Stop having this problem and just copy over the beta tree

Resolves: rhbz#2006784
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
This commit is contained in:
Robbie Harwood 2022-01-04 20:33:19 +00:00
parent 0b61fb6968
commit 161ae8daaf
4 changed files with 152 additions and 48 deletions

View File

@ -74,6 +74,7 @@
%global emuarch %{_arch}
%global grubefiarch %{nil}
%global grublegacyarch %{nil}
%global grubelfname %{nil}
# sparc is always compiled 64 bit
%ifarch %{sparc}
@ -113,11 +114,20 @@
%{!?with_efi_only:%global without_efi_only 0}
%{?with_efi_only:%global without_efi_only 1}
### fixme
%ifarch %{efi_arch}
%global efi_modules " efi_netfs efifwsetup efinet lsefi lsefimmap "
%endif
%ifarch x86_64 %{ix86}
%global platform_modules " backtrace chain tpm usb usbserial_common usbserial_pl2303 usbserial_ftdi usbserial_usbdebug keylayouts at_keyboard "
%endif
%ifarch ppc64le
%global platform_modules " appendedsig "
%endif
%ifarch aarch64 %{arm} riscv64
%global efi_modules " "
%else
%global efi_modules " backtrace chain tpm usb usbserial_common usbserial_pl2303 usbserial_ftdi usbserial_usbdebug keylayouts at_keyboard "
%global platform_modules " "
%endif
%ifarch aarch64 %{arm} riscv64
@ -217,6 +227,7 @@
%global with_legacy_arch 1
%global grublegacyarch %{legacy_target_cpu_name}-%{platform}
%global moduledir %{legacy_target_cpu_name}-%{platform}
%global grubelfname core.elf
%endif
%global evr %{epoch}:%{version}-%{release}
@ -378,55 +389,98 @@ install -m 644 %{1}.conf ${RPM_BUILD_ROOT}/etc/dnf/protected.d/ \
rm -f %{1}.conf \
%{nil}
%global grub_modules " all_video boot blscfg btrfs \\\
cat configfile cryptodisk \\\
echo ext2 f2fs fat font \\\
gcry_rijndael gcry_rsa gcry_serpent \\\
gcry_sha256 gcry_twofish gcry_whirlpool \\\
gfxmenu gfxterm gzio \\\
halt hfsplus http increment iso9660 \\\
jpeg loadenv loopback linux lvm luks \\\
luks2 mdraid09 mdraid1x minicmd net \\\
normal part_apple part_msdos part_gpt \\\
password_pbkdf2 pgp png reboot regexp \\\
search search_fs_uuid search_fs_file \\\
search_label serial sleep syslinuxcfg \\\
test tftp version video xfs zstd " \
%ifarch x86_64 aarch64 %{arm} riscv64
%define mkimage() \
%define efi_mkimage() \
%{4}./grub-mkimage -O %{1} -o %{2}.orig \\\
-p /EFI/%{efi_vendor} -d grub-core ${GRUB_MODULES} \\\
--sbat %{4}./sbat.csv \
-p /EFI/%{efi_vendor} -d grub-core \\\
--sbat %{4}./sbat.csv \\\
${GRUB_MODULES} \
%{4}./grub-mkimage -O %{1} -o %{3}.orig \\\
-p /EFI/BOOT -d grub-core ${GRUB_MODULES} \\\
--sbat %{4}./sbat.csv \
-p /EFI/BOOT -d grub-core \\\
--sbat %{4}./sbat.csv \\\
${GRUB_MODULES} \
%{expand:%%define ___pesign_client_cert %{?___pesign_client_cert}%{!?___pesign_client_cert:%{__pesign_client_cert}}} \
%{?__pesign_client_cert:%{expand:%%define __pesign_client_cert %{___pesign_client_cert}}} \
%{expand:%%{pesign -s -i %%{2}.orig -o %%{2}.onesig -a %%{5} -c %%{6} -n %%{7}}} \
%{expand:%%{pesign -s -i %%{3}.orig -o %%{3}.onesig -a %%{5} -c %%{6} -n %%{7}}} \
%{expand:%%define __pesign_client_cert %{name}-signer} \
%{expand:%%{pesign -s -i %%{2}.onesig -o %%{2} -a %%{5} -c %%{6} -n %%{7}}} \
%{expand:%%{pesign -s -i %%{3}.onesig -o %%{3} -a %%{5} -c %%{6} -n %%{7}}} \
%{expand:%%{pesign -s -i %%{2}.onesig -o %%{2} -a %%{8} -c %%{9} -n %%{10}}} \
%{expand:%%{pesign -s -i %%{3}.onesig -o %%{3} -a %%{8} -c %%{9} -n %%{10}}} \
%{nil}
%else
%define mkimage() \
%define efi_mkimage() \
%{4}./grub-mkimage -O %{1} -o %{2} \\\
-p /EFI/%{efi_vendor} -d grub-core ${GRUB_MODULES} \
-p /EFI/%{efi_vendor} -d grub-core \\\
${GRUB_MODULES} \
%{4}./grub-mkimage -O %{1} -o %{3} \\\
-p /EFI/BOOT -d grub-core ${GRUB_MODULES} \
-p /EFI/BOOT -d grub-core \\\
${GRUB_MODULES} \
