import grub2-2.02-106.el8
This commit is contained in:
parent
3b06c03f9e
commit
2d479f20f3
75
SOURCES/0481-ieee1275-drop-HEAP_MAX_ADDR-HEAP_MIN_SIZE.patch
Normal file
75
SOURCES/0481-ieee1275-drop-HEAP_MAX_ADDR-HEAP_MIN_SIZE.patch
Normal file
@ -0,0 +1,75 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Axtens <dja@axtens.net>
|
||||
Date: Wed, 14 Apr 2021 20:10:23 +1000
|
||||
Subject: [PATCH] ieee1275: drop HEAP_MAX_ADDR, HEAP_MIN_SIZE
|
||||
|
||||
HEAP_MAX_ADDR is confusing. Currently it is set to 32MB, except
|
||||
on ieee1275 on x86, where it is 64MB.
|
||||
|
||||
There is a comment which purports to explain it:
|
||||
|
||||
/* If possible, we will avoid claiming heap above this address, because it
|
||||
seems to cause relocation problems with OSes that link at 4 MiB */
|
||||
|
||||
This doesn't make a lot of sense when the constants are well above 4MB
|
||||
already. It was not always this way. Prior to
|
||||
commit 7b5d0fe4440c ("Increase heap limit") in 2010, HEAP_MAX_SIZE and
|
||||
HEAP_MAX_ADDR were indeed 4MB. However, when the constants were increased
|
||||
the comment was left unchanged.
|
||||
|
||||
It's been over a decade. It doesn't seem like we have problems with
|
||||
claims over 4MB on powerpc or x86 ieee1275. (sparc does things completely
|
||||
differently and never used the constant.)
|
||||
|
||||
Drop the constant and the check.
|
||||
|
||||
The only use of HEAP_MIN_SIZE was to potentially override the
|
||||
HEAP_MAX_ADDR check. It is now unused. Remove it.
|
||||
|
||||
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||
---
|
||||
grub-core/kern/ieee1275/init.c | 17 -----------------
|
||||
1 file changed, 17 deletions(-)
|
||||
|
||||
diff --git a/grub-core/kern/ieee1275/init.c b/grub-core/kern/ieee1275/init.c
|
||||
index 22dc3013d86..ee97d761d1e 100644
|
||||
--- a/grub-core/kern/ieee1275/init.c
|
||||
+++ b/grub-core/kern/ieee1275/init.c
|
||||
@@ -42,9 +42,6 @@
|
||||
#include <grub/machine/kernel.h>
|
||||
#endif
|
||||
|
||||
-/* The minimal heap size we can live with. */
|
||||
-#define HEAP_MIN_SIZE (unsigned long) (2 * 1024 * 1024)
|
||||
-
|
||||
/* The maximum heap size we're going to claim */
|
||||
#ifdef __i386__
|
||||
#define HEAP_MAX_SIZE (unsigned long) (64 * 1024 * 1024)
|
||||
@@ -52,14 +49,6 @@
|
||||
#define HEAP_MAX_SIZE (unsigned long) (32 * 1024 * 1024)
|
||||
#endif
|
||||
|
||||
-/* If possible, we will avoid claiming heap above this address, because it
|
||||
- seems to cause relocation problems with OSes that link at 4 MiB */
|
||||
-#ifdef __i386__
|
||||
-#define HEAP_MAX_ADDR (unsigned long) (64 * 1024 * 1024)
|
||||
-#else
|
||||
-#define HEAP_MAX_ADDR (unsigned long) (32 * 1024 * 1024)
|
||||
-#endif
|
||||
-
|
||||
extern char _end[];
|
||||
|
||||
#ifdef __sparc__
|
||||
@@ -181,12 +170,6 @@ heap_init (grub_uint64_t addr, grub_uint64_t len, grub_memory_type_t type,
|
||||
if (*total + len > HEAP_MAX_SIZE)
|
||||
len = HEAP_MAX_SIZE - *total;
|
||||
|
||||
- /* Avoid claiming anything above HEAP_MAX_ADDR, if possible. */
|
||||
- if ((addr < HEAP_MAX_ADDR) && /* if it's too late, don't bother */
|
||||
- (addr + len > HEAP_MAX_ADDR) && /* if it wasn't available anyway, don't bother */
|
||||
- (*total + (HEAP_MAX_ADDR - addr) > HEAP_MIN_SIZE)) /* only limit ourselves when we can afford to */
|
||||
- len = HEAP_MAX_ADDR - addr;
|
||||
-
|
||||
/* In theory, firmware should already prevent this from happening by not
|
||||
listing our own image in /memory/available. The check below is intended
|
||||
as a safeguard in case that doesn't happen. However, it doesn't protect
|
252
SOURCES/0482-ieee1275-claim-more-memory.patch
Normal file
252
SOURCES/0482-ieee1275-claim-more-memory.patch
Normal file
@ -0,0 +1,252 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Axtens <dja@axtens.net>
|
||||
Date: Wed, 15 Apr 2020 23:28:29 +1000
|
||||
Subject: [PATCH] ieee1275: claim more memory
|
||||
|
||||
On powerpc-ieee1275, we are running out of memory trying to verify
|
||||
anything. This is because:
|
||||
|
||||
- we have to load an entire file into memory to verify it. This is
|
||||
extremely difficult to change with appended signatures.
|
||||
- We only have 32MB of heap.
|
||||
- Distro kernels are now often around 30MB.
|
||||
|
||||
So we want to claim more memory from OpenFirmware for our heap.
|
||||
|
||||
There are some complications:
|
||||
|
||||
- The grub mm code isn't the only thing that will make claims on
|
||||
memory from OpenFirmware:
|
||||
|
||||
* PFW/SLOF will have claimed some for their own use.
|
||||
|
||||
* The ieee1275 loader will try to find other bits of memory that we
|
||||
haven't claimed to place the kernel and initrd when we go to boot.
|
||||
|
||||
* Once we load Linux, it will also try to claim memory. It claims
|
||||
memory without any reference to /memory/available, it just starts
|
||||
at min(top of RMO, 768MB) and works down. So we need to avoid this
|
||||
area. See arch/powerpc/kernel/prom_init.c as of v5.11.
|
||||
|
||||
- The smallest amount of memory a ppc64 KVM guest can have is 256MB.
|
||||
It doesn't work with distro kernels but can work with custom kernels.
|
||||
We should maintain support for that. (ppc32 can boot with even less,
|
||||
and we shouldn't break that either.)
|
||||
|
||||
- Even if a VM has more memory, the memory OpenFirmware makes available
|
||||
as Real Memory Area can be restricted. A freshly created LPAR on a
|
||||
PowerVM machine is likely to have only 256MB available to OpenFirmware
|
||||
even if it has many gigabytes of memory allocated.
|
||||
|
||||
EFI systems will attempt to allocate 1/4th of the available memory,
|
||||
clamped to between 1M and 1600M. That seems like a good sort of
|
||||
approach, we just need to figure out if 1/4 is the right fraction
|
||||
for us.
|
||||
|
||||
We don't know in advance how big the kernel and initrd are going to be,
|
||||
which makes figuring out how much memory we can take a bit tricky.
|
||||
|
||||
To figure out how much memory we should leave unused, I looked at:
|
||||
|
||||
- an Ubuntu 20.04.1 ppc64le pseries KVM guest:
|
||||
vmlinux: ~30MB
|
||||
initrd: ~50MB
|
||||
|
||||
- a RHEL8.2 ppc64le pseries KVM guest:
|
||||
vmlinux: ~30MB
|
||||
initrd: ~30MB
|
||||
|
||||
Ubuntu VMs struggle to boot with just 256MB under SLOF.
|
||||
RHEL likewise has a higher minimum supported memory figure.
|
||||
So lets first consider a distro kernel and 512MB of addressible memory.
|
||||
(This is the default case for anything booting under PFW.) Say we lose
|
||||
131MB to PFW (based on some tests). This leaves us 381MB. 1/4 of 381MB
|
||||
is ~95MB. That should be enough to verify a 30MB vmlinux and should
|
||||
leave plenty of space to load Linux and the initrd.
|
||||
|
||||
If we consider 256MB of RMA under PFW, we have just 125MB remaining. 1/4
|
||||
of that is a smidge under 32MB, which gives us very poor odds of verifying
|
||||
a distro-sized kernel. However, if we need 80MB just to put the kernel
|
||||
and initrd in memory, we can't claim any more than 45MB anyway. So 1/4
|
||||
will do. We'll come back to this later.
|
||||
|
||||
grub is always built as a 32-bit binary, even if it's loading a ppc64
|
||||
kernel. So we can't address memory beyond 4GB. This gives a natural cap
|
||||
of 1GB for powerpc-ieee1275.
|
||||
|
||||
Also apply this 1/4 approach to i386-ieee1275, but keep the 32MB cap.
|
||||
|
||||
make check still works for both i386 and powerpc and I've booted
|
||||
powerpc grub with this change under SLOF and PFW.
|
||||
|
||||
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||
---
|
||||
grub-core/kern/ieee1275/init.c | 81 +++++++++++++++++++++++++++++++++---------
|
||||
docs/grub-dev.texi | 6 ++--
|
||||
2 files changed, 69 insertions(+), 18 deletions(-)
|
||||
|
||||
diff --git a/grub-core/kern/ieee1275/init.c b/grub-core/kern/ieee1275/init.c
|
||||
index ee97d761d1e..a6e169bd003 100644
|
||||
--- a/grub-core/kern/ieee1275/init.c
|
||||
+++ b/grub-core/kern/ieee1275/init.c
|
||||
@@ -42,11 +42,12 @@
|
||||
#include <grub/machine/kernel.h>
|
||||
#endif
|
||||
|
||||
-/* The maximum heap size we're going to claim */
|
||||
+/* The maximum heap size we're going to claim. Not used by sparc.
