2 files changed, 76 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2024-56738.patch b/meta/recipes-bsp/grub/files/CVE-2024-56738.patch
new file mode 100644
index 0000000000..c7b64aa6ed
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2024-56738.patch
@@ -0,0 +1,75 @@
+From 4cef2fc7308b2132317ad166939994f098b41561 Mon Sep 17 00:00:00 2001
+From: Ross Burton <ross.burton@arm.com>
+Date: Tue, 9 Sep 2025 14:23:14 +0100
+Subject: [PATCH] CVE-2024-56738
+Backport an algorithmic change to grub_crypto_memcmp() so that it completes in
+constant time and thus isn't susceptible to side-channel attacks.
+This is a partial backport of grub 0739d24cd
+("libgcrypt: Adjust import script, definitions and API users for libgcrypt 1.11")
+CVE: CVE-2024-56738
+Upstream-Status: Backport [0739d24cd]
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+---
+ grub-core/lib/crypto.c | 23 ++++++++++++++++-------
+ include/grub/crypto.h  |  2 +-
+ 2 files changed, 17 insertions(+), 8 deletions(-)
+diff --git a/grub-core/lib/crypto.c b/grub-core/lib/crypto.c
+index 396f76410..19db7870a 100644
+--- a/grub-core/lib/crypto.c
+++ b/grub-core/lib/crypto.c
+@@ -433,19 +433,28 @@ grub_crypto_gcry_error (gcry_err_code_t in)
+   return GRUB_ACCESS_DENIED;
+ }
+ 
+/*
+ * Compare byte arrays of length LEN, return 1 if it's not same,
+ * 0, otherwise.
+ */
+ int
+-grub_crypto_memcmp (const void *a, const void *b, grub_size_t n)
+grub_crypto_memcmp (const void *b1, const void *b2, grub_size_t len)
+ {
+-  register grub_size_t counter = 0;
+-  const grub_uint8_t *pa, *pb;
+  const grub_uint8_t *a = b1;
+  const grub_uint8_t *b = b2;
+  int ab, ba;
+  grub_size_t i;
+ 
+-  for (pa = a, pb = b; n; pa++, pb++, n--)
+  /* Constant-time compare. */
+  for (i = 0, ab = 0, ba = 0; i < len; i++)
+     {
+-      if (*pa != *pb)
+-       counter++;
+      /* If a[i] != b[i], either ab or ba will be negative. */
+      ab |= a[i] - b[i];
+      ba |= b[i] - a[i];
+     }
+ 
+-  return !!counter;
+  /* 'ab | ba' is negative when buffers are not equal, extract sign bit.  */
+  return ((unsigned int)(ab | ba) >> (sizeof(unsigned int) * 8 - 1)) & 1;
+ }
+ 
+ #ifndef GRUB_UTIL
+diff --git a/include/grub/crypto.h b/include/grub/crypto.h
+index 31c87c302..20ad4c5f7 100644
+--- a/include/grub/crypto.h
+++ b/include/grub/crypto.h
+@@ -393,7 +393,7 @@ grub_crypto_pbkdf2 (const struct gcry_md_spec *md,
+                    grub_uint8_t *DK, grub_size_t dkLen);
+ 
+ int
+-grub_crypto_memcmp (const void *a, const void *b, grub_size_t n);
+grub_crypto_memcmp (const void *b1, const void *b2, grub_size_t len);
+ 
+ int
+ grub_password_get (char buf[], unsigned buf_size);
+-- 
+2.43.0
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index 7c83febaa2..fd671d88ad 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -37,6 +37,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
           file://CVE-2024-45778_CVE-2024-45779.patch \
           file://CVE-2025-0677_CVE-2025-0684_CVE-2025-0685_CVE-2025-0686_CVE-2025-0689.patch \
           file://CVE-2025-0678_CVE-2025-1125.patch \
+           file://CVE-2024-56738.patch \
 "
 SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91"

diff --git a/meta/recipes-bsp/grub/files/CVE-2024-56738.patch b/meta/recipes-bsp/grub/files/CVE-2024-56738.patch new file mode 100644 index 0000000000..c7b64aa6ed --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2024-56738.patch
@@ -0,0 +1,75 @@
		1	From 4cef2fc7308b2132317ad166939994f098b41561 Mon Sep 17 00:00:00 2001
		2	From: Ross Burton <ross.burton@arm.com>
		3	Date: Tue, 9 Sep 2025 14:23:14 +0100
		4	Subject: [PATCH] CVE-2024-56738
		5
		6	Backport an algorithmic change to grub_crypto_memcmp() so that it completes in
		7	constant time and thus isn't susceptible to side-channel attacks.
