From 161ae8daafb07612f7fd7cf2e0ec3689b5c90442 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 4 Jan 2022 20:33:19 +0000 Subject: [PATCH] Stop having this problem and just copy over the beta tree Resolves: rhbz#2006784 Signed-off-by: Robbie Harwood --- grub.macros | 126 ++++++++++++++++++++++++++++++---------- grub2.spec | 74 +++++++++++++++++------ redhatsecureboot303.cer | Bin 0 -> 899 bytes redhatsecureboot601.cer | Bin 0 -> 916 bytes 4 files changed, 152 insertions(+), 48 deletions(-) create mode 100644 redhatsecureboot303.cer create mode 100644 redhatsecureboot601.cer diff --git a/grub.macros b/grub.macros index 5863037..168223f 100644 --- a/grub.macros +++ b/grub.macros @@ -74,6 +74,7 @@ %global emuarch %{_arch} %global grubefiarch %{nil} %global grublegacyarch %{nil} +%global grubelfname %{nil} # sparc is always compiled 64 bit %ifarch %{sparc} @@ -113,11 +114,20 @@ %{!?with_efi_only:%global without_efi_only 0} %{?with_efi_only:%global without_efi_only 1} -### fixme +%ifarch %{efi_arch} +%global efi_modules " efi_netfs efifwsetup efinet lsefi lsefimmap " +%endif + +%ifarch x86_64 %{ix86} +%global platform_modules " backtrace chain tpm usb usbserial_common usbserial_pl2303 usbserial_ftdi usbserial_usbdebug keylayouts at_keyboard " +%endif + +%ifarch ppc64le +%global platform_modules " appendedsig " +%endif + %ifarch aarch64 %{arm} riscv64 -%global efi_modules " " -%else -%global efi_modules " backtrace chain tpm usb usbserial_common usbserial_pl2303 usbserial_ftdi usbserial_usbdebug keylayouts at_keyboard " +%global platform_modules " " %endif %ifarch aarch64 %{arm} riscv64 @@ -217,6 +227,7 @@ %global with_legacy_arch 1 %global grublegacyarch %{legacy_target_cpu_name}-%{platform} %global moduledir %{legacy_target_cpu_name}-%{platform} +%global grubelfname core.elf %endif %global evr %{epoch}:%{version}-%{release} 
@@ -378,55 +389,98 @@ install -m 644 %{1}.conf ${RPM_BUILD_ROOT}/etc/dnf/protected.d/ \ rm -f %{1}.conf \ %{nil} +%global grub_modules " all_video boot blscfg btrfs \\\ + cat configfile cryptodisk \\\ + echo ext2 f2fs fat font \\\ + gcry_rijndael gcry_rsa gcry_serpent \\\ + gcry_sha256 gcry_twofish gcry_whirlpool \\\ + gfxmenu gfxterm gzio \\\ + halt hfsplus http increment iso9660 \\\ + jpeg loadenv loopback linux lvm luks \\\ + luks2 mdraid09 mdraid1x minicmd net \\\ + normal part_apple part_msdos part_gpt \\\ + password_pbkdf2 pgp png reboot regexp \\\ + search search_fs_uuid search_fs_file \\\ + search_label serial sleep syslinuxcfg \\\ + test tftp version video xfs zstd " \ + %ifarch x86_64 aarch64 %{arm} riscv64 -%define mkimage() \ +%define efi_mkimage() \ %{4}./grub-mkimage -O %{1} -o %{2}.orig \\\ - -p /EFI/%{efi_vendor} -d grub-core ${GRUB_MODULES} \\\ - --sbat %{4}./sbat.csv \ + -p /EFI/%{efi_vendor} -d grub-core \\\ + --sbat %{4}./sbat.csv \\\ + ${GRUB_MODULES} \ %{4}./grub-mkimage -O %{1} -o %{3}.orig \\\ - -p /EFI/BOOT -d grub-core ${GRUB_MODULES} \\\ - --sbat %{4}./sbat.csv \ + -p /EFI/BOOT -d grub-core \\\ + --sbat %{4}./sbat.csv \\\ + ${GRUB_MODULES} \ %{expand:%%define ___pesign_client_cert %{?___pesign_client_cert}%{!?___pesign_client_cert:%{__pesign_client_cert}}} \ %{?__pesign_client_cert:%{expand:%%define __pesign_client_cert %{___pesign_client_cert}}} \ %{expand:%%{pesign -s -i %%{2}.orig -o %%{2}.onesig -a %%{5} -c %%{6} -n %%{7}}} \ %{expand:%%{pesign -s -i %%{3}.orig -o %%{3}.onesig -a %%{5} -c %%{6} -n %%{7}}} \ %{expand:%%define __pesign_client_cert %{name}-signer} \ -%{expand:%%{pesign -s -i %%{2}.onesig -o %%{2} -a %%{5} -c %%{6} -n %%{7}}} \ -%{expand:%%{pesign -s -i %%{3}.onesig -o %%{3} -a %%{5} -c %%{6} -n %%{7}}} \ +%{expand:%%{pesign -s -i %%{2}.onesig -o %%{2} -a %%{8} -c %%{9} -n %%{10}}} \ +%{expand:%%{pesign -s -i %%{3}.onesig -o %%{3} -a %%{8} -c %%{9} -n %%{10}}} \ %{nil} %else -%define mkimage() \ +%define efi_mkimage() \ 
%{4}./grub-mkimage -O %{1} -o %{2} \\\ - -p /EFI/%{efi_vendor} -d grub-core ${GRUB_MODULES} \ + -p /EFI/%{efi_vendor} -d grub-core \\\ + ${GRUB_MODULES} \ %{4}./grub-mkimage -O %{1} -o %{3} \\\ - -p /EFI/BOOT -d grub-core ${GRUB_MODULES} \ + -p /EFI/BOOT -d grub-core \\\ + ${GRUB_MODULES} \ +%{nil} +%endif + +%ifarch ppc64le +%define ieee1275_mkimage() \ +APPENDED_SIG_SIZE=0 \ +if [ -x /usr/bin/rpm-sign ]; then \ + touch empty.unsigned \ + rpm-sign --key %{5} \\\ + --lkmsign empty.unsigned \\\ + --output empty.signed \ + APPENDED_SIG_SIZE="$(stat -c '%s' empty.signed)" \ + rm empty.{un,}signed \ +fi \ +# FIXME: using this prefix is fragile, must be done properly \ +./grub-mkimage -O %{1} -o %{2}.orig \\\ + -p '/grub2' -d grub-core \\\ + -x %{3} -x %{4} \\\ + --appended-signature-size ${APPENDED_SIG_SIZE} \\\ + ${GRUB_MODULES} \ +if [ -x /usr/bin/rpm-sign ]; then \ + truncate -s -${APPENDED_SIG_SIZE} %{2}.orig \ + rpm-sign --key %{5} \\\ + --lkmsign %{2}.orig \\\ + --output %{2} \ +else \ + mv %{2}.orig %{2} \ +fi \ %{nil} %endif %define do_efi_build_images() \ -GRUB_MODULES=" all_video boot blscfg btrfs \\\ - cat configfile cryptodisk \\\ - echo efi_netfs efifwsetup efinet ext2 f2fs \\\ - fat font gcry_rijndael gcry_rsa gcry_serpent \\\ - gcry_sha256 gcry_twofish gcry_whirlpool \\\ - gfxmenu gfxterm gzio \\\ - halt hfsplus http increment iso9660 jpeg \\\ - loadenv loopback linux lvm lsefi lsefimmap luks \\\ - luks2 mdraid09 mdraid1x minicmd net \\\ - normal part_apple part_msdos part_gpt \\\ - password_pbkdf2 pgp png reboot \\\ - regexp search search_fs_uuid search_fs_file \\\ - search_label serial sleep syslinuxcfg test tftp \\\ - version video xfs zstd " \ +GRUB_MODULES+=%{grub_modules} \ GRUB_MODULES+=%{efi_modules} \ -%{expand:%%{mkimage %{1} %{2} %{3} %{4}}} \ +GRUB_MODULES+=%{platform_modules} \ +%{expand:%%{efi_mkimage %{1} %{2} %{3} %{4} %{5} %{6} %{7} %{8} %{9} %{10}}} \ +%{nil} + +%define do_ieee1275_build_images() \ +GRUB_MODULES+=%{grub_modules} \ 
+GRUB_MODULES+=%{platform_modules} \ +cd grub-%{1}-%{tarversion} \ +%{expand:%%ieee1275_mkimage %%{1} %%{2} %%{3} %%{4} %%{5}} \ +cd .. \ %{nil} %define do_primary_efi_build() \ cd grub-%{1}-%{tarversion} \ %{expand:%%do_efi_configure %%{4} %%{5} %%{6}} \ %do_efi_build_all \ -%{expand:%%do_efi_build_images %{grub_target_name} %{2} %{3} ./ } \ +%{expand:%%do_efi_build_images %{grub_target_name} %{2} %{3} ./ %{7} %{8} %{9} %{10} %{11} %{12}} \ cd .. \ %{nil} @@ -435,7 +489,7 @@ cd grub-%{1}-%{tarversion} \ %{expand:%%do_efi_configure %%{4} %%{5} %%{6}} \ %do_efi_build_modules \ %{expand:%%do_efi_link_utils %{grubefiarch}} \ -%{expand:%%do_efi_build_images %{alt_grub_target_name} %{2} %{3} ../grub-%{grubefiarch}-%{tarversion}/ } \ +%{expand:%%do_efi_build_images %{alt_grub_target_name} %{2} %{3} ../grub-%{grubefiarch}-%{tarversion}/ %{7} %{8} %{9} %{10} %{11} %{12}} \ cd .. \ %{nil} @@ -534,6 +588,9 @@ fi \ if [ -f $RPM_BUILD_ROOT%{_infodir}/grub-dev.info ]; then \ rm -f $RPM_BUILD_ROOT%{_infodir}/grub-dev.info \ fi \ +%{expand:%ifarch ppc64le \ + install -m 700 %{grubelfname} $RPM_BUILD_ROOT/%{_libdir}/grub/%{1} \ +%endif} \ if [ -f $RPM_BUILD_ROOT/%{_libdir}/grub/%{1}/%{name}.chrp ]; then \ mv $RPM_BUILD_ROOT/%{_libdir}/grub/%{1}/%{name}.chrp \\\ $RPM_BUILD_ROOT/%{_libdir}/grub/%{1}/%{name}.chrp \ 
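Review bot: In `ieee1275_mkimage`, the `else` branch moves `%{2}.orig` to `%{2}` without a signature and without any message whenever `/usr/bin/rpm-sign` is not executable, so a misconfigured builder yields a ppc64le core image with no appended signature and the build still succeeds. I would at least log it, e.g. `echo "WARNING: rpm-sign unavailable, %{2} is NOT signed" >&2 \` ahead of `mv %{2}.orig %{2} \`. The signing calls should also use the path that the `-x` test checks (`/usr/bin/rpm-sign --key %{5} \\\`) rather than resolving `rpm-sign` through PATH. Separately, `do_efi_build_images` and `do_ieee1275_build_images` now open with `GRUB_MODULES+=%{grub_modules}` where the old code assigned the list. Any value already present in the build shell, or apparently left over from an earlier image build in the same script, is therefore carried into the module list of the signed image; `GRUB_MODULES=%{grub_modules} \` as the first line would keep it deterministic.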
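Review bot: The added `install -m 700 %{grubelfname} $RPM_BUILD_ROOT/%{_libdir}/grub/%{1}` names its destination without a trailing slash, so if that directory does not exist yet the image is written as a regular file called `%{1}` instead of the step failing. Writing the target as `$RPM_BUILD_ROOT/%{_libdir}/grub/%{1}/` makes `install` stop with an error in that case. The source path is relative, so the line also depends on the working directory being the one where `core.elf` was built. The enclosing macro starts outside this hunk, so that cannot be confirmed from here.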
@@ -593,12 +650,19 @@ ln -s ../boot/%{name}/grub.cfg \\\ %ghost %config(noreplace) /boot/%{name}/grub.cfg \ %dir %attr(0700,root,root)/boot/loader/entries \ %attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/%{name}-%{1}.conf \ +%ifarch ppc64le \ +%dir %{_libdir}/grub/%{2}/ \ +%{_libdir}/grub/%{2}/%{grubelfname} \ +%endif \ \ %{expand:%if 0%{?with_legacy_modules} \ %{expand:%%files %{1}-modules} \ %defattr(-,root,root) \ %dir %{_libdir}/grub/%{2}/ \ %{_libdir}/grub/%{2}/* \ +%ifarch ppc64le \ +%exclude %{_libdir}/grub/%{2}/%{grubelfname} \ +%endif \ %exclude %{_libdir}/grub/%{2}/*.module \ %exclude %{_libdir}/grub/%{2}/{boot,boot_hybrid,cdboot,diskboot,lzma_decompress,pxeboot}.image \ %exclude %{_libdir}/grub/%{2}/*.o \ diff --git a/grub2.spec b/grub2.spec index 99551ec..f5ee3a2 100644 --- a/grub2.spec +++ b/grub2.spec @@ -14,7 +14,7 @@ Name: grub2 Epoch: 1 Version: 2.06 -Release: 15%{?dist} +Release: 16%{?dist} Summary: Bootloader with support for Linux, Multiboot and more License: GPLv3+ URL: http://www.gnu.org/software/grub/ @@ -36,9 +36,26 @@ Source13: redhatsecurebootca3.cer Source14: redhatsecureboot301.cer Source15: redhatsecurebootca5.cer Source16: redhatsecureboot502.cer +Source17: redhatsecureboot303.cer +Source18: redhatsecureboot601.cer %include %{SOURCE1} +%if 0%{with_efi_arch} +%define old_sb_ca %{SOURCE13} +%define old_sb_cer %{SOURCE14} +%define old_sb_key redhatsecureboot301 +%define sb_ca %{SOURCE15} +%define sb_cer %{SOURCE16} +%define sb_key redhatsecureboot502 +%endif + +%ifarch ppc64le +%define old_sb_cer %{SOURCE17} +%define sb_cer %{SOURCE18} +%define sb_key redhatsecureboot602 +%endif + BuildRequires: gcc efi-srpm-macros BuildRequires: flex bison binutils python3 BuildRequires: ncurses-devel xz-devel bzip2-devel 
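Review bot: In the `%ifarch ppc64le` block, `sb_key` is set to `redhatsecureboot602`, which matches neither certificate added by this commit (`redhatsecureboot303.cer`, `redhatsecureboot601.cer`), while the EFI block pairs `redhatsecureboot502.cer` with key `redhatsecureboot502`. If the signing-key nickname is meant to differ from the embedded certificate, a comment such as `# sb_key is the signing-server key nickname; it intentionally differs from the 601 cert passed to -x` would stop the next reader from treating it as a typo; otherwise the name should be corrected. Both `.cer` files are handed to `grub-mkimage -x` in `ieee1275_mkimage`, so they appear to become verification trust anchors in the image. Recording their subject and fingerprint in the commit message would make the binary additions reviewable.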
@@ -53,7 +70,7 @@ BuildRequires: help2man # For %%_userunitdir macro BuildRequires: systemd %ifarch %{efi_arch} -BuildRequires: pesign >= 113-21 +BuildRequires: pesign >= 0.99-8 %endif %if %{?_with_ccache: 1}%{?!_with_ccache: 0} BuildRequires: ccache @@ -196,10 +213,10 @@ git commit -m "After making subdirs" %build %if 0%{with_efi_arch} -%{expand:%do_primary_efi_build %%{grubefiarch} %%{grubefiname} %%{grubeficdname} %%{_target_platform} %%{efi_target_cflags} %%{efi_host_cflags} %{SOURCE13} %{SOURCE14} redhatsecureboot301 %{SOURCE15} %{SOURCE16} redhatsecureboot502} +%{expand:%do_primary_efi_build %%{grubefiarch} %%{grubefiname} %%{grubeficdname} %%{_target_platform} %%{efi_target_cflags} %%{efi_host_cflags} %{old_sb_ca} %{old_sb_cer} %{old_sb_key} %{sb_ca} %{sb_cer} %{sb_key}} %endif %if 0%{with_alt_efi_arch} -%{expand:%do_alt_efi_build %%{grubaltefiarch} %%{grubaltefiname} %%{grubalteficdname} %%{_alt_target_platform} %%{alt_efi_target_cflags} %%{alt_efi_host_cflags} %{SOURCE13} %{SOURCE14} redhatsecureboot301 %{SOURCE15} %{SOURCE16} redhatsecureboot502} +%{expand:%do_alt_efi_build %%{grubaltefiarch} %%{grubaltefiname} %%{grubalteficdname} %%{_alt_target_platform} %%{alt_efi_target_cflags} %%{alt_efi_host_cflags} %{old_sb_ca} %{old_sb_cer} %{old_sb_key} %{sb_ca} %{sb_cer} %{sb_key}} %endif %if 0%{with_legacy_arch} %{expand:%do_legacy_build %%{grublegacyarch}} @@ -207,6 +224,9 @@ git commit -m "After making subdirs" %if 0%{with_emu_arch} %{expand:%do_emu_build} %endif +%ifarch ppc64le +%{expand:%do_ieee1275_build_images %%{grublegacyarch} %{grubelfname} %{old_sb_cer} %{sb_cer} %{sb_key}} +%endif makeinfo --info --no-split -I docs -o docs/grub-dev.info \ docs/grub-dev.texi makeinfo --info --no-split -I docs -o docs/grub.info \ 
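Review bot: The pesign floor goes from `>= 113-21` to `>= 0.99-8`, and under RPM version ordering 0.99 sorts below 113, so this relaxes the requirement on the signing tool rather than tightening it. `efi_mkimage` in grub.macros now runs a second `pesign` pass with a separate certificate and key set (`-a %{8} -c %{9} -n %{10}`), so it is worth confirming that the oldest pesign this constraint admits handles that invocation. If the lower bound is deliberate for this branch, say so next to it, e.g. `# pesign >= 0.99-8: <reason this is the minimum for this branch>`.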
@@ -527,29 +547,49 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg %endif %changelog -* Tue Jan 04 2021 Robbie Harwood - 2.06-15 -- Sync with beta for signing changes +* Tue Jan 04 2021 Robbie Harwood - 2.06-16 +- Stop having this problem and just copy over the beta tree - Resolves: rhbz#2006784 -* Tue Dec 21 2021 Robbie Harwood - 2.06-14 -- Rebuild for signing; no code changes -- Resolves: rhbz#2006784 +* Mon Oct 25 2021 Robbie Harwood +- powerpc-ieee1275: load grub at 4MB, not 2MB + Related: rhbz#1873860 -* Fri Nov 19 2021 Robbie Harwood - 2.06-13 -- Rebuild for gating; no code changes -- Resolves: rhbz#2006784 +* Tue Oct 12 2021 Robbie Harwood +- Print out module name on license check failure + Related: rhbz#1873860 -* Tue Oct 26 2021 Robbie Harwood - 2.06-12 -- Sync with beta changes (version jump because our process is bad) - Resolves: rhbz#2006784 +* Thu Oct 07 2021 pjones +- Hopefully make "grub2-mkimage --appended-signature-size=" actually work. + Related: rhbz#1873860 + +* Thu Oct 07 2021 Peter Jones - 2.06-8 +- Attempt once more to fix signatures on ppc64le + Related: rhbz#1873860 + +* Tue Oct 05 2021 Peter Jones - 2.06-7 +- Fix signatures on ppc64le + Related: rhbz#1951104 + +* Tue Oct 05 2021 Robbie Harwood - 2.06-6 +- Fix booting with XFSv4 partitions + Resolves: rhbz#2006993 + +* Thu Sep 30 2021 Peter Jones - 2.06-5 +- Rebuild for correct signatures once more. + Resolves: rhbz#1976771 + +* Thu Sep 30 2021 Peter Jones - 2.06-4 +- Rebuild for correct signatures + Resolves: rhbz#1976771 * Mon Sep 27 2021 Robbie Harwood - 2.06-3 - Rebuild for gating + rpminspect - Resolves: rhbz#2006784 + Resolves: rhbz#1976771 * Wed Sep 22 2021 Robbie Harwood - 2.06-2 - Rebuild because our CI infrastructure doesn't work right - Resolves: rhbz#2006784 + Resolves: rhbz#1976771 * Tue Aug 31 2021 Javier Martinez Canillas - 2.06-1 - Update to 2.06 final release and ton of fixes 
diff --git a/redhatsecureboot303.cer b/redhatsecureboot303.cer new file mode 100644 index 0000000000000000000000000000000000000000..2c0087dbc5da376aef641bb23833401857c34940 GIT binary patch literal 899 zcmXqLVy-u6VoG1Y%*4pV#L4h}zvyHQr&GoTylk9WZ60mkc^MhGSs4s`4b=@)*_cCF zn1$tnQd1N>5=#_OQj1C) zic(WD5=-=w^K%X4#CZ)Z4a^Ko3@l8IOe~_rd5tX$3=NE+T!SD(9Rn?}bv(*gtt-w< z&&$k92is{(oSjXKO31!qWMyD(V&rEqXkz4IYGPz$II>2G|M$FqPFt5GY@Z}j_wdcG z>qlNkR*SLi2#vh>#O(I_Wno7c`4SC2=y=Zd`<9;a@{@2)?V*sz8{HTFd-E&#gtt#; zUgHuWz1pJ-y#K9{o_n?Q@4oA|9nu>-nGU?#lm1zM!m(4+W^!G6o63L4^zhgAs4rhs zUmj^WrxfJ3J}dJeuq`Lta*xk?}tZlL3PPH;Bj2!otkN-e4dL;_$JEv50IdKm9LW&^Yn$5_R6=HKv!R z$vZ?D$b+PnStJa^8bln#TEtw=Sv9h7u(GGU__1hC>W>)Y2mmH4U<5ES#PkO5sC<9x z!JKt`$32eKDcv>kntnv_@NIu_U*Q=Xk1EvP<=w1`yP>!G=8u`mTv|szZevQCch1^& z!q2ncK3iyARETApaF1br*%L8#fw_eaRczCW1C=8SIyp9OHWxSD>F|+J;%msh6TGS4 z7i9eW_V~}UtyNmb|NVAU_`StO+3?O0&CipWay2jh-RRBjrY}Bi{e-UnA#J9g_4+s? zD*o^EabCXQ^?4Wm+_igF-`xN2a7LS$!jkBBmcGB8+wcBUs^a;5FNJd^r+L3*+)39L zjQ8{>JTSZxpz7w(F!4!Co|pZnnG+e$u$S(t-F5BW&3P{?riLzZE|e}c7rGqT{#S2( H=YvQ9de&%$ literal 0 HcmV?d00001 diff --git a/redhatsecureboot601.cer b/redhatsecureboot601.cer new file mode 100644 index 0000000000000000000000000000000000000000..c92b96b4e0d360b90333361ea61f565f196ea20e GIT binary patch literal 916 zcmXqLVxC~o#8k0>nTe5!iId^-97p53+3_w0ylk9WZ60mkc^MhGSs4u64HXUK*_cCF zn0X|EQd1N>5=#_*enXpOwY^AOII)h zY9hwICPpP>zc8{gFgG#sGZ-{6axpbAGBQki!xdZoCRX_S>dV}-BbKHWadCWS=ictf zX!LID`KNZP*Y{*9L|}%3_emT z=3e&*+PO}C!>cFT-xY3>#+jTtA9;|7?{ zfN{gfkisa`?6XkHTKh%6xuB-@a@A8u|2@AV?)Y1R|85iijb|M5C)`>v`vA}Wwb4kOkuKYkrH2^@l99De!}lh|79J&NCf?#_qJr(?s~t*IWParC|#~@cmCKBc#uW$e87pz^*}ZFcLToW*~c?muOF`th~Ca6;MkH0u8E;ZRmJw4GFuwHdd(wk|9y*>0095ZYghmP literal 0 HcmV?d00001