|
||||
+ We allocate 1/4 of the available memory under 4G, up to this limit. */
|
||||
#ifdef __i386__
|
||||
#define HEAP_MAX_SIZE (unsigned long) (64 * 1024 * 1024)
|
||||
-#else
|
||||
-#define HEAP_MAX_SIZE (unsigned long) (32 * 1024 * 1024)
|
||||
+#else // __powerpc__
|
||||
+#define HEAP_MAX_SIZE (unsigned long) (1 * 1024 * 1024 * 1024)
|
||||
#endif
|
||||
|
||||
extern char _end[];
|
||||
@@ -143,16 +144,45 @@ grub_claim_heap (void)
|
||||
+ GRUB_KERNEL_MACHINE_STACK_SIZE), 0x200000);
|
||||
}
|
||||
#else
|
||||
-/* Helper for grub_claim_heap. */
|
||||
+/* Helper for grub_claim_heap on powerpc. */
|
||||
+static int
|
||||
+heap_size (grub_uint64_t addr, grub_uint64_t len, grub_memory_type_t type,
|
||||
+ void *data)
|
||||
+{
|
||||
+ grub_uint32_t total = *(grub_uint32_t *)data;
|
||||
+
|
||||
+ if (type != GRUB_MEMORY_AVAILABLE)
|
||||
+ return 0;
|
||||
+
|
||||
+ /* Do not consider memory beyond 4GB */
|
||||
+ if (addr > 0xffffffffUL)
|
||||
+ return 0;
|
||||
+
|
||||
+ if (addr + len > 0xffffffffUL)
|
||||
+ len = 0xffffffffUL - addr;
|
||||
+
|
||||
+ total += len;
|
||||
+ *(grub_uint32_t *)data = total;
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
static int
|
||||
heap_init (grub_uint64_t addr, grub_uint64_t len, grub_memory_type_t type,
|
||||
void *data)
|
||||
{
|
||||
- unsigned long *total = data;
|
||||
+ grub_uint32_t total = *(grub_uint32_t *)data;
|
||||
|
||||
if (type != GRUB_MEMORY_AVAILABLE)
|
||||
return 0;
|
||||
|
||||
+ /* Do not consider memory beyond 4GB */
|
||||
+ if (addr > 0xffffffffUL)
|
||||
+ return 0;
|
||||
+
|
||||
+ if (addr + len > 0xffffffffUL)
|
||||
+ len = 0xffffffffUL - addr;
|
||||
+
|
||||
if (grub_ieee1275_test_flag (GRUB_IEEE1275_FLAG_NO_PRE1_5M_CLAIM))
|
||||
{
|
||||
if (addr + len <= 0x180000)
|
||||
@@ -166,10 +196,6 @@ heap_init (grub_uint64_t addr, grub_uint64_t len, grub_memory_type_t type,
|
||||
}
|
||||
len -= 1; /* Required for some firmware. */
|
||||
|
||||
- /* Never exceed HEAP_MAX_SIZE */
|
||||
- if (*total + len > HEAP_MAX_SIZE)
|
||||
- len = HEAP_MAX_SIZE - *total;
|
||||
-
|
||||
/* In theory, firmware should already prevent this from happening by not
|
||||
listing our own image in /memory/available. The check below is intended
|
||||
as a safeguard in case that doesn't happen. However, it doesn't protect
|
||||
@@ -181,6 +207,18 @@ heap_init (grub_uint64_t addr, grub_uint64_t len, grub_memory_type_t type,
|
||||
len = 0;
|
||||
}
|
||||
|
||||
+ /* If this block contains 0x30000000 (768MB), do not claim below that.
|
||||
+ Linux likes to claim memory at min(RMO top, 768MB) and works down
|
||||
+ without reference to /memory/available. */
|
||||
+ if ((addr < 0x30000000) && ((addr + len) > 0x30000000))
|
||||
+ {
|
||||
+ len = len - (0x30000000 - addr);
|
||||
+ addr = 0x30000000;
|
||||
+ }
|
||||
+
|
||||
+ if (len > total)
|
||||
+ len = total;
|
||||
+
|
||||
if (len)
|
||||
{
|
||||
grub_err_t err;
|
||||
@@ -189,10 +227,12 @@ heap_init (grub_uint64_t addr, grub_uint64_t len, grub_memory_type_t type,
|
||||
if (err)
|
||||
return err;
|
||||
grub_mm_init_region ((void *) (grub_addr_t) addr, len);
|
||||
+ total -= len;
|
||||
}
|
||||
|
||||
- *total += len;
|
||||
- if (*total >= HEAP_MAX_SIZE)
|
||||
+ *(grub_uint32_t *)data = total;
|
||||
+
|
||||
+ if (total == 0)
|
||||
return 1;
|
||||
|
||||
return 0;
|
||||
@@ -201,13 +241,22 @@ heap_init (grub_uint64_t addr, grub_uint64_t len, grub_memory_type_t type,
|
||||
static void
|
||||
grub_claim_heap (void)
|
||||
{
|
||||
- unsigned long total = 0;
|
||||
+ grub_uint32_t total = 0;
|
||||
|
||||
if (grub_ieee1275_test_flag (GRUB_IEEE1275_FLAG_FORCE_CLAIM))
|
||||
- heap_init (GRUB_IEEE1275_STATIC_HEAP_START, GRUB_IEEE1275_STATIC_HEAP_LEN,
|
||||
- 1, &total);
|
||||
- else
|
||||
- grub_machine_mmap_iterate (heap_init, &total);
|
||||
+ {
|
||||
+ heap_init (GRUB_IEEE1275_STATIC_HEAP_START, GRUB_IEEE1275_STATIC_HEAP_LEN,
|
||||
+ 1, &total);
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ grub_machine_mmap_iterate (heap_size, &total);
|
||||
+
|
||||
+ total = total / 4;
|
||||
+ if (total > HEAP_MAX_SIZE)
|
||||
+ total = HEAP_MAX_SIZE;
|
||||
+
|
||||
+ grub_machine_mmap_iterate (heap_init, &total);
|
||||
}
|
||||
#endif
|
||||
|
||||
diff --git a/docs/grub-dev.texi b/docs/grub-dev.texi
|
||||
index 421dd410e50..03d53498c51 100644
|
||||
--- a/docs/grub-dev.texi
|
||||
+++ b/docs/grub-dev.texi
|
||||
@@ -930,7 +930,9 @@ space is limited to 4GiB. GRUB allocates pages from EFI for its heap, at most
|
||||
1.6 GiB.
|
||||
|
||||
On i386-ieee1275 and powerpc-ieee1275 GRUB uses same stack as IEEE1275.
|
||||
-It allocates at most 32MiB for its heap.
|
||||
+
|
||||
+On i386-ieee1275, GRUB allocates at most 32MiB for its heap. On
|
||||
+powerpc-ieee1275, GRUB allocates up to 1GiB.
|
||||
|
||||
On sparc64-ieee1275 stack is 256KiB and heap is 2MiB.
|
||||
|
||||
@@ -958,7 +960,7 @@ In short:
|
||||
@item i386-qemu @tab 60 KiB @tab < 4 GiB
|
||||
@item *-efi @tab ? @tab < 1.6 GiB
|
||||
@item i386-ieee1275 @tab ? @tab < 32 MiB
|
||||
-@item powerpc-ieee1275 @tab ? @tab < 32 MiB
|
||||
+@item powerpc-ieee1275 @tab ? @tab < 1 GiB
|
||||
@item sparc64-ieee1275 @tab 256KiB @tab 2 MiB
|
||||
@item arm-uboot @tab 256KiB @tab 2 MiB
|
||||
@item mips(el)-qemu_mips @tab 2MiB @tab 253 MiB
|
@ -0,0 +1,268 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Axtens <dja@axtens.net>
|
||||
Date: Fri, 16 Apr 2021 11:48:46 +1000
|
||||
Subject: [PATCH] ieee1275: request memory with ibm,client-architecture-support
|
||||
|
||||
On PowerVM, the first time we boot a Linux partition, we may only get
|
||||
256MB of real memory area, even if the partition has more memory.
|
||||
|
||||
This isn't really enough. Fortunately, the Power Architecture Platform
|
||||
Reference (PAPR) defines a method we can call to ask for more memory.
|
||||
This is part of the broad and powerful ibm,client-architecture-support
|
||||
(CAS) method.
|
||||
|
||||
CAS can do an enormous amount of things on a PAPR platform: as well as
|
||||
asking for memory, you can set the supported processor level, the interrupt
|
||||
controller, hash vs radix mmu, and so on. We want to touch as little of
|
||||
this as possible because we don't want to step on the toes of the future OS.
|
||||
|
||||
If:
|
||||
|
||||
- we are running under what we think is PowerVM (compatible property of /
|
||||
begins with "IBM"), and
|
||||
|
||||
- the full amount of RMA is less than 512MB (as determined by the reg
|
||||
property of /memory)
|
||||
|
||||
then call CAS as follows: (refer to the Linux on Power Architecture
|
||||
Reference, LoPAR, which is public, at B.5.2.3):
|
||||
|
||||
- Use the "any" PVR value and supply 2 option vectors.
|
||||
|
||||
- Set option vector 1 (PowerPC Server Processor Architecture Level)
|
||||
to "ignore".
|
||||
|
||||
- Set option vector 2 with default or Linux-like options, including a
|
||||
min-rma-size of 512MB.
|
||||
|
||||
This will cause a CAS reboot and the partition will restart with 512MB
|
||||
of RMA. Grub will notice the 512MB and not call CAS again.
|
||||
|
||||
(A partition can be configured with only 256MB of memory, which would
|
||||
mean this request couldn't be satisfied, but PFW refuses to load with
|
||||
only 256MB of memory, so it's a bit moot. SLOF will run fine with 256MB,
|
||||
but we will never call CAS under qemu/SLOF because /compatible won't
|
||||
begin with "IBM".)
|
||||
|
||||
One of the first things Linux does while still running under OpenFirmware
|
||||
is to call CAS with a much fuller set of options (including asking for
|
||||
512MB of memory). This includes a much more restrictive set of PVR values
|
||||
and processor support levels, and this will induce another reboot. On this
|
||||
reboot grub will again notice the higher RMA, and not call CAS. We will get
|
||||
to Linux, Linux will call CAS but because the values are now set for Linux
|
||||
this will not induce another CAS reboot and we will finally boot.
|
||||
|
||||
On all subsequent boots, everything will be configured with 512MB of RMA
|
||||
and all the settings Linux likes, so there will be no further CAS reboots.
|
||||
|
||||
(phyp is super sticky with the RMA size - it persists even on cold boots.
|
||||
So if you've ever booted Linux in a partition, you'll probably never have
|
||||
grub call CAS. It'll only ever fire the first time a partition loads grub,
|
||||
or if you deliberately lower the amount of memory your partition has below
|
||||
512MB.)