%{nil}
%endif
%ifarch ppc64le
%define ieee1275_mkimage() \
APPENDED_SIG_SIZE=0 \
if [ -x /usr/bin/rpm-sign ]; then \
touch empty.unsigned \
rpm-sign --key %{5} \\\
--lkmsign empty.unsigned \\\
--output empty.signed \
APPENDED_SIG_SIZE="$(stat -c '%s' empty.signed)" \
rm empty.{un,}signed \
fi \
# FIXME: using this prefix is fragile, must be done properly \
./grub-mkimage -O %{1} -o %{2}.orig \\\
-p '/grub2' -d grub-core \\\
-x %{3} -x %{4} \\\
--appended-signature-size ${APPENDED_SIG_SIZE} \\\
${GRUB_MODULES} \
if [ -x /usr/bin/rpm-sign ]; then \
truncate -s -${APPENDED_SIG_SIZE} %{2}.orig \
rpm-sign --key %{5} \\\
--lkmsign %{2}.orig \\\
--output %{2} \
else \
mv %{2}.orig %{2} \
fi \
%{nil}
%endif
%define do_efi_build_images() \
GRUB_MODULES=" all_video boot blscfg btrfs \\\
cat configfile cryptodisk \\\
echo efi_netfs efifwsetup efinet ext2 f2fs \\\
fat font gcry_rijndael gcry_rsa gcry_serpent \\\
gcry_sha256 gcry_twofish gcry_whirlpool \\\
gfxmenu gfxterm gzio \\\
halt hfsplus http increment iso9660 jpeg \\\
loadenv loopback linux lvm lsefi lsefimmap luks \\\
luks2 mdraid09 mdraid1x minicmd net \\\
normal part_apple part_msdos part_gpt \\\
password_pbkdf2 pgp png reboot \\\
regexp search search_fs_uuid search_fs_file \\\
search_label serial sleep syslinuxcfg test tftp \\\
version video xfs zstd " \
GRUB_MODULES+=%{grub_modules} \
GRUB_MODULES+=%{efi_modules} \
%{expand:%%{mkimage %{1} %{2} %{3} %{4}}} \
GRUB_MODULES+=%{platform_modules} \
%{expand:%%{efi_mkimage %{1} %{2} %{3} %{4} %{5} %{6} %{7} %{8} %{9} %{10}}} \
%{nil}
%define do_ieee1275_build_images() \
GRUB_MODULES+=%{grub_modules} \
GRUB_MODULES+=%{platform_modules} \
cd grub-%{1}-%{tarversion} \
%{expand:%%ieee1275_mkimage %%{1} %%{2} %%{3} %%{4} %%{5}} \
cd .. \
%{nil}
%define do_primary_efi_build() \
cd grub-%{1}-%{tarversion} \
%{expand:%%do_efi_configure %%{4} %%{5} %%{6}} \
%do_efi_build_all \
%{expand:%%do_efi_build_images %{grub_target_name} %{2} %{3} ./ } \
%{expand:%%do_efi_build_images %{grub_target_name} %{2} %{3} ./ %{7} %{8} %{9} %{10} %{11} %{12}} \
cd .. \
%{nil}
@ -435,7 +489,7 @@ cd grub-%{1}-%{tarversion} \
%{expand:%%do_efi_configure %%{4} %%{5} %%{6}} \
%do_efi_build_modules \
%{expand:%%do_efi_link_utils %{grubefiarch}} \
%{expand:%%do_efi_build_images %{alt_grub_target_name} %{2} %{3} ../grub-%{grubefiarch}-%{tarversion}/ } \
%{expand:%%do_efi_build_images %{alt_grub_target_name} %{2} %{3} ../grub-%{grubefiarch}-%{tarversion}/ %{7} %{8} %{9} %{10} %{11} %{12}} \
cd .. \
%{nil}
@ -534,6 +588,9 @@ fi \
if [ -f $RPM_BUILD_ROOT%{_infodir}/grub-dev.info ]; then \
rm -f $RPM_BUILD_ROOT%{_infodir}/grub-dev.info \
fi \
%{expand:%ifarch ppc64le \
install -m 700 %{grubelfname} $RPM_BUILD_ROOT/%{_libdir}/grub/%{1} \
%endif} \
if [ -f $RPM_BUILD_ROOT/%{_libdir}/grub/%{1}/%{name}.chrp ]; then \
mv $RPM_BUILD_ROOT/%{_libdir}/grub/%{1}/%{name}.chrp \\\
$RPM_BUILD_ROOT/%{_libdir}/grub/%{1}/%{name}.chrp \
@ -593,12 +650,19 @@ ln -s ../boot/%{name}/grub.cfg \\\
%ghost %config(noreplace) /boot/%{name}/grub.cfg \
%dir %attr(0700,root,root)/boot/loader/entries \
%attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/%{name}-%{1}.conf \
%ifarch ppc64le \
%dir %{_libdir}/grub/%{2}/ \
%{_libdir}/grub/%{2}/%{grubelfname} \
%endif \
\
%{expand:%if 0%{?with_legacy_modules} \
%{expand:%%files %{1}-modules} \
%defattr(-,root,root) \
%dir %{_libdir}/grub/%{2}/ \
%{_libdir}/grub/%{2}/* \
%ifarch ppc64le \
%exclude %{_libdir}/grub/%{2}/%{grubelfname} \
%endif \
%exclude %{_libdir}/grub/%{2}/*.module \
%exclude %{_libdir}/grub/%{2}/{boot,boot_hybrid,cdboot,diskboot,lzma_decompress,pxeboot}.image \
%exclude %{_libdir}/grub/%{2}/*.o \

