A few fixes for ppc64le LPAR Secure Boot support

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-08-30 16:50:42 +02:00 · 2021-08-30 16:50:42 +02:00 · 1f9e8074ae
commit 1f9e8074ae
parent db96a0c4de
5 changed files with 248 additions and 1 deletions
--- a/0217-normal-main-Discover-the-device-to-read-the-config-f.patch
+++ b/0217-normal-main-Discover-the-device-to-read-the-config-f.patch
@ -0,0 +1,123 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Mon, 30 Aug 2021 12:31:18 +0200
+Subject: [PATCH] normal/main: Discover the device to read the config from as a
+ fallback
+
+The GRUB core.img is generated locally, when this is done the grub2-probe
+tool figures out the device and partition that needs to be read to parse
+the GRUB configuration file.
+
+But in some cases the core.img can't be generated on the host and instead
+has to be done at package build time. For example, if needs to get signed
+with a key that's only available on the package building infrastructure.
+
+If that's the case, the prefix variable won't have a device and partition
+but only a directory path. So there's no way for GRUB to know from which
+device has to read the configuration file.
+
+To allow GRUB to continue working on that scenario, fallback to iterating
+over all the available devices, if reading the config failed when using
+the prefix and fw_path variables.
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+---
+ grub-core/normal/main.c | 58 +++++++++++++++++++++++++++++++++++++++++++------
+ 1 file changed, 51 insertions(+), 7 deletions(-)
+
+diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
+index 155bf366da2..f9ccca502ee 100644
+--- a/grub-core/normal/main.c
+++ b/grub-core/normal/main.c
+@@ -339,18 +339,13 @@ grub_enter_normal_mode (const char *config)
+ }
+ 
+ static grub_err_t
+-grub_try_normal (const char *variable)
+grub_try_normal_prefix (const char *prefix)
+ {
+     char *config;
+-    const char *prefix;
+     grub_err_t err = GRUB_ERR_FILE_NOT_FOUND;
+     const char *net_search_cfg;
+     int disable_net_search = 0;
+ 
+-    prefix = grub_env_get (variable);
+-    if (!prefix)
+-      return GRUB_ERR_FILE_NOT_FOUND;
+-
+     net_search_cfg = grub_env_get ("feature_net_search_cfg");
+     if (net_search_cfg && net_search_cfg[0] == 'n')
+       disable_net_search = 1;
+@@ -364,7 +359,7 @@ grub_try_normal (const char *variable)
+        config = grub_malloc (config_len);
+ 
+        if (! config)
+-         return GRUB_ERR_FILE_NOT_FOUND;
+         return err;
+ 
+        grub_snprintf (config, config_len, "%s/grub.cfg", prefix);
+        err = grub_net_search_config_file (config);
+@@ -393,6 +388,53 @@ grub_try_normal (const char *variable)
+     return err;
+ }
+ 
+static int
+grub_try_normal_dev (const char *name, void *data)
+{
+  grub_err_t err;
+  const char *prefix = grub_xasprintf ("(%s)%s", name, (char *)data);
+
+  if (!prefix)
+    return 0;
+
+  err = grub_try_normal_prefix (prefix);
+  if (err == GRUB_ERR_NONE)
+    return 1;
+
+  return 0;
+}
+
+static grub_err_t
+grub_try_normal_discover (void)
+{
+  char *prefix = grub_env_get ("prefix");
+  grub_err_t err = GRUB_ERR_FILE_NOT_FOUND;
+
+  if (!prefix)
+    return err;
+
+  if (grub_device_iterate (grub_try_normal_dev, (void *)prefix))
+    return GRUB_ERR_NONE;
+
+  return err;
+}
+
+static grub_err_t
+grub_try_normal (const char *variable)
+{
+  grub_err_t err = GRUB_ERR_FILE_NOT_FOUND;
+  const char *prefix;
+
+  if (!variable)
+    return err;
+
+  prefix = grub_env_get (variable);
+  if (!prefix)
+    return err;
+
+  return grub_try_normal_prefix (prefix);
+}
+
+ /* Enter normal mode from rescue mode.  */
+ static grub_err_t
+ grub_cmd_normal (struct grub_command *cmd __attribute__ ((unused)),
+@@ -407,6 +449,8 @@ grub_cmd_normal (struct grub_command *cmd __attribute__ ((unused)),
+       err = grub_try_normal ("fw_path");
+       if (err == GRUB_ERR_FILE_NOT_FOUND)
+         err = grub_try_normal ("prefix");
+      if (err == GRUB_ERR_FILE_NOT_FOUND)
+        err = grub_try_normal_discover ();
+       if (err == GRUB_ERR_FILE_NOT_FOUND)
+         grub_enter_normal_mode (0);
+     }
--- a/0218-powerpc-adjust-setting-of-prefix-for-signed-binary-c.patch
+++ b/0218-powerpc-adjust-setting-of-prefix-for-signed-binary-c.patch
@ -0,0 +1,75 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Mon, 19 Jul 2021 14:35:55 +1000
+Subject: [PATCH] powerpc: adjust setting of prefix for signed binary case
+
+On RHEL-signed powerpc grub, we sign a grub with -p /grub2 and expect
+that there's a boot partition.
+
+Unfortunately grub_set_prefix_and_root tries to convert this to
+($fwdevice)/grub2. This ends up being (ieee1275/disk)/grub2 and that
+falls apart pretty quickly - there's no file-system on ieee1275/disk,
+and it makes the search routine try things like
+(ieee1275/disk,msdos2)(ieee1275/disk)/grub2 which also doesn't work.
+
+Detect if we would be about to create (ieee1275/disk)/path and don't:
+preserve a prefix of /path instead and hope the search later finds us.