|
||||
|
||||
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||
---
|
||||
grub-core/kern/ieee1275/cmain.c | 3 +
|
||||
grub-core/kern/ieee1275/init.c | 144 ++++++++++++++++++++++++++++++++++++++-
|
||||
include/grub/ieee1275/ieee1275.h | 8 ++-
|
||||
3 files changed, 152 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/grub-core/kern/ieee1275/cmain.c b/grub-core/kern/ieee1275/cmain.c
|
||||
index 3e14f539368..9d5156462c1 100644
|
||||
--- a/grub-core/kern/ieee1275/cmain.c
|
||||
+++ b/grub-core/kern/ieee1275/cmain.c
|
||||
@@ -124,6 +124,9 @@ grub_ieee1275_find_options (void)
|
||||
break;
|
||||
}
|
||||
}
|
||||
+
|
||||
+ if (grub_strncmp (tmp, "IBM,", 4) == 0)
|
||||
+ grub_ieee1275_set_flag (GRUB_IEEE1275_FLAG_CAN_TRY_CAS_FOR_MORE_MEMORY);
|
||||
}
|
||||
|
||||
if (is_smartfirmware)
|
||||
diff --git a/grub-core/kern/ieee1275/init.c b/grub-core/kern/ieee1275/init.c
|
||||
index a6e169bd003..adf4bd5a88b 100644
|
||||
--- a/grub-core/kern/ieee1275/init.c
|
||||
+++ b/grub-core/kern/ieee1275/init.c
|
||||
@@ -238,6 +238,135 @@ heap_init (grub_uint64_t addr, grub_uint64_t len, grub_memory_type_t type,
|
||||
return 0;
|
||||
}
|
||||
|
||||
+/* How much memory does OF believe it has? (regardless of whether
|
||||
+ it's accessible or not) */
|
||||
+static grub_err_t
|
||||
+grub_ieee1275_total_mem (grub_uint64_t *total)
|
||||
+{
|
||||
+ grub_ieee1275_phandle_t root;
|
||||
+ grub_ieee1275_phandle_t memory;
|
||||
+ grub_uint32_t reg[4];
|
||||
+ grub_ssize_t reg_size;
|
||||
+ grub_uint32_t address_cells = 1;
|
||||
+ grub_uint32_t size_cells = 1;
|
||||
+ grub_uint64_t size;
|
||||
+
|
||||
+ /* If we fail to get to the end, report 0. */
|
||||
+ *total = 0;
|
||||
+
|
||||
+ /* Determine the format of each entry in `reg'. */
|
||||
+ grub_ieee1275_finddevice ("/", &root);
|
||||
+ grub_ieee1275_get_integer_property (root, "#address-cells", &address_cells,
|
||||
+ sizeof address_cells, 0);
|
||||
+ grub_ieee1275_get_integer_property (root, "#size-cells", &size_cells,
|
||||
+ sizeof size_cells, 0);
|
||||
+
|
||||
+ if (size_cells > address_cells)
|
||||
+ address_cells = size_cells;
|
||||
+
|
||||
+ /* Load `/memory/reg'. */
|
||||
+ if (grub_ieee1275_finddevice ("/memory", &memory))
|
||||
+ return grub_error (GRUB_ERR_UNKNOWN_DEVICE,
|
||||
+ "couldn't find /memory node");
|
||||
+ if (grub_ieee1275_get_integer_property (memory, "reg", reg,
|
||||
+ sizeof reg, ®_size))
|
||||
+ return grub_error (GRUB_ERR_UNKNOWN_DEVICE,
|
||||
+ "couldn't examine /memory/reg property");
|
||||
+ if (reg_size < 0 || (grub_size_t) reg_size > sizeof (reg))
|
||||
+ return grub_error (GRUB_ERR_UNKNOWN_DEVICE,
|
||||
+ "/memory response buffer exceeded");
|
||||
+
|
||||
+ if (grub_ieee1275_test_flag (GRUB_IEEE1275_FLAG_BROKEN_ADDRESS_CELLS))
|
||||
+ {
|
||||
+ address_cells = 1;
|
||||
+ size_cells = 1;
|
||||
+ }
|
||||
+
|
||||
+ /* Decode only the size */
|
||||
+ size = reg[address_cells];
|
||||
+ if (size_cells == 2)
|
||||
+ size = (size << 32) | reg[address_cells + 1];
|
||||
+
|
||||
+ *total = size;
|
||||
+
|
||||
+ return grub_errno;
|
||||
+}
|
||||
+
|
||||
+/* Based on linux - arch/powerpc/kernel/prom_init.c */
|
||||
+struct option_vector2 {
|
||||
+ grub_uint8_t byte1;
|
||||
+ grub_uint16_t reserved;
|
||||
+ grub_uint32_t real_base;
|
||||
+ grub_uint32_t real_size;
|
||||
+ grub_uint32_t virt_base;
|
||||
+ grub_uint32_t virt_size;
|
||||
+ grub_uint32_t load_base;
|
||||
+ grub_uint32_t min_rma;
|
||||
+ grub_uint32_t min_load;
|
||||
+ grub_uint8_t min_rma_percent;
|
||||
+ grub_uint8_t max_pft_size;
|
||||
+} __attribute__((packed));
|
||||
+
|
||||
+struct pvr_entry {
|
||||
+ grub_uint32_t mask;
|
||||
+ grub_uint32_t entry;
|
||||
+};
|
||||
+
|
||||
+struct cas_vector {
|
||||
+ struct {
|
||||
+ struct pvr_entry terminal;
|
||||
+ } pvr_list;
|
||||
+ grub_uint8_t num_vecs;
|
||||
+ grub_uint8_t vec1_size;
|
||||
+ grub_uint8_t vec1;
|
||||
+ grub_uint8_t vec2_size;
|
||||
+ struct option_vector2 vec2;
|
||||
+} __attribute__((packed));
|
||||
+
|
||||
+/* Call ibm,client-architecture-support to try to get more RMA.
|
||||
+ We ask for 512MB which should be enough to verify a distro kernel.
|
||||
+ We ignore most errors: if we don't succeed we'll proceed with whatever
|
||||
+ memory we have. */
|
||||
+static void
|
||||
+grub_ieee1275_ibm_cas (void)
|
||||
+{
|
||||
+ int rc;
|
||||
+ grub_ieee1275_ihandle_t root;
|
||||
+ struct cas_args {
|
||||
+ struct grub_ieee1275_common_hdr common;
|
||||
+ grub_ieee1275_cell_t method;
|
||||
+ grub_ieee1275_ihandle_t ihandle;
|
||||
+ grub_ieee1275_cell_t cas_addr;
|
||||
+ grub_ieee1275_cell_t result;
|
||||
+ } args;
|
||||
+ struct cas_vector vector = {
|
||||
+ .pvr_list = { { 0x00000000, 0xffffffff } }, /* any processor */
|
||||
+ .num_vecs = 2 - 1,
|
||||
+ .vec1_size = 0,
|
||||
+ .vec1 = 0x80, /* ignore */
|
||||
+ .vec2_size = 1 + sizeof(struct option_vector2) - 2,
|
||||
+ .vec2 = {
|
||||
+ 0, 0, -1, -1, -1, -1, -1, 512, -1, 0, 48
|
||||
+ },
|
||||
+ };
|
||||
+
|
||||
+ INIT_IEEE1275_COMMON (&args.common, "call-method", 3, 2);
|
||||
+ args.method = (grub_ieee1275_cell_t)"ibm,client-architecture-support";
|
||||
+ rc = grub_ieee1275_open("/", &root);
|
||||
+ if (rc) {
|
||||
+ grub_error (GRUB_ERR_IO, "could not open root when trying to call CAS");
|
||||
+ return;
|
||||
+ }
|
||||
+ args.ihandle = root;
|
||||
+ args.cas_addr = (grub_ieee1275_cell_t)&vector;
|
||||
+
|
||||
+ grub_printf("Calling ibm,client-architecture-support...");
|
||||
+ IEEE1275_CALL_ENTRY_FN (&args);
|
||||
+ grub_printf("done\n");
|
||||
+
|
||||
+ grub_ieee1275_close(root);
|
||||
+}
|
||||
+
|
||||
static void
|
||||
grub_claim_heap (void)
|
||||
{
|
||||
@@ -245,11 +374,22 @@ grub_claim_heap (void)
|
||||
|
||||
if (grub_ieee1275_test_flag (GRUB_IEEE1275_FLAG_FORCE_CLAIM))
|
||||
{
|
||||
- heap_init (GRUB_IEEE1275_STATIC_HEAP_START, GRUB_IEEE1275_STATIC_HEAP_LEN,
|
||||
- 1, &total);
|
||||
+ heap_init (GRUB_IEEE1275_STATIC_HEAP_START,
|
||||
+ GRUB_IEEE1275_STATIC_HEAP_LEN, 1, &total);
|
||||
return;
|
||||
}
|
||||
|
||||
+ if (grub_ieee1275_test_flag (GRUB_IEEE1275_FLAG_CAN_TRY_CAS_FOR_MORE_MEMORY))
|
||||
+ {
|
||||
+ grub_uint64_t rma_size;
|
||||
+ grub_err_t err;
|
||||
+
|
||||
+ err = grub_ieee1275_total_mem (&rma_size);
|
||||
+ /* if we have an error, don't call CAS, just hope for the best */
|
||||
+ if (!err && rma_size < (512 * 1024 * 1024))
|
||||
+ grub_ieee1275_ibm_cas();
|
||||
+ }
|
||||
+
|
||||
grub_machine_mmap_iterate (heap_size, &total);
|
||||
|
||||
total = total / 4;
|
||||
diff --git a/include/grub/ieee1275/ieee1275.h b/include/grub/ieee1275/ieee1275.h
|
||||
index ca08bd96681..131808d6197 100644
|
||||
--- a/include/grub/ieee1275/ieee1275.h
|
||||
+++ b/include/grub/ieee1275/ieee1275.h
|
||||
@@ -147,7 +147,13 @@ enum grub_ieee1275_flag
|
||||
|
||||
GRUB_IEEE1275_FLAG_CURSORONOFF_ANSI_BROKEN,
|
||||
|
||||
- GRUB_IEEE1275_FLAG_DISABLE_VIDEO_SUPPORT
|
||||
+ GRUB_IEEE1275_FLAG_DISABLE_VIDEO_SUPPORT,
|
||||
+
|
||||
+ /* On PFW, the first time we boot a Linux partition, we may only get 256MB
|
||||
+ of real memory area, even if the partition has more memory. Set this flag
|
||||
+ if we think we're running under PFW. Then, if this flag is set, and the
|
||||
+ RMA is only 256MB in size, try asking for more with CAS. */
|
||||
+ GRUB_IEEE1275_FLAG_CAN_TRY_CAS_FOR_MORE_MEMORY,
|
||||
};
|
||||
|
||||
extern int EXPORT_FUNC(grub_ieee1275_test_flag) (enum grub_ieee1275_flag flag);
|
@ -0,0 +1,315 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Javier Martinez Canillas <javierm@redhat.com>
|
||||
Date: Sat, 8 May 2021 02:27:58 +0200
|
||||
Subject: [PATCH] appendedsig/x509: Also handle the Extended Key Usage
|
||||
extension
|
||||
|
||||
Red Hat certificates have both Key Usage and Extended Key Usage extensions
|
||||
present, but the appended signatures x509 parser doesn't handle the latter
|
||||
and so buils due finding an unrecognised critical extension:
|
||||
|
||||
Error loading initial key:
|
||||
../../grub-core/commands/appendedsig/x509.c:780:Unhandled critical x509 extension with OID 2.5.29.37
|
||||
|
||||
Fix this by also parsing the Extended Key Usage extension and handle it by
|
||||
verifying that the certificate has a single purpose, that is code signing.