View File

@ -14,7 +14,7 @@
Name: grub2
Epoch: 1
Version: 2.06
Release: 15%{?dist}
Release: 16%{?dist}
Summary: Bootloader with support for Linux, Multiboot and more
License: GPLv3+
URL: http://www.gnu.org/software/grub/
@ -36,9 +36,26 @@ Source13: redhatsecurebootca3.cer
Source14: redhatsecureboot301.cer
Source15: redhatsecurebootca5.cer
Source16: redhatsecureboot502.cer
Source17: redhatsecureboot303.cer
Source18: redhatsecureboot601.cer
%include %{SOURCE1}
%if 0%{with_efi_arch}
%define old_sb_ca %{SOURCE13}
%define old_sb_cer %{SOURCE14}
%define old_sb_key redhatsecureboot301
%define sb_ca %{SOURCE15}
%define sb_cer %{SOURCE16}
%define sb_key redhatsecureboot502
%endif
%ifarch ppc64le
%define old_sb_cer %{SOURCE17}
%define sb_cer %{SOURCE18}
%define sb_key redhatsecureboot602
%endif
BuildRequires: gcc efi-srpm-macros
BuildRequires: flex bison binutils python3
BuildRequires: ncurses-devel xz-devel bzip2-devel
@ -53,7 +70,7 @@ BuildRequires: help2man
# For %%_userunitdir macro
BuildRequires: systemd
%ifarch %{efi_arch}
BuildRequires: pesign >= 113-21
BuildRequires: pesign >= 0.99-8
%endif
%if %{?_with_ccache: 1}%{?!_with_ccache: 0}
BuildRequires: ccache
@ -196,10 +213,10 @@ git commit -m "After making subdirs"
%build
%if 0%{with_efi_arch}
%{expand:%do_primary_efi_build %%{grubefiarch} %%{grubefiname} %%{grubeficdname} %%{_target_platform} %%{efi_target_cflags} %%{efi_host_cflags} %{SOURCE13} %{SOURCE14} redhatsecureboot301 %{SOURCE15} %{SOURCE16} redhatsecureboot502}
%{expand:%do_primary_efi_build %%{grubefiarch} %%{grubefiname} %%{grubeficdname} %%{_target_platform} %%{efi_target_cflags} %%{efi_host_cflags} %{old_sb_ca} %{old_sb_cer} %{old_sb_key} %{sb_ca} %{sb_cer} %{sb_key}}
%endif
%if 0%{with_alt_efi_arch}
%{expand:%do_alt_efi_build %%{grubaltefiarch} %%{grubaltefiname} %%{grubalteficdname} %%{_alt_target_platform} %%{alt_efi_target_cflags} %%{alt_efi_host_cflags} %{SOURCE13} %{SOURCE14} redhatsecureboot301 %{SOURCE15} %{SOURCE16} redhatsecureboot502}
%{expand:%do_alt_efi_build %%{grubaltefiarch} %%{grubaltefiname} %%{grubalteficdname} %%{_alt_target_platform} %%{alt_efi_target_cflags} %%{alt_efi_host_cflags} %{old_sb_ca} %{old_sb_cer} %{old_sb_key} %{sb_ca} %{sb_cer} %{sb_key}}
%endif
%if 0%{with_legacy_arch}
%{expand:%do_legacy_build %%{grublegacyarch}}
@ -207,6 +224,9 @@ git commit -m "After making subdirs"
%if 0%{with_emu_arch}
%{expand:%do_emu_build}
%endif
%ifarch ppc64le
%{expand:%do_ieee1275_build_images %%{grublegacyarch} %{grubelfname} %{old_sb_cer} %{sb_cer} %{sb_key}}
