Merge pull request #21928 from medhefgo/boot-meson

meson: Boot

hwdb.d/60-keyboard.hwdb

@@ -569,8 +569,8 @@ evdev:atkbd:dmi:bvn*:bvr*:svnHP*:pnHPElitex21013G3:*
  KEYBOARD_KEY_92=brightnessdown
  KEYBOARD_KEY_97=brightnessup
 
-# HP Laptop15s-eq0xxx
-evdev:atkbd:dmi:bvn*:bvr*:svnHP*:pnHPLaptop15s-eq0*:*
+# HP Laptop 15s-eq0023nl
+evdev:atkbd:dmi:bvn*:bvr*:svnHP*:pnHPLaptop15s-eq0*:sku9MG38EA#ABZ:*
  KEYBOARD_KEY_9d=102nd                                  # Greater than/Less than
 
 # Elitebook

meson_options.txt

@@ -418,8 +418,6 @@ option('dbus', type : 'combo', choices : ['auto', 'true', 'false'],
 
 option('gnu-efi', type : 'combo', choices : ['auto', 'true', 'false'],
        description : 'gnu-efi support for sd-boot')
-option('efi-cc', type : 'array',
-       description : 'the compiler to use for EFI modules')
 # Note that LLD does not support PE/COFF relocations
 # https://lists.llvm.org/pipermail/llvm-dev/2021-March/149234.html
 option('efi-ld', type : 'combo', choices : ['auto', 'bfd', 'gold'],

src/boot/efi/fuzz-bcd.c

@@ -0,0 +1,26 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#include "alloc-util.h"
+#include "fd-util.h"
+#include "fuzz.h"
+#include "utf8.h"
+
+#include "bcd.c"
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+        _cleanup_free_ void *p = NULL;
+
+        /* This limit was borrowed from src/boot/efi/boot.c */
+        if (size > 100*1024)
+                return 0;
+
+        if (!getenv("SYSTEMD_LOG_LEVEL"))
+                log_set_max_level(LOG_CRIT);
+
+        p = memdup(data, size);
+        assert_se(p);
+
+        char16_t *title = get_bcd_title(p, size);
+        assert_se(!title || char16_strlen(title) >= 0);
+        return 0;
+}

src/boot/efi/meson.build

@@ -43,11 +43,7 @@ if not cc.has_header_symbol('efi.h', 'EFI_IMAGE_MACHINE_X64',
         subdir_done()
 endif
 
-objcopy = find_program('objcopy')
-efi_cc = get_option('efi-cc')
-if efi_cc.length() == 0
-        efi_cc = cc.cmd_array()
-endif
+objcopy = run_command(cc.cmd_array(), '-print-prog-name=objcopy', check: true).stdout().strip()
 
 efi_ld = get_option('efi-ld')
 if efi_ld == 'auto'
@@ -62,7 +58,7 @@ efi_libdir = ''
 foreach dir : [get_option('efi-libdir'),
                '/usr/lib/gnuefi' / efi_arch[0],
                run_command('realpath', '-e',
-                        '/usr/lib' / run_command(efi_cc, '-print-multi-os-directory').stdout().strip()).stdout().strip()]
+                        '/usr/lib' / run_command(cc.cmd_array(), '-print-multi-os-directory').stdout().strip()).stdout().strip()]
         if dir != '' and fs.is_dir(dir)
                 efi_libdir = dir
                 break
@@ -275,15 +271,13 @@ if run_command('grep', '-q', '__CTOR_LIST__', efi_lds).returncode() == 0
         ]
 endif
 
-efi_cc_version = run_command(efi_cc, '--version').stdout().split('\n')[0]
-if efi_cc_version.contains('clang') and efi_cc_version.split('.')[0].split(' ')[-1].to_int() <= 10
+if cc.get_id() == 'clang' and cc.version().split('.')[0].to_int() <= 10
         # clang <= 10 doesn't pass -T to the linker and then even complains about it being unused
         efi_ldflags += ['-Wl,-T,' + efi_lds, '-Wno-unused-command-line-argument']
 endif
 
 summary({
         'EFI machine type' :                efi_arch[0],
-        'EFI CC' :                          '@0@'.format(' '.join(efi_cc)),
         'EFI LD' :                          efi_ld,
         'EFI lds' :                         efi_lds,
         'EFI crt0' :                        efi_crt0,
@@ -360,6 +354,9 @@ if efi_arch[1] in ['ia32', 'x86_64', 'arm', 'aarch64']
                  [],
                  'HAVE_ZSTD'],
         ]
+        fuzzers += [
+                [['src/boot/efi/fuzz-bcd.c']],
+        ]
 endif
 