|
||||
|
||||
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
|
||||
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||
---
|
||||
grub-core/commands/appendedsig/x509.c | 94 ++++++++++++++++++++++++++++++-
|
||||
grub-core/tests/appended_signature_test.c | 29 +++++++++-
|
||||
grub-core/tests/appended_signatures.h | 81 ++++++++++++++++++++++++++
|
||||
3 files changed, 201 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/grub-core/commands/appendedsig/x509.c b/grub-core/commands/appendedsig/x509.c
|
||||
index 652e4f16870..34a2070a7c9 100644
|
||||
--- a/grub-core/commands/appendedsig/x509.c
|
||||
+++ b/grub-core/commands/appendedsig/x509.c
|
||||
@@ -47,6 +47,12 @@ const char *keyUsage_oid = "2.5.29.15";
|
||||
*/
|
||||
const char *basicConstraints_oid = "2.5.29.19";
|
||||
|
||||
+/*
|
||||
+ * RFC 5280 4.2.1.12 Extended Key Usage
|
||||
+ */
|
||||
+const char *extendedKeyUsage_oid = "2.5.29.37";
|
||||
+const char *codeSigningUsage_oid = "1.3.6.1.5.5.7.3.3";
|
||||
+
|
||||
/*
|
||||
* RFC 3279 2.3.1
|
||||
*
|
||||
@@ -651,6 +657,77 @@ cleanup:
|
||||
return err;
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
|
||||
+ *
|
||||
+ * KeyPurposeId ::= OBJECT IDENTIFIER
|
||||
+ */
|
||||
+static grub_err_t
|
||||
+verify_extended_key_usage (grub_uint8_t * value, int value_size)
|
||||
+{
|
||||
+ asn1_node extendedasn;
|
||||
+ int result, count;
|
||||
+ grub_err_t err = GRUB_ERR_NONE;
|
||||
+ char usage[MAX_OID_LEN];
|
||||
+ int usage_size = sizeof (usage);
|
||||
+
|
||||
+ result =
|
||||
+ asn1_create_element (_gnutls_pkix_asn, "PKIX1.ExtKeyUsageSyntax",
|
||||
+ &extendedasn);
|
||||
+ if (result != ASN1_SUCCESS)
|
||||
+ {
|
||||
+ return grub_error (GRUB_ERR_OUT_OF_MEMORY,
|
||||
+ "Could not create ASN.1 structure for Extended Key Usage");
|
||||
+ }
|
||||
+
|
||||
+ result = asn1_der_decoding2 (&extendedasn, value, &value_size,
|
||||
+ ASN1_DECODE_FLAG_STRICT_DER, asn1_error);
|
||||
+ if (result != ASN1_SUCCESS)
|
||||
+ {
|
||||
+ err =
|
||||
+ grub_error (GRUB_ERR_BAD_FILE_TYPE,
|
||||
+ "Error parsing DER for Extended Key Usage: %s",
|
||||
+ asn1_error);
|
||||
+ goto cleanup;
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * If EKUs are present, there must be exactly 1 and it must be a
|
||||
+ * codeSigning usage.
|
||||
+ */
|
||||
+ result = asn1_number_of_elements(extendedasn, "", &count);
|
||||
+ if (result != ASN1_SUCCESS)
|
||||
+ {
|
||||
+ err =
|
||||
+ grub_error (GRUB_ERR_BAD_FILE_TYPE,
|
||||
+ "Error counting number of Extended Key Usages: %s",
|
||||
+ asn1_strerror (result));
|
||||
+ goto cleanup;
|
||||
+ }
|
||||
+
|
||||
+ result = asn1_read_value (extendedasn, "?1", usage, &usage_size);
|
||||
+ if (result != ASN1_SUCCESS)
|
||||
+ {
|
||||
+ err =
|
||||
+ grub_error (GRUB_ERR_BAD_FILE_TYPE,
|
||||
+ "Error reading Extended Key Usage: %s",
|
||||
+ asn1_strerror (result));
|
||||
+ goto cleanup;
|
||||
+ }
|
||||
+
|
||||
+ if (grub_strncmp (codeSigningUsage_oid, usage, usage_size) != 0)
|
||||
+ {
|
||||
+ err =
|
||||
+ grub_error (GRUB_ERR_BAD_FILE_TYPE,
|
||||
+ "Unexpected Extended Key Usage OID, got: %s",
|
||||
+ usage);
|
||||
+ goto cleanup;
|
||||
+ }
|
||||
+
|
||||
+cleanup:
|
||||
+ asn1_delete_structure (&extendedasn);
|
||||
+ return err;
|
||||
+}
|
||||
|
||||
/*
|
||||
* Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
|
||||
@@ -674,7 +751,7 @@ verify_extensions (asn1_node cert)
|
||||
{
|
||||
int result;
|
||||
int ext, num_extensions = 0;
|
||||
- int usage_present = 0, constraints_present = 0;
|
||||
+ int usage_present = 0, constraints_present = 0, extended_usage_present = 0;
|
||||
char *oid_path, *critical_path, *value_path;
|
||||
char extnID[MAX_OID_LEN];
|
||||
int extnID_size;
|
||||
@@ -768,6 +845,15 @@ verify_extensions (asn1_node cert)
|
||||
}
|
||||
constraints_present++;
|
||||
}
|
||||
+ else if (grub_strncmp (extendedKeyUsage_oid, extnID, extnID_size) == 0)
|
||||
+ {
|
||||
+ err = verify_extended_key_usage (value, value_size);
|
||||
+ if (err != GRUB_ERR_NONE)
|
||||
+ {
|
||||
+ goto cleanup_value;
|
||||
+ }
|
||||
+ extended_usage_present++;
|
||||
+ }
|
||||
else if (grub_strncmp ("TRUE", critical, critical_size) == 0)
|
||||
{
|
||||
/*
|
||||
@@ -799,6 +885,12 @@ verify_extensions (asn1_node cert)
|
||||
"Unexpected number of basic constraints extensions - expected 1, got %d",
|
||||
constraints_present);
|
||||
}
|
||||
+ if (extended_usage_present > 1)
|
||||
+ {
|
||||
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
|
||||
+ "Unexpected number of Extended Key Usage extensions - expected 0 or 1, got %d",
|
||||
+ extended_usage_present);
|
||||
+ }
|
||||
return GRUB_ERR_NONE;
|
||||
|
||||
cleanup_value:
|
||||
diff --git a/grub-core/tests/appended_signature_test.c b/grub-core/tests/appended_signature_test.c
|
||||
index 88a485200d8..dbba0616621 100644
|
||||
--- a/grub-core/tests/appended_signature_test.c
|
||||
+++ b/grub-core/tests/appended_signature_test.c
|
||||
@@ -111,6 +111,22 @@ static struct grub_procfs_entry certificate_printable_der_entry = {
|
||||
.get_contents = get_certificate_printable_der
|
||||
};
|
||||
|
||||
+static char *
|
||||
+get_certificate_eku_der (grub_size_t * sz)
|
||||
+{
|
||||
+ char *ret;
|
||||
+ *sz = certificate_eku_der_len;
|
||||
+ ret = grub_malloc (*sz);
|
||||
+ if (ret)
|
||||
+ grub_memcpy (ret, certificate_eku_der, *sz);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+static struct grub_procfs_entry certificate_eku_der_entry = {
|
||||
+ .name = "certificate_eku.der",
|
||||
+ .get_contents = get_certificate_eku_der
|
||||
+};
|
||||
+
|
||||
|
||||
static void
|
||||
do_verify (const char *f, int is_valid)
|
||||
@@ -149,6 +165,7 @@ appended_signature_test (void)
|
||||
char *trust_args2[] = { (char *) "(proc)/certificate2.der", NULL };
|
||||
char *trust_args_printable[] = { (char *) "(proc)/certificate_printable.der",
|
||||
NULL };
|
||||
+ char *trust_args_eku[] = { (char *) "(proc)/certificate_eku.der", NULL };
|
||||
char *distrust_args[] = { (char *) "1", NULL };
|
||||
char *distrust2_args[] = { (char *) "2", NULL };
|
||||
grub_err_t err;
|
||||
@@ -157,6 +174,7 @@ appended_signature_test (void)
|
||||
grub_procfs_register ("certificate2.der", &certificate2_der_entry);
|
||||
grub_procfs_register ("certificate_printable.der",
|
||||
&certificate_printable_der_entry);
|
||||
+ grub_procfs_register ("certificate_eku.der", &certificate_eku_der_entry);
|
||||
|
||||
cmd_trust = grub_command_find ("trust_certificate");
|
||||
if (!cmd_trust)
|
||||
@@ -266,16 +284,23 @@ appended_signature_test (void)
|
||||
|
||||
/*
|
||||
* Lastly, check a certificate that uses printableString rather than
|
||||
- * utf8String loads properly.
|
||||
+ * utf8String loads properly, and that a certificate with an appropriate
|
||||
+ * extended key usage loads.
