697afdea43
NOTE: This cherry-pick also imports the following patches from lbmk master: * a4bc37f12 xhci: configure TT for non-root-hubs * 91130b6d8 xhci: workaround z790 non-root-hub speed detection * 0ce513f44 xhci: fix port indexing * 200404dc3 xHCI: also accept SBRN 0x31 and 0x32 * 8e79cfbb1 grub-core/bus/usb/usbhub: Add xHCI non root hub support These patches are present in the GRUB "xhci" tree, in lbmk. It has been decided that these should be included, as part of the Libreboot20241206rev10 release. NOTE: This also includes the following lbmk changes: *66d084e7f7grub.cfg: scan luks *inside lvm* *5a3b0dab96grub.cfg: Scan *every* LVM device You can find information about the security patches here: https://lists.gnu.org/archive/html/grub-devel/2025-02/msg00024.html GRUB has been on a crusade as of late, to proactively audit and fix many security vulnerabilities. This lbmk change brings in a comprehensive series of patches that fix bugs ranging from possible buffer overflows, use-after frees, null derefs and so on. These changes are critical, so a revision release *will* be issued, for the Libreboot20241206release series. This change imports the following 73 patches which are present on the upstream GRUB repository (commit IDs matched to upstream): * 4dc616657 loader/i386/bsd: Use safe math to avoid underflow * 490a6ab71 loader/i386/linux: Cast left shift to grub_uint32_t * a8d6b0633 kern/misc: Add sanity check after grub_strtoul() call * 8e6e87e79 kern/partition: Add sanity check after grub_strtoul() call * 5b36a5210 normal/menu: Use safe math to avoid an integer overflow * 9907d9c27 bus/usb/ehci: Define GRUB_EHCI_TOGGLE as grub_uint32_t * f8795cde2 misc: Ensure consistent overflow error messages * 66733f7c7 osdep/unix/getroot: Fix potential underflow * d13b6e8eb script/execute: Fix potential underflow and NULL dereference * e3c578a56 fs/sfs: Check if allocated memory is NULL * 1c06ec900 net: Check if returned pointer for allocated memory is NULL * dee2c14fd net: Prevent overflows when allocating memory for arrays * 4beeff8a3 net: Use safe math macros to prevent overflows * dd6a4c8d1 fs/zfs: Add missing NULL check after grub_strdup() call * 13065f69d fs/zfs: Check if returned pointer for allocated memory is NULL * 7f38e32c7 fs/zfs: Prevent overflows when allocating memory for arrays * 88e491a0f fs/zfs: Use safe math macros to prevent overflows * cde9f7f33 fs: Prevent overflows when assigning returned values from read_number() * 84bc0a9a6 fs: Prevent overflows when allocating memory for arrays * 6608163b0 fs: Use safe math macros to prevent overflows * fbaddcca5 disk/ieee1275/ofdisk: Call grub_ieee1275_close() when grub_malloc() fails * 33bd6b5ac disk: Check if returned pointer for allocated memory is NULL * d8151f983 disk: Prevent overflows when allocating memory for arrays * c407724da disk: Use safe math macros to prevent overflows * c4bc55da2 fs: Disable many filesystems under lockdown * 26db66050 fs/bfs: Disable under lockdown * 5f31164ae commands/hexdump: Disable memory reading in lockdown mode * 340e4d058 commands/memrw: Disable memory reading in lockdown mode * 34824806a commands/minicmd: Block the dump command in lockdown mode * c68b7d236 commands/test: Stack overflow due to unlimited recursion depth * dad8f5029 commands/read: Fix an integer overflow when supplying more than 2^31 characters * b970a5ed9 gettext: Integer overflow leads to heap OOB write * 09bd6eb58 gettext: Integer overflow leads to heap OOB write or read * 7580addfc gettext: Remove variables hooks on module unload * 9c1619773 normal: Remove variables hooks on module unload * 2123c5bca commands/pgp: Unregister the "check_signatures" hooks on module unload * 0bf56bce4 commands/ls: Fix NULL dereference * 05be856a8 commands/extcmd: Missing check for failed allocation * 98ad84328 kern/dl: Check for the SHF_INFO_LINK flag in grub_dl_relocate_symbols() * d72208423 kern/dl: Use correct segment in grub_dl_set_mem_attrs() * 500e5fdd8 kern/dl: Fix for an integer overflow in grub_dl_ref() * 2c34af908 video/readers/jpeg: Do not permit duplicate SOF0 markers in JPEG * 0707accab net/tftp: Fix stack buffer overflow in tftp_open() * 5eef88152 net: Fix OOB write in grub_net_search_config_file() * aa8b4d7fa net: Remove variables hooks when interface is unregisted * a1dd8e59d net: Unregister net_default_ip and net_default_mac variables hooks on unload * d8a937cca script/execute: Limit the recursion depth * 8a7103fdd kern/partition: Limit recursion in part_iterate() * 18212f064 kern/disk: Limit recursion depth * 67f70f70a disk/loopback: Reference tracking for the loopback * 13febd78d disk/cryptodisk: Require authentication after TPM unlock for CLI access * 16f196874 kern/file: Implement filesystem reference counting * a79106872 kern/file: Ensure file->data is set * d1d6b7ea5 fs/xfs: Ensuring failing to mount sets a grub_errno * 6ccc77b59 fs/xfs: Fix out-of-bounds read * 067b6d225 fs/ntfs: Implement attribute verification * 048777bc2 fs/ntfs: Use a helper function to access attributes * 237a71184 fs/ntfs: Track the end of the MFT attribute buffer * aff263187 fs/ntfs: Fix out-of-bounds read * 7e2f750f0 fs/ext2: Fix out-of-bounds read for inline extents * edd995a26 fs/jfs: Inconsistent signed/unsigned types usage in return values * bd999310f fs/jfs: Use full 40 bits offset and address for a data extent * ab09fd053 fs/jfs: Fix OOB read caused by invalid dir slot index * 66175696f fs/jfs: Fix OOB read in jfs_getent() * 1443833a9 fs/iso9660: Fix invalid free * 965db5970 fs/iso9660: Set a grub_errno if mount fails * f7c070a2e fs/hfsplus: Set a grub_errno if mount fails * 563436258 fs/f2fs: Set a grub_errno if mount fails * 0087bc690 fs/tar: Integer overflow leads to heap OOB write * 2c8ac08c9 fs/tar: Initialize name in grub_cpio_find_file() * 417547c10 fs/hfs: Fix stack OOB write with grub_strcpy() * c1a291b01 fs/ufs: Fix a heap OOB write * ea703528a misc: Implement grub_strlcpy() Signed-off-by: Leah Rowe <leah@libreboot.org>