+
+Related: rhbz#1899864
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+---
+ grub-core/kern/main.c | 38 +++++++++++++++++++++++++++++++++-----
+ 1 file changed, 33 insertions(+), 5 deletions(-)
+
+diff --git a/grub-core/kern/main.c b/grub-core/kern/main.c
+index 0285e95a2bb..e809a5edec1 100644
+--- a/grub-core/kern/main.c
+++ b/grub-core/kern/main.c
+@@ -216,13 +216,41 @@ grub_set_prefix_and_root (void)
+   if (device)
+     {
+       char *prefix_set;
+-    
+-      prefix_set = grub_xasprintf ("(%s)%s", device, path ? : "");
+-      if (prefix_set)
+
+#ifdef __powerpc__
+      /* We have to be careful here on powerpc-ieee1275 + signed grub. We
+	 will have signed something with a prefix that doesn't have a device
+	 because we cannot know in advance what partition we're on.
+
+	 We will have had !device earlier, so we will have set device=fwdevice
+	 However, we want to make sure we do not end up setting prefix to be
+	 ($fwdevice)/path, because we will then end up trying to boot or search
+	 based on a prefix of (ieee1275/disk)/path, which will not work because
+	 it's missing a partition.
+
+	 Also:
+	  - You can end up with a device with an FS directly on it, without
+	    a partition, e.g. ieee1275/cdrom.
+
+	  - powerpc-ieee1275 + grub-install sets e.g. prefix=(,gpt2)/path,
+	    which will have now been extended to device=$fwdisk,partition
+	    and path=/path
+
+	 So we only need to act if device = ieee1275/disk exactly.
+       */
+      if (grub_strncmp (device, "ieee1275/disk", 14) == 0)
+        grub_env_set ("prefix", path);
+      else
+#endif
+ 	{
+-	  grub_env_set ("prefix", prefix_set);
+-	  grub_free (prefix_set);
+	  prefix_set = grub_xasprintf ("(%s)%s", device, path ? : "");
+	  if (prefix_set)
+	  {
+	    grub_env_set ("prefix", prefix_set);
+	    grub_free (prefix_set);
+	  }
+ 	}
+
+       grub_env_set ("root", device);
+     }
+ 
--- a/0219-powerpc-fix-prefix-signed-grub-special-case-for-Powe.patch
+++ b/0219-powerpc-fix-prefix-signed-grub-special-case-for-Powe.patch
@ -0,0 +1,43 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Mon, 16 Aug 2021 16:01:47 +1000
+Subject: [PATCH] powerpc: fix prefix + signed grub special case for PowerVM
+
+Mea culpa: when testing the PowerPC special case for signed grub, I
+assumed qemu and PowerVM would behave identically. This was wrong, and
+with hindsight a pretty dumb error.
+
+This fixes it. This time, I am actually testing on PowerVM.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+---
+ grub-core/kern/main.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/kern/main.c b/grub-core/kern/main.c
+index e809a5edec1..2d0d2bbd4cf 100644
+--- a/grub-core/kern/main.c
+++ b/grub-core/kern/main.c
+@@ -236,9 +236,20 @@ grub_set_prefix_and_root (void)
+ 	    which will have now been extended to device=$fwdisk,partition
+ 	    and path=/path
+ 
+-	 So we only need to act if device = ieee1275/disk exactly.
+	  - PowerVM will give us device names like
+	    ieee1275//vdevice/v-scsi@3000006c/disk@8100000000000000
+	    and we don't want to try to encode some sort of truth table about
+	    what sorts of paths represent disks with partition tables and those
+	    without partition tables.
+
+	 So we act unless there is a comma in the device, which would indicate
+	 a partition has already been specified.
+
+	 (If we only have a path, the code in normal to discover config files
+	 will try both without partitions and then with any partitions so we
+	 will cover both CDs and HDs.)
+        */
+-      if (grub_strncmp (device, "ieee1275/disk", 14) == 0)
+      if (grub_strchr (device, ',') == NULL)
+         grub_env_set ("prefix", path);
+       else
+ #endif
--- a/grub.patches
+++ b/grub.patches
@ -214,3 +214,6 @@ Patch0213: 0213-Remove-outdated-URL-for-BLS-document.patch
 Patch0214: 0214-templates-Check-for-EFI-at-runtime-instead-of-config.patch
 Patch0215: 0215-efi-Print-an-error-if-boot-to-firmware-setup-is-not-.patch
 Patch0216: 0216-arm64-Fix-EFI-loader-kernel-image-allocation.patch
+Patch0217: 0217-normal-main-Discover-the-device-to-read-the-config-f.patch
+Patch0218: 0218-powerpc-adjust-setting-of-prefix-for-signed-binary-c.patch
+Patch0219: 0219-powerpc-fix-prefix-signed-grub-special-case-for-Powe.patch
--- a/grub2.spec
+++ b/grub2.spec
@ -14,7 +14,7 @@
 Name:		grub2
 Epoch:		1
 Version:	2.06
-Release:	4%{?dist}
+Release:	5%{?dist}
 Summary:	Bootloader with support for Linux, Multiboot and more
 License:	GPLv3+
 URL:		http://www.gnu.org/software/grub/
@ -523,6 +523,9 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg
 %endif

 %changelog
+* Mon Aug 30 2021 Javier Martinez Canillas <javierm@redhat.com> - 2.06-5
+- A few fixes for ppc64le LPAR Secure Boot support
+
 * Tue Aug 24 2021 Peter Jones <pjones@redhat.com> - 2.06-4
 - Fix aarch64 kernel alignment.
 - Fix annobin regexp on ppc64le