|
||||
*/
|
||||
err = (cmd_trust->func) (cmd_trust, 1, trust_args_printable);
|
||||
grub_test_assert (err == GRUB_ERR_NONE,
|
||||
- "distrusting printable certificate failed: %d: %s",
|
||||
+ "trusting printable certificate failed: %d: %s",
|
||||
+ grub_errno, grub_errmsg);
|
||||
+
|
||||
+ err = (cmd_trust->func) (cmd_trust, 1, trust_args_eku);
|
||||
+ grub_test_assert (err == GRUB_ERR_NONE,
|
||||
+ "trusting certificate with extended key usage failed: %d: %s",
|
||||
grub_errno, grub_errmsg);
|
||||
|
||||
grub_procfs_unregister (&certificate_der_entry);
|
||||
grub_procfs_unregister (&certificate2_der_entry);
|
||||
grub_procfs_unregister (&certificate_printable_der_entry);
|
||||
+ grub_procfs_unregister (&certificate_eku_der_entry);
|
||||
}
|
||||
|
||||
GRUB_FUNCTIONAL_TEST (appended_signature_test, appended_signature_test);
|
||||
diff --git a/grub-core/tests/appended_signatures.h b/grub-core/tests/appended_signatures.h
|
||||
index aa3dc6278e3..2e5ebd7d8bd 100644
|
||||
--- a/grub-core/tests/appended_signatures.h
|
||||
+++ b/grub-core/tests/appended_signatures.h
|
||||
@@ -555,3 +555,84 @@ unsigned char certificate_printable_der[] = {
|
||||
0xd2
|
||||
};
|
||||
unsigned int certificate_printable_der_len = 829;
|
||||
+
|
||||
+unsigned char certificate_eku_der[] = {
|
||||
+ 0x30, 0x82, 0x03, 0x90, 0x30, 0x82, 0x02, 0x78, 0xa0, 0x03, 0x02, 0x01,
|
||||
+ 0x02, 0x02, 0x09, 0x00, 0xd3, 0x9c, 0x41, 0x33, 0xdd, 0x6b, 0x5f, 0x45,
|
||||
+ 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
|
||||
+ 0x0b, 0x05, 0x00, 0x30, 0x47, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55,
|
||||
+ 0x04, 0x03, 0x0c, 0x18, 0x52, 0x65, 0x64, 0x20, 0x48, 0x61, 0x74, 0x20,
|
||||
+ 0x53, 0x65, 0x63, 0x75, 0x72, 0x65, 0x20, 0x42, 0x6f, 0x6f, 0x74, 0x20,
|
||||
+ 0x43, 0x41, 0x20, 0x36, 0x31, 0x22, 0x30, 0x20, 0x06, 0x09, 0x2a, 0x86,
|
||||
+ 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x13, 0x73, 0x65, 0x63,
|
||||
+ 0x61, 0x6c, 0x65, 0x72, 0x74, 0x40, 0x72, 0x65, 0x64, 0x68, 0x61, 0x74,
|
||||
+ 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x32, 0x31, 0x30, 0x32,
|
||||
+ 0x31, 0x35, 0x31, 0x34, 0x30, 0x30, 0x34, 0x34, 0x5a, 0x17, 0x0d, 0x33,
|
||||
+ 0x38, 0x30, 0x31, 0x31, 0x37, 0x31, 0x34, 0x30, 0x30, 0x34, 0x34, 0x5a,
|
||||
+ 0x30, 0x4e, 0x31, 0x28, 0x30, 0x26, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c,
|
||||
+ 0x1f, 0x52, 0x65, 0x64, 0x20, 0x48, 0x61, 0x74, 0x20, 0x53, 0x65, 0x63,
|
||||
+ 0x75, 0x72, 0x65, 0x20, 0x42, 0x6f, 0x6f, 0x74, 0x20, 0x53, 0x69, 0x67,
|
||||
+ 0x6e, 0x69, 0x6e, 0x67, 0x20, 0x36, 0x30, 0x32, 0x31, 0x22, 0x30, 0x20,
|
||||
+ 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16,
|
||||
+ 0x13, 0x73, 0x65, 0x63, 0x61, 0x6c, 0x65, 0x72, 0x74, 0x40, 0x72, 0x65,
|
||||
+ 0x64, 0x68, 0x61, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22,
|
||||
+ 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
|
||||
+ 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a,
|
||||
+ 0x02, 0x82, 0x01, 0x01, 0x00, 0xaa, 0x6f, 0xbb, 0x92, 0x77, 0xd7, 0x15,
|
||||
+ 0xef, 0x88, 0x80, 0x88, 0xc0, 0xe7, 0x89, 0xeb, 0x35, 0x76, 0xf4, 0x85,
|
||||
+ 0x05, 0x0f, 0x19, 0xe4, 0x5f, 0x25, 0xdd, 0xc1, 0xa2, 0xe5, 0x5c, 0x06,
|
||||
+ 0xfb, 0xf1, 0x06, 0xb5, 0x65, 0x45, 0xcb, 0xbd, 0x19, 0x33, 0x54, 0xb5,
|
||||
+ 0x1a, 0xcd, 0xe4, 0xa8, 0x35, 0x2a, 0xfe, 0x9c, 0x53, 0xf4, 0xc6, 0x76,
|
||||
+ 0xdb, 0x1f, 0x8a, 0xd4, 0x7b, 0x18, 0x11, 0xaf, 0xa3, 0x90, 0xd4, 0xdd,
|
||||
+ 0x4d, 0xd5, 0x42, 0xcc, 0x14, 0x9a, 0x64, 0x6b, 0xc0, 0x7f, 0xaa, 0x1c,
|
||||
+ 0x94, 0x47, 0x4d, 0x79, 0xbd, 0x57, 0x9a, 0xbf, 0x99, 0x4e, 0x96, 0xa9,
|
||||
+ 0x31, 0x2c, 0xa9, 0xe7, 0x14, 0x65, 0x86, 0xc8, 0xac, 0x79, 0x5e, 0x78,
|
||||
+ 0xa4, 0x3c, 0x00, 0x24, 0xd3, 0xf7, 0xe1, 0xf5, 0x12, 0xad, 0xa0, 0x29,
|
||||
+ 0xe5, 0xfe, 0x80, 0xae, 0xf8, 0xaa, 0x60, 0x36, 0xe7, 0xe8, 0x94, 0xcb,
|
||||
+ 0xe9, 0xd1, 0xcc, 0x0b, 0x4d, 0xf7, 0xde, 0xeb, 0x52, 0xd2, 0x73, 0x09,
|
||||
+ 0x28, 0xdf, 0x48, 0x99, 0x53, 0x9f, 0xc5, 0x9a, 0xd4, 0x36, 0xa3, 0xc6,
|
||||
+ 0x5e, 0x8d, 0xbe, 0xd5, 0xdc, 0x76, 0xb4, 0x74, 0xb8, 0x26, 0x18, 0x27,
|
||||
+ 0xfb, 0xf2, 0xfb, 0xd0, 0x9b, 0x3d, 0x7f, 0x10, 0xe2, 0xab, 0x44, 0xc7,
|
||||
+ 0x88, 0x7f, 0xb4, 0x3d, 0x3e, 0xa3, 0xff, 0x6d, 0x06, 0x4b, 0x3e, 0x55,
|
||||
+ 0xb2, 0x84, 0xf4, 0xad, 0x54, 0x88, 0x81, 0xc3, 0x9c, 0xf8, 0xb6, 0x68,
|
||||
+ 0x96, 0x38, 0x8b, 0xcd, 0x90, 0x6d, 0x25, 0x4b, 0xbf, 0x0c, 0x44, 0x90,
|
||||
+ 0xa5, 0x5b, 0x98, 0xd0, 0x40, 0x2f, 0xbb, 0x0d, 0xa8, 0x4b, 0x8a, 0x62,
|
||||
+ 0x82, 0x46, 0x46, 0x18, 0x38, 0xae, 0x82, 0x07, 0xd0, 0xb4, 0x2f, 0x16,
|
||||
+ 0x79, 0x55, 0x9f, 0x1b, 0xc5, 0x08, 0x6d, 0x85, 0xdf, 0x3f, 0xa9, 0x9b,
|
||||
+ 0x4b, 0xc6, 0x28, 0xd3, 0x58, 0x72, 0x3d, 0x37, 0x11, 0x02, 0x03, 0x01,
|
||||
+ 0x00, 0x01, 0xa3, 0x78, 0x30, 0x76, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d,
|
||||
+ 0x13, 0x01, 0x01, 0xff, 0x04, 0x02, 0x30, 0x00, 0x30, 0x0e, 0x06, 0x03,
|
||||
+ 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x07, 0x80,
|
||||
+ 0x30, 0x16, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x01, 0x01, 0xff, 0x04, 0x0c,
|
||||
+ 0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x03,
|
||||
+ 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x6c,
|
||||
+ 0xe4, 0x6c, 0x27, 0xaa, 0xcd, 0x0d, 0x4b, 0x74, 0x21, 0xa4, 0xf6, 0x5f,
|
||||
+ 0x87, 0xb5, 0x31, 0xfe, 0x10, 0xbb, 0xa7, 0x30, 0x1f, 0x06, 0x03, 0x55,
|
||||
+ 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0xe8, 0x6a, 0x1c, 0xab,
|
||||
+ 0x2c, 0x48, 0xf9, 0x60, 0x36, 0xa2, 0xf0, 0x7b, 0x8e, 0xd2, 0x9d, 0xb4,
|
||||
+ 0x2a, 0x28, 0x98, 0xc8, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
|
||||
+ 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00,
|
||||
+ 0x55, 0x34, 0xe2, 0xfa, 0xf6, 0x89, 0x86, 0xad, 0x92, 0x21, 0xec, 0xb9,
|
||||
+ 0x54, 0x0e, 0x18, 0x47, 0x0d, 0x1b, 0xa7, 0x58, 0xad, 0x69, 0xe4, 0xef,
|
||||
+ 0x3b, 0xe6, 0x8d, 0xdd, 0xda, 0x0c, 0x45, 0xf6, 0xe8, 0x96, 0xa4, 0x29,
|
||||
+ 0x0f, 0xbb, 0xcf, 0x16, 0xae, 0x93, 0xd0, 0xcb, 0x2a, 0x26, 0x1a, 0x7b,
|
||||
+ 0xfc, 0x51, 0x22, 0x76, 0x98, 0x31, 0xa7, 0x0f, 0x29, 0x35, 0x79, 0xbf,
|
||||
+ 0xe2, 0x4f, 0x0f, 0x14, 0xf5, 0x1f, 0xcb, 0xbf, 0x87, 0x65, 0x13, 0x32,
|
||||
+ 0xa3, 0x19, 0x4a, 0xd1, 0x3f, 0x45, 0xd4, 0x4b, 0xe2, 0x00, 0x26, 0xa9,
|
||||
+ 0x3e, 0xd7, 0xa5, 0x37, 0x9f, 0xf5, 0xad, 0x61, 0xe2, 0x40, 0xa9, 0x74,
|
||||
+ 0x24, 0x53, 0xf2, 0x78, 0xeb, 0x10, 0x9b, 0x2c, 0x27, 0x88, 0x46, 0xcb,
|
||||
+ 0xe4, 0x60, 0xca, 0xf5, 0x06, 0x24, 0x40, 0x2a, 0x97, 0x3a, 0xcc, 0xd0,
|
||||
+ 0x81, 0xb1, 0x15, 0xa3, 0x4f, 0xd0, 0x2b, 0x4f, 0xca, 0x6e, 0xaa, 0x24,
|
||||
+ 0x31, 0xb3, 0xac, 0xa6, 0x75, 0x05, 0xfe, 0x8a, 0xf4, 0x41, 0xc4, 0x06,
|
||||
+ 0x8a, 0xc7, 0x0a, 0x83, 0x4e, 0x49, 0xd4, 0x3f, 0x83, 0x50, 0xec, 0x57,
|
||||
+ 0x04, 0x97, 0x14, 0x49, 0xf5, 0xe1, 0xb1, 0x7a, 0x9c, 0x09, 0x4f, 0x61,
|
||||
+ 0x87, 0xc3, 0x97, 0x22, 0x17, 0xc2, 0xeb, 0xcc, 0x32, 0x81, 0x31, 0x21,
|
||||
+ 0x3f, 0x10, 0x57, 0x5b, 0x43, 0xbe, 0xcd, 0x68, 0x82, 0xbe, 0xe5, 0xc1,
|
||||
+ 0x65, 0x94, 0x7e, 0xc2, 0x34, 0x76, 0x2b, 0xcf, 0x89, 0x3c, 0x2b, 0x81,
|
||||
+ 0x23, 0x72, 0x95, 0xcf, 0xc9, 0x67, 0x19, 0x2a, 0xd5, 0x5c, 0xca, 0xa3,
|
||||
+ 0x46, 0xbd, 0x48, 0x06, 0x0b, 0xa6, 0xa3, 0x96, 0x50, 0x28, 0xc7, 0x7e,
|
||||
+ 0xcf, 0x62, 0xf2, 0xfa, 0xc4, 0xf2, 0x53, 0xe3, 0xc9, 0xe8, 0x2e, 0xdd,
|
||||
+ 0x29, 0x37, 0x07, 0x47, 0xff, 0xff, 0x8a, 0x32, 0xbd, 0xa2, 0xb7, 0x21,
|
||||
+ 0x89, 0xa0, 0x55, 0xf7
|
||||
+};
|
||||
+unsigned int certificate_eku_der_len = 916;
|
@ -0,0 +1,123 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Javier Martinez Canillas <javierm@redhat.com>
|
||||
Date: Thu, 8 Jul 2021 16:39:39 +0200
|
||||
Subject: [PATCH] normal/main: Discover the device to read the config from as a
|
||||
fallback
|
||||
|
||||
The GRUB core.img is generated locally, when this is done the grub2-probe
|
||||
tool figures out the device and partition that needs to be read to parse
|
||||
the GRUB configuration file.