%endif
makeinfo --info --no-split -I docs -o docs/grub-dev.info \
docs/grub-dev.texi
makeinfo --info --no-split -I docs -o docs/grub.info \
@ -527,29 +547,49 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg
%endif
%changelog
* Tue Jan 04 2021 Robbie Harwood <rharwood@redhat.com> - 2.06-15
- Sync with beta for signing changes
* Tue Jan 04 2021 Robbie Harwood <rharwood@redhat.com> - 2.06-16
- Stop having this problem and just copy over the beta tree
- Resolves: rhbz#2006784
* Tue Dec 21 2021 Robbie Harwood <rharwood@redhat.com> - 2.06-14
- Rebuild for signing; no code changes
- Resolves: rhbz#2006784
* Mon Oct 25 2021 Robbie Harwood <rharwood@redhat.com>
- powerpc-ieee1275: load grub at 4MB, not 2MB
Related: rhbz#1873860
* Fri Nov 19 2021 Robbie Harwood <rharwood@redhat.com> - 2.06-13
- Rebuild for gating; no code changes
- Resolves: rhbz#2006784
* Tue Oct 12 2021 Robbie Harwood <rharwood@redhat.com>
- Print out module name on license check failure
Related: rhbz#1873860
* Tue Oct 26 2021 Robbie Harwood <rharwood@redhat.com> - 2.06-12
- Sync with beta changes (version jump because our process is bad)
Resolves: rhbz#2006784
* Thu Oct 07 2021 pjones <pjones@redhat.com>
- Hopefully make "grub2-mkimage --appended-signature-size=" actually work.
Related: rhbz#1873860
* Thu Oct 07 2021 Peter Jones <pjones@redhat.com> - 2.06-8
- Attempt once more to fix signatures on ppc64le
Related: rhbz#1873860
* Tue Oct 05 2021 Peter Jones <pjones@redhat.com> - 2.06-7
- Fix signatures on ppc64le
Related: rhbz#1951104
* Tue Oct 05 2021 Robbie Harwood <rharwood@redhat.com> - 2.06-6
- Fix booting with XFSv4 partitions
Resolves: rhbz#2006993
* Thu Sep 30 2021 Peter Jones <pjones@redhat.com> - 2.06-5
- Rebuild for correct signatures once more.
Resolves: rhbz#1976771
* Thu Sep 30 2021 Peter Jones <pjones@redhat.com> - 2.06-4
- Rebuild for correct signatures
Resolves: rhbz#1976771
* Mon Sep 27 2021 Robbie Harwood <rharwood@redhat.com> - 2.06-3
- Rebuild for gating + rpminspect
Resolves: rhbz#2006784
Resolves: rhbz#1976771
* Wed Sep 22 2021 Robbie Harwood <rharwood@redhat.com> - 2.06-2
- Rebuild because our CI infrastructure doesn't work right
Resolves: rhbz#2006784
Resolves: rhbz#1976771
* Tue Aug 31 2021 Javier Martinez Canillas <javierm@redhat.com> - 2.06-1
- Update to 2.06 final release and ton of fixes

BIN
redhatsecureboot303.cer Normal file

Binary file not shown.

BIN
redhatsecureboot601.cer Normal file

Binary file not shown.