Libreboot
Find libreboot documentation at https://libreboot.org/
The libreboot project provides
libre boot
firmware that initializes the hardware (e.g. memory controller, CPU,
peripherals) on specific Intel/AMD x86 and ARM targets, which
then starts a bootloader for your operating system. Linux/BSD are
well-supported. It replaces proprietary BIOS/UEFI firmware. Help is available
via #libreboot IRC
on Libera IRC.
Why use Libreboot?
Why should you use libreboot?
Libreboot gives you freedoms that you otherwise can't get with most other boot firmware. It's extremely powerful and configurable for many use cases.
You have rights. The right to privacy, freedom of thought, freedom of speech and the right to read. In this context, Libreboot gives you these rights. Your freedom matters. Right to repair matters. Many people use proprietary (non-libre) boot firmware, even if they use a libre OS. Proprietary firmware often contains backdoors (more info on the FAQ), and it and can be buggy. The libreboot project was founded in December 2013, with the express purpose of making coreboot firmware accessible for non-technical users.
The libreboot project uses coreboot for hardware
initialisation.
Coreboot is notoriously difficult to install for most non-technical users; it
handles only basic initialization and jumps to a separate
payload program (e.g.
GRUB,
Tianocore), which must also be configured.
The libreboot software solves this problem; it is a coreboot distribution with
an automated build system (named lbmk) that builds complete ROM images, for
more robust installation. Documentation is provided.
How does Libreboot differ from coreboot?
In the same way that Debian is a GNU+Linux distribution, libreboot is
a coreboot distribution. If you want to build a ROM image from scratch, you
otherwise have to perform expert-level configuration of coreboot, GRUB and
whatever other software you need, to prepare the ROM image. With libreboot,
you can literally download from Git or a source archive, and run make, and it
will build entire ROM images. An automated build system, named lbmk
(Libreboot MaKe), builds these ROM images automatically, without any user input
or intervention required. Configuration has already been performed in advance.
If you were to build regular coreboot, without using libreboot's automated build system, it would require a lot more intervention and decent technical knowledge to produce a working configuration.
Regular binary releases of libreboot provide these
ROM images pre-compiled, and you can simply install them, with no special
knowledge or skill except the ability to follow installation instructions
and run commands BSD/Linux.
Project goals
- Support as much hardware as possible! Libreboot aims to eventually have maintainers for every board supported by coreboot, at every point in time.
- Make coreboot easy to use. Coreboot is notoriously difficult to install, due to an overall lack of user-focused documentation and support. Most people will simply give up before attempting to install coreboot. Libreboot's automated build system and user-friendly installation instructions solves this problem.
Libreboot attempts to bridge this divide by providing a build system automating much of the coreboot image creation and customization. Secondly, the project produces documentation aimed at non-technical users. Thirdly, the project attempts to provide excellent user support via IRC.
Libreboot already comes with a payload (GRUB), flashprog and other needed parts. Everything is fully integrated, in a way where most of the complicated steps that are otherwise required, are instead done for the user in advance.
You can download ROM images for your libreboot system and install them without having to build anything from source. If, however, you are interested in building your own image, the build system makes it relatively easy to do so.
Not a coreboot fork!
Libreboot is not a fork of coreboot. Every so often, the project re-bases on the latest version of coreboot, with the number of custom patches in use minimized. Tested, stable (static) releases are then provided in Libreboot, based on specific coreboot revisions.
How to help
You can check bugs listed on the bug tracker.
If you spot a bug and have a fix, the website has instructions for how to send patches, and you can also report it. Also, this entire website is written in Markdown and hosted in a separate repository where you can send patches.
Any and all development discussion and user support are all done on the IRC channel. More information is on https://libreboot.org/contact.html.
LICENSE FOR THIS README
It's just a README file. This README file is released under the terms of the Creative Commons Zero license, version 1.0 of the license, which you can read here:
https://creativecommons.org/publicdomain/zero/1.0/legalcode.txt