|
||||
|
||||
But in some cases the core.img can't be generated on the host and instead
|
||||
has to be done at package build time. For example, if needs to get signed
|
||||
with a key that's only available on the package building infrastructure.
|
||||
|
||||
If that's the case, the prefix variable won't have a device and partition
|
||||
but only a directory path. So there's no way for GRUB to know from which
|
||||
device has to read the configuration file.
|
||||
|
||||
To allow GRUB to continue working on that scenario, fallback to iterating
|
||||
over all the available devices, if reading the config failed when using
|
||||
the prefix and fw_path variables.
|
||||
|
||||
Related: rhbz#1899864
|
||||
|
||||
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
|
||||
---
|
||||
grub-core/normal/main.c | 58 +++++++++++++++++++++++++++++++++++++++++++------
|
||||
1 file changed, 51 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
|
||||
index 49141039f8f..93f33c16732 100644
|
||||
--- a/grub-core/normal/main.c
|
||||
+++ b/grub-core/normal/main.c
|
||||
@@ -333,16 +333,11 @@ grub_enter_normal_mode (const char *config)
|
||||
}
|
||||
|
||||
static grub_err_t
|
||||
-grub_try_normal (const char *variable)
|
||||
+grub_try_normal_prefix (const char *prefix)
|
||||
{
|
||||
char *config;
|
||||
- const char *prefix;
|
||||
grub_err_t err = GRUB_ERR_FILE_NOT_FOUND;
|
||||
|
||||
- prefix = grub_env_get (variable);
|
||||
- if (!prefix)
|
||||
- return GRUB_ERR_FILE_NOT_FOUND;
|
||||
-
|
||||
if (grub_strncmp (prefix + 1, "tftp", sizeof ("tftp") - 1) == 0)
|
||||
{
|
||||
grub_size_t config_len;
|
||||
@@ -351,7 +346,7 @@ grub_try_normal (const char *variable)
|
||||
config = grub_malloc (config_len);
|
||||
|
||||
if (! config)
|
||||
- return GRUB_ERR_FILE_NOT_FOUND;
|
||||
+ return err;
|
||||
|
||||
grub_snprintf (config, config_len, "%s/grub.cfg", prefix);
|
||||
err = grub_net_search_configfile (config);
|
||||
@@ -380,6 +375,53 @@ grub_try_normal (const char *variable)
|
||||
return err;
|
||||
}
|
||||
|
||||
+static int
|
||||
+grub_try_normal_dev (const char *name, void *data)
|
||||
+{
|
||||
+ grub_err_t err;
|
||||
+ const char *prefix = grub_xasprintf ("(%s)%s", name, (char *)data);
|
||||
+
|
||||
+ if (!prefix)
|
||||
+ return 0;
|
||||
+
|
||||
+ err = grub_try_normal_prefix (prefix);
|
||||
+ if (err == GRUB_ERR_NONE)
|
||||
+ return 1;
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+static grub_err_t
|
||||
+grub_try_normal_discover (void)
|
||||
+{
|
||||
+ char *prefix = grub_env_get ("prefix");
|
||||
+ grub_err_t err = GRUB_ERR_FILE_NOT_FOUND;
|
||||
+
|
||||
+ if (!prefix)
|
||||
+ return err;
|
||||
+
|
||||
+ if (grub_device_iterate (grub_try_normal_dev, (void *)prefix))
|
||||
+ return GRUB_ERR_NONE;
|
||||
+
|
||||
+ return err;
|
||||
+}
|
||||
+
|
||||
+static grub_err_t
|
||||
+grub_try_normal (const char *variable)
|
||||
+{
|
||||
+ grub_err_t err = GRUB_ERR_FILE_NOT_FOUND;
|
||||
+ const char *prefix;
|
||||
+
|
||||
+ if (!variable)
|
||||
+ return err;
|
||||
+
|
||||
+ prefix = grub_env_get (variable);
|
||||
+ if (!prefix)
|
||||
+ return err;
|
||||
+
|
||||
+ return grub_try_normal_prefix (prefix);
|
||||
+}
|
||||
+
|
||||
/* Enter normal mode from rescue mode. */
|
||||
static grub_err_t
|
||||
grub_cmd_normal (struct grub_command *cmd __attribute__ ((unused)),
|
||||
@@ -394,6 +436,8 @@ grub_cmd_normal (struct grub_command *cmd __attribute__ ((unused)),
|
||||
err = grub_try_normal ("fw_path");
|
||||
if (err == GRUB_ERR_FILE_NOT_FOUND)
|
||||
err = grub_try_normal ("prefix");
|
||||
+ if (err == GRUB_ERR_FILE_NOT_FOUND)
|
||||
+ err = grub_try_normal_discover ();
|
||||
if (err == GRUB_ERR_FILE_NOT_FOUND)
|
||||
grub_enter_normal_mode (0);
|
||||
}
|
@ -0,0 +1,75 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Axtens <dja@axtens.net>
|
||||
Date: Mon, 19 Jul 2021 14:35:55 +1000
|
||||
Subject: [PATCH] powerpc: adjust setting of prefix for signed binary case
|
||||
|
||||
On RHEL-signed powerpc grub, we sign a grub with -p /grub2 and expect
|
||||
that there's a boot partition.
|
||||
|
||||
Unfortunately grub_set_prefix_and_root tries to convert this to
|
||||
($fwdevice)/grub2. This ends up being (ieee1275/disk)/grub2 and that
|
||||
falls apart pretty quickly - there's no file-system on ieee1275/disk,
|
||||
and it makes the search routine try things like
|
||||
(ieee1275/disk,msdos2)(ieee1275/disk)/grub2 which also doesn't work.
|
||||
|
||||
Detect if we would be about to create (ieee1275/disk)/path and don't:
|
||||
preserve a prefix of /path instead and hope the search later finds us.
|
||||
|
||||
Related: rhbz#1899864
|
||||
|
||||
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||
---
|
||||
grub-core/kern/main.c | 38 +++++++++++++++++++++++++++++++++-----
|
||||
1 file changed, 33 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/grub-core/kern/main.c b/grub-core/kern/main.c
|
||||
index 9bf6a8b231a..25dbcfef1f6 100644
|
||||
--- a/grub-core/kern/main.c
|
||||
+++ b/grub-core/kern/main.c
|
||||
@@ -215,13 +215,41 @@ grub_set_prefix_and_root (void)
|
||||
if (device)
|
||||
{
|
||||
char *prefix_set;
|
||||
-
|
||||
- prefix_set = grub_xasprintf ("(%s)%s", device, path ? : "");
|
||||
- if (prefix_set)
|
||||
+
|
||||
+#ifdef __powerpc__
|
||||
+ /* We have to be careful here on powerpc-ieee1275 + signed grub. We
|
||||
+ will have signed something with a prefix that doesn't have a device
|
||||
+ because we cannot know in advance what partition we're on.
|
||||
+
|
||||
+ We will have had !device earlier, so we will have set device=fwdevice
|
||||
+ However, we want to make sure we do not end up setting prefix to be
|
||||
+ ($fwdevice)/path, because we will then end up trying to boot or search
|
||||
+ based on a prefix of (ieee1275/disk)/path, which will not work because
|
||||
+ it's missing a partition.
|
||||
+
|
||||
+ Also:
|
||||
+ - You can end up with a device with an FS directly on it, without
|
||||
+ a partition, e.g. ieee1275/cdrom.
|
||||
+
|
||||
+ - powerpc-ieee1275 + grub-install sets e.g. prefix=(,gpt2)/path,
|
||||
+ which will have now been extended to device=$fwdisk,partition
|
||||
+ and path=/path
|
||||
+
|
||||
+ So we only need to act if device = ieee1275/disk exactly.
|
||||
+ */
|
||||
+ if (grub_strncmp (device, "ieee1275/disk", 14) == 0)
|
||||
+ grub_env_set ("prefix", path);
|
||||
+ else
|
||||
+#endif
|
||||
{
|
||||
- grub_env_set ("prefix", prefix_set);
|
||||
- grub_free (prefix_set);
|
||||
+ prefix_set = grub_xasprintf ("(%s)%s", device, path ? : "");
|
||||
+ if (prefix_set)
|
||||
+ {
|
||||
+ grub_env_set ("prefix", prefix_set);
|
||||
+ grub_free (prefix_set);
|
||||
+ }
|
||||
}
|
||||
+
|
||||
grub_env_set ("root", device);
|
||||
}
|
||||
|
@ -0,0 +1,43 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Axtens <dja@axtens.net>
|
||||
Date: Mon, 16 Aug 2021 16:01:47 +1000
|
||||
Subject: [PATCH] powerpc: fix prefix + signed grub special case for PowerVM
|
||||
|
||||
Mea culpa: when testing the PowerPC special case for signed grub, I
|
||||
assumed qemu and PowerVM would behave identically. This was wrong, and
|
||||
with hindsight a pretty dumb error.
|
||||
|
||||
This fixes it. This time, I am actually testing on PowerVM.
|
||||
|
||||
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||
---
|
||||
grub-core/kern/main.c | 15 +++++++++++++--
|
||||
1 file changed, 13 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/grub-core/kern/main.c b/grub-core/kern/main.c
|
||||
index 25dbcfef1f6..40a709117f1 100644
|
||||
--- a/grub-core/kern/main.c
|
||||
+++ b/grub-core/kern/main.c
|
||||
@@ -235,9 +235,20 @@ grub_set_prefix_and_root (void)
|
||||
which will have now been extended to device=$fwdisk,partition
|
||||
and path=/path
|
||||
|
||||
- So we only need to act if device = ieee1275/disk exactly.
|
||||
+ - PowerVM will give us device names like
|
||||
+ ieee1275//vdevice/v-scsi@3000006c/disk@8100000000000000
|
||||
+ and we don't want to try to encode some sort of truth table about
|
||||
+ what sorts of paths represent disks with partition tables and those
|
||||
+ without partition tables.
|
||||
+
|
||||
+ So we act unless there is a comma in the device, which would indicate
|
||||
+ a partition has already been specified.
|
||||
+
|
||||
+ (If we only have a path, the code in normal to discover config files
|
||||
+ will try both without partitions and then with any partitions so we
|
||||
+ will cover both CDs and HDs.)