 systemd_boot_objects = []
@@ -368,7 +365,7 @@ foreach file : fundamental_source_paths + common_sources + systemd_boot_sources
         o_file = custom_target(file.split('/')[-1] + '.o',
                                input : file,
                                output : file.split('/')[-1] + '.o',
-                               command : [efi_cc, '-c', '@INPUT@', '-o', '@OUTPUT@', efi_cflags],
+                               command : [cc.cmd_array(), '-c', '@INPUT@', '-o', '@OUTPUT@', efi_cflags],
                                depend_files : efi_headers + fundamental_headers)
         if (fundamental_source_paths + common_sources + systemd_boot_sources).contains(file)
                 systemd_boot_objects += o_file
@@ -389,7 +386,7 @@ foreach tuple : [['systemd_boot.so', systemd_boot_efi_name, systemd_boot_objects
                 tuple[0],
                 input : tuple[2],
                 output : tuple[0],
-                command : [efi_cc, '-o', '@OUTPUT@', efi_ldflags, efi_cflags, tuple[2], '-lefi', '-lgnuefi', '-lgcc'],
+                command : [cc.cmd_array(), '-o', '@OUTPUT@', efi_ldflags, efi_cflags, tuple[2], '-lefi', '-lgnuefi', '-lgcc'],
                 install : tuple[3],
                 install_dir : bootlibdir)
 

src/fundamental/efivars-fundamental.c

@@ -4,6 +4,7 @@
 
 static const sd_char * const table[_SECURE_BOOT_MAX] = {
         [SECURE_BOOT_UNSUPPORTED] = STR_C("unsupported"),
+        [SECURE_BOOT_DISABLED]    = STR_C("disabled"),
         [SECURE_BOOT_UNKNOWN]     = STR_C("unknown"),
         [SECURE_BOOT_AUDIT]       = STR_C("audit"),
         [SECURE_BOOT_DEPLOYED]    = STR_C("deployed"),
@@ -31,6 +32,11 @@ SecureBootMode decode_secure_boot_mode(
         if (!secure && !deployed && !audit && setup)
                 return SECURE_BOOT_SETUP;
 
+        /* Some firmware allows disabling secure boot while not being in
+         * setup mode unless the PK is cleared. */
+        if (!secure && !deployed && !audit && !setup)
+                return SECURE_BOOT_DISABLED;
+
         /* Well, this should not happen. */
         return SECURE_BOOT_UNKNOWN;
 }

src/fundamental/efivars-fundamental.h

@@ -19,6 +19,7 @@
 
 typedef enum SecureBootMode {
         SECURE_BOOT_UNSUPPORTED,
+        SECURE_BOOT_DISABLED,
         SECURE_BOOT_UNKNOWN,
         SECURE_BOOT_AUDIT,
         SECURE_BOOT_DEPLOYED,

tools/oss-fuzz.sh

@@ -36,6 +36,13 @@ else
     apt-get install -y gperf m4 gettext python3-pip \
         libcap-dev libmount-dev libkmod-dev \
         pkg-config wget python3-jinja2
+
+    # gnu-efi is installed here to enable -Dgnu-efi behind which fuzz-bcd
+    # is hidden. It isn't linked against efi. It doesn't
+    # even include "efi.h" because "bcd.c" can work in "unit test" mode
+    # where it isn't necessary.
+    apt-get install -y gnu-efi zstd
+
     pip3 install -r .github/workflows/requirements.txt --require-hashes
 
     # https://github.com/google/oss-fuzz/issues/6868
@@ -43,7 +50,8 @@ else
     export PYTHONPATH="$ORIG_PYTHONPATH:/usr/lib/python3/dist-packages/"
 
     if [[ "$SANITIZER" == undefined ]]; then
-        UBSAN_FLAGS="-fsanitize=pointer-overflow -fno-sanitize-recover=pointer-overflow"
+        additional_ubsan_checks=pointer-overflow,alignment
+        UBSAN_FLAGS="-fsanitize=$additional_ubsan_checks -fno-sanitize-recover=$additional_ubsan_checks"
         CFLAGS="$CFLAGS $UBSAN_FLAGS"
         CXXFLAGS="$CXXFLAGS $UBSAN_FLAGS"
     fi
@@ -56,6 +64,15 @@ fi
 
 ninja -v -C "$build" fuzzers
 
+# Compressed BCD files are kept in test/test-bcd so let's unpack them
+# and put them all in the seed corpus.
+bcd=$(mktemp -d)
+for i in test/test-bcd/*.zst; do
+     unzstd "$i" -o "$bcd/$(basename "${i%.zst}")";
+done
+zip -jqr "$OUT/fuzz-bcd_seed_corpus.zip" "$bcd"
+rm -rf "$bcd"
+
 # The seed corpus is a separate flat archive for each fuzzer,
 # with a fixed name ${fuzzer}_seed_corpus.zip.
 for d in "$(dirname "$0")/../test/fuzz/fuzz-"*; do