Linux, Multiboot and more
 License:	GPLv3+
 URL:		http://www.gnu.org/software/grub/
@@ -450,12 +450,26 @@ rm -r /boot/grub2.tmp/ || :
 %{_datadir}/man/man*
 
 %changelog
-* Sat Feb 26 2022 zhangqiumiao <zhangqiumiao1@huawei.com> - 2.04-22
+* Sat Feb 26 2022 yanan <yanan@huawei.com> - 2.04-24
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:Fix arm64 kernel image not aligned on 64k boundary
+
+* Sat Feb 26 2022 zhangqiumiao <zhangqiumiao1@huawei.com> - 2.04-23
 - Type:bugfix
 - CVE:NA
 - SUG:NA
 - DESC:disable grub-boot-success.service
 
+* Fri Nov 26 2021 xihaochen<xihaochen@huawei.com> - 2.04-22
+- Type:bugfix
+- ID:NA
+- SUG:NA
+  DESC:grub2 set password prompts to enter the current pass
+       support TPM2.0
+       use default timestamp
+
 * Tue Nov 16 2021 fengtao <fengtao40@huawei.com> - 2.04-21
 - Type:bugfix
 - ID:NA

support-TPM2.0.patch

@@ -0,0 +1,96 @@
+From c4c243d19d77cab3591f0272c8e36619ccbbddf3 Mon Sep 17 00:00:00 2001
+From: gaoyusong <gaoyusong1@huawei.com>
+Date: Thu, 13 May 2021 18:34:23 +0800
+Subject: [PATCH] support TPM2.0
+
+---
+ grub-core/kern/verifiers.c | 25 +++++++++++++++++++------
+ grub-core/script/execute.c | 12 +++++++++++-
+ 2 files changed, 30 insertions(+), 7 deletions(-)
+
+diff --git a/grub-core/kern/verifiers.c b/grub-core/kern/verifiers.c
+index aa3dc7c..dfd73e5 100644
+--- a/grub-core/kern/verifiers.c
++++ b/grub-core/kern/verifiers.c
+@@ -84,9 +84,16 @@ grub_verifiers_open (grub_file_t io, enum grub_file_type type)
+   grub_file_t ret = 0;
+   grub_err_t err;
+   int defer = 0;
++  int grub_env_flag = 0;
++  char *ptr = NULL;
+ 
+   grub_dprintf ("verify", "file: %s type: %d\n", io->name, type);
+ 
++  ptr = grub_strstr(io->name, "grubenv");
++  if (ptr) {
++    grub_env_flag = 1;
++  }
++
+   if ((type & GRUB_FILE_TYPE_MASK) == GRUB_FILE_TYPE_SIGNATURE
+       || (type & GRUB_FILE_TYPE_MASK) == GRUB_FILE_TYPE_VERIFY_SIGNATURE
+       || (type & GRUB_FILE_TYPE_SKIP_SIGNATURE))
+@@ -148,6 +155,8 @@ grub_verifiers_open (grub_file_t io, enum grub_file_type type)
+   verified->buf = grub_malloc (ret->size);
+   if (!verified->buf)
+     {
++      grub_error (GRUB_ERR_OUT_OF_MEMORY,
++            "cannot allocate verified buffer, the %s is too large\n", io->name);
+       goto fail;
+     }
+   if (grub_file_read (io, verified->buf, ret->size) != (grub_ssize_t) ret->size)
+@@ -158,9 +167,11 @@ grub_verifiers_open (grub_file_t io, enum grub_file_type type)
+       goto fail;
+     }
+ 
+-  err = ver->write (context, verified->buf, ret->size);
+-  if (err)
+-    goto fail;
++  if (!grub_env_flag) {
++    err = ver->write (context, verified->buf, ret->size);
++    if (err)
++      goto fail;
++  }
+ 
+   err = ver->fini ? ver->fini (context) : GRUB_ERR_NONE;
+   if (err)
+@@ -179,9 +190,11 @@ grub_verifiers_open (grub_file_t io, enum grub_file_type type)
+ 	  /* Verification done earlier. So, we are happy here. */
+ 	  flags & GRUB_VERIFY_FLAGS_DEFER_AUTH)
+ 	continue;
+-      err = ver->write (context, verified->buf, ret->size);
+-      if (err)
+-	goto fail;
++      if (!grub_env_flag) {
++        err = ver->write (context, verified->buf, ret->size);
++        if (err)
++          goto fail;
++      }
+ 
+       err = ver->fini ? ver->fini (context) : GRUB_ERR_NONE;
+       if (err)
+diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c
+index 0c6dd9c..3e761c4 100644
+--- a/grub-core/script/execute.c
++++ b/grub-core/script/execute.c
+@@ -1002,7 +1002,17 @@ grub_script_execute_cmdline (struct grub_script_cmd *cmd)
+ 			       argv.args[i]);
+     }
+   cmdstring[cmdlen - 1] = '\0';
+-  grub_verify_string (cmdstring, GRUB_VERIFY_COMMAND);
++
++  if (grub_strncmp(cmdstring, "[ 0 = 1 ]", 9) == 0) {
++    char res_str[] = "[  = 1 ]";
++    grub_verify_string (res_str, GRUB_VERIFY_COMMAND);
++  } else if (grub_strncmp(cmdstring, "[ 0 = 1 -o  = 1 ]", 17) == 0) {
++    char res_str[] = "[  = 1 -o  = 1 ]";
++    grub_verify_string (res_str, GRUB_VERIFY_COMMAND);
++  } else {
++    grub_verify_string (cmdstring, GRUB_VERIFY_COMMAND);
++  }
++
+   grub_free (cmdstring);
+   invert = 0;
+   argc = argv.argc - 1;
+-- 
+2.19.1
+