|
||||
*/
|
||||
- if (grub_strncmp (device, "ieee1275/disk", 14) == 0)
|
||||
+ if (grub_strchr (device, ',') == NULL)
|
||||
grub_env_set ("prefix", path);
|
||||
else
|
||||
#endif
|
@ -75,6 +75,14 @@ case "$COMMAND" in
|
||||
command -v restorecon &>/dev/null && \
|
||||
restorecon "/boot/.${KERNEL_IMAGE##*/}-${KERNEL_VERSION}.hmac"
|
||||
fi
|
||||
# symvers is symvers-<version>.gz symlink, needs a special treatment
|
||||
i="$KERNEL_DIR/symvers.gz"
|
||||
if [[ -e "$i" ]]; then
|
||||
rm -f "/boot/symvers-${KERNEL_VERSION}.gz"
|
||||
ln -s "$i" "/boot/symvers-${KERNEL_VERSION}.gz"
|
||||
command -v restorecon &>/dev/null && \
|
||||
restorecon "/boot/symvers-${KERNEL_VERSION}.gz"
|
||||
fi
|
||||
fi
|
||||
|
||||
if [[ "x${GRUB_ENABLE_BLSCFG}" = "xtrue" ]] || [[ ! -f /sbin/new-kernel-pkg ]]; then
|
||||
@ -154,6 +162,8 @@ case "$COMMAND" in
|
||||
done
|
||||
# hmac is .vmlinuz-<version>.hmac so needs a special treatment
|
||||
rm -f "/boot/.vmlinuz-${KERNEL_VERSION}.hmac"
|
||||
# symvers is symvers-<version>.gz symlink, needs a special treatment
|
||||
rm -f "/boot/symvers-${KERNEL_VERSION}.gz"
|
||||
|
||||
exit 0
|
||||
fi
|
||||
|
@ -71,6 +71,7 @@
|
||||
%global with_legacy_arch 0
|
||||
%global grubefiarch %{nil}
|
||||
%global grublegacyarch %{nil}
|
||||
%global grubelfname %{nil}
|
||||
|
||||
# sparc is always compiled 64 bit
|
||||
%ifarch %{sparc}
|
||||
@ -108,13 +109,24 @@
|
||||
%{!?with_efi_only:%global without_efi_only 0}
|
||||
%{?with_efi_only:%global without_efi_only 1}
|
||||
|
||||
### fixme
|
||||
%ifarch aarch64 %{arm}
|
||||
%global platform_modules " "
|
||||
%else
|
||||
|
||||
%ifarch %{efi_arch}
|
||||
%global efi_modules " efi_netfs efifwsetup efinet lsefi lsefimmap "
|
||||
%endif
|
||||
|
||||
%ifarch x86_64 %{ix86}
|
||||
%global platform_modules " backtrace chain usb usbserial_common usbserial_pl2303 usbserial_ftdi usbserial_usbdebug keylayouts at_keyboard "
|
||||
%endif
|
||||
|
||||
%ifarch ppc64le
|
||||
%global platform_modules " appendedsig "
|
||||
%endif
|
||||
|
||||
%ifarch aarch64 %{arm}
|
||||
%global platform_modules " "
|
||||
%endif
|
||||
|
||||
|
||||
%ifarch aarch64 %{arm}
|
||||
%global legacy_provides -l
|
||||
%endif
|
||||
@ -203,6 +215,7 @@
|
||||
%global with_legacy_arch 1
|
||||
%global grublegacyarch %{legacy_target_cpu_name}-%{platform}
|
||||
%global moduledir %{legacy_target_cpu_name}-%{platform}
|
||||
%global grubelfname core.elf
|
||||
%endif
|
||||
|
||||
%global evr %{epoch}:%{version}-%{release}
|
||||
@ -366,45 +379,85 @@ for x in grub-mkimage ; do \\\
|
||||
done \
|
||||
%{nil}
|
||||
|
||||
%global grub_modules " all_video boot blscfg btrfs \\\
|
||||
cat configfile cryptodisk echo ext2 \\\
|
||||
fat font gcry_rijndael gcry_rsa gcry_serpent \\\
|
||||
gcry_sha256 gcry_twofish gcry_whirlpool \\\
|
||||
gfxmenu gfxterm gzio halt hfsplus http \\\
|
||||
increment iso9660 jpeg loadenv loopback linux \\\
|
||||
lvm luks mdraid09 mdraid1x minicmd net \\\
|
||||
normal part_apple part_msdos part_gpt \\\
|
||||
password_pbkdf2 png reboot regexp search \\\
|
||||
search_fs_uuid search_fs_file search_label \\\
|
||||
serial sleep syslinuxcfg test tftp video xfs" \
|
||||
|
||||
%ifarch x86_64 aarch64 %{arm}
|
||||
%define mkimage() \
|
||||
%define efi_mkimage() \
|
||||
%{4}./grub-mkimage -O %{1} -o %{2}.orig \\\
|
||||
-p /EFI/%{efi_vendor} -d grub-core ${GRUB_MODULES} \\\
|
||||
--sbat %{4}./sbat.csv \
|
||||
-p /EFI/%{efi_vendor} -d grub-core \\\
|
||||
--sbat %{4}./sbat.csv \\\
|
||||
${GRUB_MODULES} \
|
||||
%{4}./grub-mkimage -O %{1} -o %{3}.orig \\\
|
||||
-p /EFI/BOOT -d grub-core ${GRUB_MODULES} \\\
|
||||
--sbat %{4}./sbat.csv \
|
||||
-p /EFI/BOOT -d grub-core \\\
|
||||
--sbat %{4}./sbat.csv \\\
|
||||
${GRUB_MODULES} \
|
||||
%{expand:%%{pesign -s -i %%{2}.orig -o %%{2}.one -a %%{5} -c %%{6} -n %%{7}}} \
|
||||
%{expand:%%{pesign -s -i %%{3}.orig -o %%{3}.one -a %%{5} -c %%{6} -n %%{7}}} \
|
||||
%{expand:%%{pesign -s -i %%{2}.one -o %%{2} -a %%{8} -c %%{9} -n %%{10}}} \
|
||||
%{expand:%%{pesign -s -i %%{3}.one -o %%{3} -a %%{8} -c %%{9} -n %%{10}}} \
|
||||
%{nil}
|
||||
%else
|
||||
%define mkimage() \
|
||||
%define efi_mkimage() \
|
||||
%{4}./grub-mkimage -O %{1} -o %{2} \\\
|
||||
-p /EFI/%{efi_vendor} -d grub-core ${GRUB_MODULES} \
|
||||
-p /EFI/%{efi_vendor} -d grub-core \\\
|
||||
${GRUB_MODULES} \
|
||||
%{4}./grub-mkimage -O %{1} -o %{3} \\\
|
||||
-p /EFI/BOOT -d grub-core ${GRUB_MODULES} \
|
||||
-p /EFI/BOOT -d grub-core \\\
|
||||
${GRUB_MODULES} \
|
||||
%{nil}
|
||||
%endif
|
||||
|
||||
%ifarch ppc64le
|
||||
%define ieee1275_mkimage() \
|
||||
APPENDED_SIG_SIZE=0 \
|
||||
if [ -x /usr/bin/rpm-sign ]; then \
|
||||
touch empty.unsigned \
|
||||
rpm-sign --key %{5} \\\
|
||||
--lkmsign empty.unsigned \\\
|
||||
--output empty.signed \
|
||||
APPENDED_SIG_SIZE="$(stat -c '%s' empty.signed)" \
|
||||
rm empty.{un,}signed \
|
||||
fi \
|
||||
# FIXME: using this prefix is fragile, must be done properly \
|
||||
./grub-mkimage -O %{1} -o %{2}.orig \\\
|
||||
-p '/grub2' -d grub-core \\\
|
||||
-x %{3} -x %{4} \\\
|
||||
--appended-signature-size ${APPENDED_SIG_SIZE} \\\
|
||||
${GRUB_MODULES} \
|
||||
if [ -x /usr/bin/rpm-sign ]; then \
|
||||
truncate -s -${APPENDED_SIG_SIZE} %{2}.orig \
|
||||
rpm-sign --key %{5} \\\
|
||||
--lkmsign %{2}.orig \\\
|
||||
--output %{2} \
|
||||
else \
|
||||
mv %{2}.orig %{2} \
|
||||
fi \
|
||||
%{nil}
|
||||
%endif
|
||||
|
||||
%define do_efi_build_images() \
|
||||
GRUB_MODULES=" all_video boot blscfg btrfs \\\
|
||||
cat configfile cryptodisk \\\
|
||||
echo efi_netfs efifwsetup efinet ext2 \\\
|
||||
fat font gcry_rijndael gcry_rsa gcry_serpent \\\
|
||||
gcry_sha256 gcry_twofish gcry_whirlpool \\\
|
||||
gfxmenu gfxterm gzio \\\
|
||||
halt hfsplus http increment iso9660 jpeg \\\
|
||||
loadenv loopback linux lvm lsefi lsefimmap luks \\\
|
||||
mdraid09 mdraid1x minicmd net \\\
|
||||
normal part_apple part_msdos part_gpt \\\
|
||||
password_pbkdf2 png reboot \\\
|
||||
regexp search search_fs_uuid search_fs_file \\\
|
||||
search_label serial sleep syslinuxcfg test tftp \\\
|
||||
video xfs" \
|
||||
GRUB_MODULES+=%{grub_modules} \
|
||||
GRUB_MODULES+=%{efi_modules} \
|
||||
GRUB_MODULES+=%{platform_modules} \
|
||||
%{expand:%%{mkimage %{1} %{2} %{3} %{4} %{5} %{6} %{7} %{8} %{9} %{10}}} \
|
||||
%{expand:%%{efi_mkimage %{1} %{2} %{3} %{4} %{5} %{6} %{7} %{8} %{9} %{10}}} \
|
||||
%{nil}
|
||||
|
||||
%define do_ieee1275_build_images() \
|
||||
GRUB_MODULES+=%{grub_modules} \
|
||||
GRUB_MODULES+=%{platform_modules} \
|
||||
cd grub-%{1}-%{tarversion} \
|
||||
%{expand:%%ieee1275_mkimage %%{1} %%{2} %%{3} %%{4} %%{5}} \
|
||||
cd .. \
|
||||
%{nil}
|
||||
|
||||
%define do_primary_efi_build() \
|
||||
@ -501,6 +554,9 @@ fi \
|
||||
if [ -f $RPM_BUILD_ROOT%{_infodir}/grub-dev.info ]; then \
|
||||
rm -f $RPM_BUILD_ROOT%{_infodir}/grub-dev.info \
|
||||
fi \
|
||||
%{expand:%ifarch ppc64le \
|
||||
install -m 700 %{grubelfname} $RPM_BUILD_ROOT/%{_libdir}/grub/%{1} \
|
||||
%endif} \
|
||||
ln -s ../boot/%{name}/grub.cfg \\\
|
||||
${RPM_BUILD_ROOT}%{_sysconfdir}/grub2.cfg \
|
||||
if [ -f $RPM_BUILD_ROOT/%{_libdir}/grub/%{1}/grub2.chrp ]; then \
|
||||
@ -542,12 +598,19 @@ touch ${RPM_BUILD_ROOT}/boot/%{name}/grub.cfg \
|
||||
%config(noreplace) %{_sysconfdir}/%{name}.cfg \
|
||||
%ghost %config(noreplace) /boot/%{name}/grub.cfg \
|
||||
%dir %attr(0700,root,root)/boot/loader/entries \
|
||||
%ifarch ppc64le \
|
||||
%dir %{_libdir}/grub/%{2}/ \
|
||||
%{_libdir}/grub/%{2}/%{grubelfname} \
|
||||
%endif \
|
||||
\
|
||||
%{expand:%if 0%{?with_legacy_modules} \
|
||||
%{expand:%%files %{1}-modules} \
|
||||
%defattr(-,root,root) \
|
||||
%dir %{_libdir}/grub/%{2}/ \
|
||||
%{_libdir}/grub/%{2}/* \
|
||||
%ifarch ppc64le \
|
||||
%exclude %{_libdir}/grub/%{2}/%{grubelfname} \
|
||||
%endif \
|
||||
%exclude %{_libdir}/grub/%{2}/*.module \
|
||||
%exclude %{_libdir}/grub/%{2}/{boot,boot_hybrid,cdboot,diskboot,lzma_decompress,pxeboot}.image \
|
||||
%exclude %{_libdir}/grub/%{2}/*.o \
|
||||
|
@ -478,4 +478,11 @@ Patch0477: 0477-kern-misc-Add-function-to-check-printf-format-agains.patch
|
||||
Patch0478: 0478-gfxmenu-gui-Check-printf-format-in-the-gui_progress_.patch
|
||||
Patch0479: 0479-kern-mm-Fix-grub_debug_calloc-compilation-error.patch
|
||||
Patch0480: 0480-efi-net-Fix-malformed-device-path-arithmetic-errors-.patch
|
||||
Patch0481: 0481-ieee1275-ofdisk-retry-on-open-failure.patch
|
||||
Patch0481: 0481-ieee1275-drop-HEAP_MAX_ADDR-HEAP_MIN_SIZE.patch
|
||||
Patch0482: 0482-ieee1275-claim-more-memory.patch
|
||||
Patch0483: 0483-ieee1275-request-memory-with-ibm-client-architecture.patch
|
||||
Patch0484: 0484-appendedsig-x509-Also-handle-the-Extended-Key-Usage-.patch
|
||||
Patch0485: 0485-ieee1275-ofdisk-retry-on-open-failure.patch
|
||||
Patch0486: 0486-normal-main-Discover-the-device-to-read-the-config-f.patch
|
||||
Patch0487: 0487-powerpc-adjust-setting-of-prefix-for-signed-binary-c.patch
|
||||
Patch0488: 0488-powerpc-fix-prefix-signed-grub-special-case-for-Powe.patch
|
||||
|
BIN
SOURCES/redhatsecureboot303.cer
Normal file
BIN
SOURCES/redhatsecureboot303.cer
Normal file
Binary file not shown.