		8
		9	This is a partial backport of grub 0739d24cd
		10	("libgcrypt: Adjust import script, definitions and API users for libgcrypt 1.11")
		11
		12	CVE: CVE-2024-56738
		13	Upstream-Status: Backport [0739d24cd]
		14	Signed-off-by: Ross Burton <ross.burton@arm.com>
		15	---
		16	grub-core/lib/crypto.c \| 23 ++++++++++++++++-------
		17	include/grub/crypto.h \| 2 +-
		18	2 files changed, 17 insertions(+), 8 deletions(-)
		19
		20	diff --git a/grub-core/lib/crypto.c b/grub-core/lib/crypto.c
		21	index 396f76410..19db7870a 100644
		22	--- a/grub-core/lib/crypto.c
		23	+++ b/grub-core/lib/crypto.c
		24	@@ -433,19 +433,28 @@ grub_crypto_gcry_error (gcry_err_code_t in)
		25	return GRUB_ACCESS_DENIED;
		26	}
		27
		28	+/*
		29	+ * Compare byte arrays of length LEN, return 1 if it's not same,
		30	+ * 0, otherwise.
		31	+ */
		32	int
		33	-grub_crypto_memcmp (const void a, const void b, grub_size_t n)
		34	+grub_crypto_memcmp (const void b1, const void b2, grub_size_t len)
		35	{
		36	- register grub_size_t counter = 0;
		37	- const grub_uint8_t pa, pb;
		38	+ const grub_uint8_t *a = b1;
		39	+ const grub_uint8_t *b = b2;
		40	+ int ab, ba;
		41	+ grub_size_t i;
		42
		43	- for (pa = a, pb = b; n; pa++, pb++, n--)
		44	+ /* Constant-time compare. */
		45	+ for (i = 0, ab = 0, ba = 0; i < len; i++)
		46	{
		47	- if (pa != pb)
		48	- counter++;
		49	+ /* If a[i] != b[i], either ab or ba will be negative. */
		50	+ ab \|= a[i] - b[i];
		51	+ ba \|= b[i] - a[i];
		52	}
		53
		54	- return !!counter;
		55	+ /* 'ab \| ba' is negative when buffers are not equal, extract sign bit. */
		56	+ return ((unsigned int)(ab \| ba) >> (sizeof(unsigned int) * 8 - 1)) & 1;
		57	}
		58
		59	#ifndef GRUB_UTIL
		60	diff --git a/include/grub/crypto.h b/include/grub/crypto.h
		61	index 31c87c302..20ad4c5f7 100644
		62	--- a/include/grub/crypto.h
		63	+++ b/include/grub/crypto.h
		64	@@ -393,7 +393,7 @@ grub_crypto_pbkdf2 (const struct gcry_md_spec *md,
		65	grub_uint8_t *DK, grub_size_t dkLen);
		66
		67	int
		68	-grub_crypto_memcmp (const void a, const void b, grub_size_t n);
		69	+grub_crypto_memcmp (const void b1, const void b2, grub_size_t len);
		70
		71	int
		72	grub_password_get (char buf[], unsigned buf_size);
		73	--
		74	2.43.0
		75


diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 7c83febaa2..fd671d88ad 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc
@@ -37,6 +37,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
37	file://CVE-2024-45778_CVE-2024-45779.patch \	37	file://CVE-2024-45778_CVE-2024-45779.patch \
38	file://CVE-2025-0677_CVE-2025-0684_CVE-2025-0685_CVE-2025-0686_CVE-2025-0689.patch \	38	file://CVE-2025-0677_CVE-2025-0684_CVE-2025-0685_CVE-2025-0686_CVE-2025-0689.patch \
39	file://CVE-2025-0678_CVE-2025-1125.patch \	39	file://CVE-2025-0678_CVE-2025-1125.patch \
		40	file://CVE-2024-56738.patch \
40	"	41	"
41		42
42	SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91"	43	SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91"