use-default-timestamp.patch

@@ -0,0 +1,57 @@
+From 8922ea771163655f1d5dc8da589a6291976ae489 Mon Sep 17 00:00:00 2001
+From: zhouyihang <zhouyihang3@huawei.com>
+Date: Thu, 10 Jun 2021 20:01:54 +0800
+Subject: [PATCH] huawei use default timestamp
+
+---
+ docs/grub-dev.texi | 4 ++--
+ docs/grub.texi     | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/docs/grub-dev.texi b/docs/grub-dev.texi
+index f488e82..355764a 100644
+--- a/docs/grub-dev.texi
++++ b/docs/grub-dev.texi
+@@ -18,7 +18,7 @@
+ 
+ @copying
+ This developer manual is for GNU GRUB (version @value{VERSION},
+-@value{UPDATED}).
++24 June 2019).
+ 
+ Copyright @copyright{} 1999,2000,2001,2002,2004,2005,2006,2008,2009,2010,2011 Free Software Foundation, Inc.
+ 
+@@ -40,7 +40,7 @@ Invariant Sections.
+ @titlepage
+ @sp 10
+ @title the GNU GRUB developer manual
+-@subtitle The GRand Unified Bootloader, version @value{VERSION}, @value{UPDATED}.
++@subtitle The GRand Unified Bootloader, version @value{VERSION}, 24 June 2019.
+ @author Yoshinori K. Okuji
+ @author Colin D Bennett
+ @author Vesa Jääskeläinen
+diff --git a/docs/grub.texi b/docs/grub.texi
+index 262388c..41c1a89 100644
+--- a/docs/grub.texi
++++ b/docs/grub.texi
+@@ -18,7 +18,7 @@
+ 
+ @copying
+ This manual is for GNU GRUB (version @value{VERSION},
+-@value{UPDATED}).
++24 June 2019).
+ 
+ Copyright @copyright{} 1999,2000,2001,2002,2004,2006,2008,2009,2010,2011,2012,2013 Free Software Foundation, Inc.
+ 
+@@ -48,7 +48,7 @@ Invariant Sections.
+ @titlepage
+ @sp 10
+ @title the GNU GRUB manual
+-@subtitle The GRand Unified Bootloader, version @value{VERSION}, @value{UPDATED}.
++@subtitle The GRand Unified Bootloader, version @value{VERSION}, 24 June 2019.
+ @author Gordon Matzigkeit
+ @author Yoshinori K. Okuji
+ @author Colin Watson
+-- 
+2.27.0
+