BIN
SOURCES/redhatsecureboot601.cer
Normal file
BIN
SOURCES/redhatsecureboot601.cer
Normal file
Binary file not shown.
@ -7,7 +7,7 @@
|
||||
Name: grub2
|
||||
Epoch: 1
|
||||
Version: 2.02
|
||||
Release: 99%{?dist}.1
|
||||
Release: 106%{?dist}
|
||||
Summary: Bootloader with support for Linux, Multiboot and more
|
||||
Group: System Environment/Base
|
||||
License: GPLv3+
|
||||
@ -28,10 +28,27 @@ Source13: redhatsecurebootca3.cer
|
||||
Source14: redhatsecureboot301.cer
|
||||
Source15: redhatsecurebootca5.cer
|
||||
Source16: redhatsecureboot502.cer
|
||||
Source17: sbat.csv.in
|
||||
Source17: redhatsecureboot303.cer
|
||||
Source18: redhatsecureboot601.cer
|
||||
Source19: sbat.csv.in
|
||||
|
||||
%include %{SOURCE1}
|
||||
|
||||
%if 0%{with_efi_arch}
|
||||
%define old_sb_ca %{SOURCE13}
|
||||
%define old_sb_cer %{SOURCE14}
|
||||
%define old_sb_key redhatsecureboot301
|
||||
%define sb_ca %{SOURCE15}
|
||||
%define sb_cer %{SOURCE16}
|
||||
%define sb_key redhatsecureboot502
|
||||
%endif
|
||||
|
||||
%ifarch ppc64le
|
||||
%define old_sb_cer %{SOURCE17}
|
||||
%define sb_cer %{SOURCE18}
|
||||
%define sb_key redhatsecureboot602
|
||||
%endif
|
||||
|
||||
# generate with do-rebase
|
||||
%include %{SOURCE2}
|
||||
|
||||
@ -149,7 +166,7 @@ This subpackage provides tools for support of all platforms.
|
||||
mkdir grub-%{grubefiarch}-%{tarversion}
|
||||
grep -A100000 '# stuff "make" creates' .gitignore > grub-%{grubefiarch}-%{tarversion}/.gitignore
|
||||
cp %{SOURCE4} grub-%{grubefiarch}-%{tarversion}/unifont.pcf.gz
|
||||
sed -e "s,@@VERSION@@,%{evr},g" %{SOURCE17} \
|
||||
sed -e "s,@@VERSION@@,%{evr},g" %{SOURCE19} \
|
||||
> grub-%{grubefiarch}-%{tarversion}/sbat.csv
|
||||
git add grub-%{grubefiarch}-%{tarversion}
|
||||
%endif
|
||||
@ -169,14 +186,17 @@ git commit -m "After making subdirs"
|
||||
|
||||
%build
|
||||
%if 0%{with_efi_arch}
|
||||
%{expand:%do_primary_efi_build %%{grubefiarch} %%{grubefiname} %%{grubeficdname} %%{_target_platform} %%{efi_target_cflags} %%{efi_host_cflags} %{SOURCE13} %{SOURCE14} redhatsecureboot301 %{SOURCE15} %{SOURCE16} redhatsecureboot502}
|
||||
%{expand:%do_primary_efi_build %%{grubefiarch} %%{grubefiname} %%{grubeficdname} %%{_target_platform} %%{efi_target_cflags} %%{efi_host_cflags} %{old_sb_ca} %{old_sb_cer} %{old_sb_key} %{sb_ca} %{sb_cer} %{sb_key}}
|
||||
%endif
|
||||
%if 0%{with_alt_efi_arch}
|
||||
%{expand:%do_alt_efi_build %%{grubaltefiarch} %%{grubaltefiname} %%{grubalteficdname} %%{_alt_target_platform} %%{alt_efi_target_cflags} %%{alt_efi_host_cflags} %{SOURCE13} %{SOURCE14} redhatsecureboot301 %{SOURCE15} %{SOURCE16} redhatsecureboot502}
|
||||
%{expand:%do_alt_efi_build %%{grubaltefiarch} %%{grubaltefiname} %%{grubalteficdname} %%{_alt_target_platform} %%{alt_efi_target_cflags} %%{alt_efi_host_cflags} %{old_sb_ca} %{old_sb_cer} %{old_sb_key} %{sb_ca} %{sb_cer} %{sb_key}}
|
||||
%endif
|
||||
%if 0%{with_legacy_arch}
|
||||
%{expand:%do_legacy_build %%{grublegacyarch}}
|
||||
%endif
|
||||
%ifarch ppc64le
|
||||
%{expand:%do_ieee1275_build_images %%{grublegacyarch} %{grubelfname} %{old_sb_cer} %{sb_cer} %{sb_key}}
|
||||
%endif
|
||||
makeinfo --info --no-split -I docs -o docs/grub-dev.info \
|
||||
docs/grub-dev.texi
|
||||
makeinfo --info --no-split -I docs -o docs/grub.info \
|
||||
@ -503,9 +523,33 @@ fi
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon May 17 2021 Javier Martinez Canillas <javierm@redhat.com> - 2.02-99.el8_4.1
|
||||
* Thu Aug 19 2021 Javier Martinez Canillas <javierm@redhat.com> - 2.02-106
|
||||
- Fix device discoverability on PowerVM when the prefix is not set (dja)
|
||||
Related: rhbz#1899864
|
||||
|
||||
* Thu Jul 22 2021 Javier Martinez Canillas <javierm@redhat.com> - 2.02-105
|
||||
- Discover the device to read the config from as a fallback
|
||||
Related: rhbz#1899864
|
||||
|
||||
* Mon Jun 21 2021 Javier Martinez Canillas <javierm@redhat.com> - 2.02-104
|
||||
- 20-grub-install: Create a symvers.gz symbolic link
|
||||
Resolves: rhbz#1919125
|
||||
|
||||
* Mon May 17 2021 Javier Martinez Canillas <javierm@redhat.com> - 2.02-103
|
||||
- Fix boot failures in ppc64le caused by storage race condition (diegodo)
|
||||
Resolves: rhbz#1961265
|
||||
Resolves: rhbz#1942152
|
||||
|
||||
* Tue May 11 2021 Javier Martinez Canillas <javierm@redhat.com> - 2.02-102
|
||||
- Build and sign powerpc-ieee1275 images
|
||||
Related: rhbz#1899864
|
||||
|
||||
* Fri Apr 23 2021 Javier Martinez Canillas <javierm@redhat.com> - 2.02-101
|
||||
- Find and claim more memory for ieee1275 (dja)
|
||||
Related: rhbz#1853410
|
||||
|
||||
* Fri Apr 23 2021 Javier Martinez Canillas <javierm@redhat.com> - 2.02-100
|
||||
- Sync with the latest content of the rhel-8.4.0 branch
|
||||
Resolves: rhbz#1952840
|
||||
|
||||
* Thu Feb 25 2021 Javier Martinez Canillas <javierm@redhat.com> - 2.02-99
|
||||
- Fix bug of grub2-install not checking for the SBAT option
|
||||
@ -529,13 +573,10 @@ fi
|
||||
|
||||
* Tue Feb 23 2021 Javier Martinez Canillas <javierm@redhat.com> - 2.02-97
|
||||
- Fix keylayouts module listed twice in GRUB_MODULES variable
|
||||
Related: rhbz#1897587
|
||||
|
||||
* Tue Feb 23 2021 Javier Martinez Canillas <javierm@redhat.com> - 2.02-96
|
||||
- Fix "Add 'at_keyboard_fallback_set' var to force the set manually"
|
||||
Related: rhbz#1897587
|
||||
- Fix a boot failure due patch "ieee1275: claim up to 256MB memory"
|
||||
Resolves: rhbz#1929111
|
||||
|
||||
* Tue Jan 26 2021 Javier Martinez Canillas <javierm@redhat.com> - 2.02-95
|
||||
- Add appended signatures support for ppc64le LPAR Secure Boot (daxtens)
|
||||
|
Loading…
Reference in New Issue
Block a user