diff --git a/SOURCES/clsecureboot001.cer b/SOURCES/clsecureboot001.cer new file mode 100644 index 0000000..ca9ce5d Binary files /dev/null and b/SOURCES/clsecureboot001.cer differ diff --git a/SOURCES/grub.macros b/SOURCES/grub.macros index 98ad11a..ab1172b 100644 --- a/SOURCES/grub.macros +++ b/SOURCES/grub.macros @@ -272,6 +272,7 @@ Requires: %{name}-common = %{evr} \ Requires: %{name}-tools-minimal >= %{evr} \ Requires: %{name}-tools-extra = %{evr} \ Requires: %{name}-tools = %{evr} \ +Requires: %{efi_esp_dir}/shim%%(echo %{1} | cut -d- -f2).efi \ Provides: %{name}-efi = %{evr} \ %{?legacy_provides:Provides: %{name} = %{evr}} \ %{-o:Obsoletes: %{name}-efi < %{evr}} \ @@ -372,12 +373,10 @@ done \ -p /EFI/%{efi_vendor} -d grub-core ${GRUB_MODULES} \\\ --sbat %{4}./sbat.csv \ %{4}./grub-mkimage -O %{1} -o %{3}.orig \\\ - -p /EFI/BOOT -d grub-core ${GRUB_MODULES} \\\ - --sbat %{4}./sbat.csv \ -%{expand:%%{pesign -s -i %%{2}.orig -o %%{2}.one -a %%{5} -c %%{6} -n %%{7}}} \ -%{expand:%%{pesign -s -i %%{3}.orig -o %%{3}.one -a %%{5} -c %%{6} -n %%{7}}} \ -%{expand:%%{pesign -s -i %%{2}.one -o %%{2} -a %%{8} -c %%{9} -n %%{10}}} \ -%{expand:%%{pesign -s -i %%{3}.one -o %%{3} -a %%{8} -c %%{9} -n %%{10}}} \ + -p /EFI/BOOT -d grub-core ${GRUB_MODULES} \\\ + --sbat %{4}./sbat.csv \ +%{expand:%%{pesign -s -i %%{2}.orig -o %%{2} -a %%{5} -c %%{6} -n %%{7}}} \ +%{expand:%%{pesign -s -i %%{3}.orig -o %%{3} -a %%{5} -c %%{6} -n %%{7}}} \ %{nil} %else %define mkimage() \ @@ -487,7 +486,7 @@ install -D -m 700 unicode.pf2 \\\ $RPM_BUILD_ROOT%{efi_esp_dir}/fonts/unicode.pf2 \ ${RPM_BUILD_ROOT}/%{_bindir}/%{name}-editenv \\\ ${RPM_BUILD_ROOT}%{efi_esp_dir}/grubenv create \ -ln -sf ../efi/EFI/%{efi_vendor}/grubenv \\\ +ln -sf ../efi/EFI/%{efidir}/grubenv \\\ $RPM_BUILD_ROOT/boot/grub2/grubenv \ cd .. \ %{nil} 
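Review bot: The added `Requires: %{efi_esp_dir}/shim%%(echo %{1} | cut -d- -f2).efi` in the `@@ -272` hunk is a bare file-path dependency, so any package that owns that path satisfies it, whatever certificate its shim trusts. This commit also replaces the signing certificates, so a shim built before the switch would presumably still satisfy the dependency and then reject the re-signed GRUB under Secure Boot. Consider pairing it with a versioned requirement on the shim package that embeds the new certificate. A comment above the macro should also say that the `cut` takes the second `-`-separated field of `%{1}` to form the shim file name. The macro body starts and ends outside the hunk.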
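Review bot: After the `@@ -372` hunk, what appears to be the first `mkimage` definition signs each image once with `-a %%{5} -c %%{6} -n %%{7}`, but nothing records what those three positional arguments must be. A comment above the macro definition (which starts outside the hunk), such as `# args 5-7: CA certificate, signing certificate, certificate nickname (single signature)`, would make it easier to check callers against it. The two `grub-mkimage` continuation lines (`-p /EFI/BOOT …` and `--sbat …`) appear to change only in whitespace; leaving them untouched would keep the patch against the upstream macros smaller.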
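Review bot: The symlink target in the `@@ -487` hunk now uses `%{efidir}`, while the `grub-mkimage` prefix visible in the `@@ -372` hunk still uses `/EFI/%{efi_vendor}`, so the layout depends on two macros holding the same value. The new globals in `SPECS/grub2.spec` set both to `almalinux` independently; if one is changed later, the embedded prefix and the ESP directory holding `grubenv` and `grub.cfg` would diverge. Defining one from the other, e.g. `%global efidir %{efi_vendor}`, would keep them in step.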
diff --git a/SOURCES/redhatsecureboot301.cer b/SOURCES/redhatsecureboot301.cer deleted file mode 100644 index 4ff8b79..0000000 Binary files a/SOURCES/redhatsecureboot301.cer and /dev/null differ diff --git a/SOURCES/redhatsecureboot502.cer b/SOURCES/redhatsecureboot502.cer deleted file mode 100644 index be0b5e2..0000000 Binary files a/SOURCES/redhatsecureboot502.cer and /dev/null differ diff --git a/SOURCES/redhatsecurebootca3.cer b/SOURCES/redhatsecurebootca3.cer deleted file mode 100644 index b235400..0000000 Binary files a/SOURCES/redhatsecurebootca3.cer and /dev/null differ diff --git a/SOURCES/redhatsecurebootca5.cer b/SOURCES/redhatsecurebootca5.cer deleted file mode 100644 index dfb0284..0000000 Binary files a/SOURCES/redhatsecurebootca5.cer and /dev/null differ diff --git a/SOURCES/sbat.csv.in b/SOURCES/sbat.csv.in index 24545c0..7ed44d7 100755 --- a/SOURCES/sbat.csv.in +++ b/SOURCES/sbat.csv.in @@ -1,3 +1,3 @@ sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md grub,1,Free Software Foundation,grub,2.02,https://www.gnu.org/software/grub/ -grub.rhel8,1,Red Hat Enterprise Linux 8,grub2,@@VERSION@@,mail:secalert@redhat.com \ No newline at end of file +grub.almalinux8,1,AlmaLinux 8,grub2,@@VERSION@@,mail:security@almalinux.org \ No newline at end of file diff --git a/SPECS/grub2.spec b/SPECS/grub2.spec index 86208d2..bc3565d 100644 --- a/SPECS/grub2.spec +++ b/SPECS/grub2.spec @@ -1,3 +1,7 @@ +%global efi_vendor almalinux +%global efidir almalinux +%global efi_esp_dir /boot/efi/EFI/%{efidir} + %undefine _hardened_build %global tarversion 2.02 @@ -7,7 +11,7 @@ Name: grub2 Epoch: 1 Version: 2.02 -Release: 99%{?dist} +Release: 99%{?dist}.alma Summary: Bootloader with support for Linux, Multiboot and more Group: System Environment/Base License: GPLv3+ 
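Review bot: The `sbat.csv.in` hunk replaces the `grub.rhel8` entry instead of adding the AlmaLinux one next to it. The changelog describes this build as a debrand, so it presumably still carries the RHEL downstream patch set; without a `grub.rhel8` component, an SBAT revocation that raises that component's generation would not apply to this binary. Consider keeping `grub.rhel8,1,Red Hat Enterprise Linux 8,grub2,@@VERSION@@,mail:secalert@redhat.com` and adding the `grub.almalinux8` line after it.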
@@ -24,10 +28,7 @@ Source6: gitignore Source8: strtoull_test.c Source9: 20-grub.install Source12: 99-grub-mkconfig.install -Source13: redhatsecurebootca3.cer -Source14: redhatsecureboot301.cer -Source15: redhatsecurebootca5.cer -Source16: redhatsecureboot502.cer +Source13: clsecureboot001.cer Source17: sbat.csv.in %include %{SOURCE1} @@ -169,10 +170,10 @@ git commit -m "After making subdirs" %build %if 0%{with_efi_arch} -%{expand:%do_primary_efi_build %%{grubefiarch} %%{grubefiname} %%{grubeficdname} %%{_target_platform} %%{efi_target_cflags} %%{efi_host_cflags} %{SOURCE13} %{SOURCE14} redhatsecureboot301 %{SOURCE15} %{SOURCE16} redhatsecureboot502} +%{expand:%do_primary_efi_build %%{grubefiarch} %%{grubefiname} %%{grubeficdname} %%{_target_platform} %%{efi_target_cflags} %%{efi_host_cflags} %{SOURCE13} %{SOURCE14} alnsecureboot001} %endif %if 0%{with_alt_efi_arch} -%{expand:%do_alt_efi_build %%{grubaltefiarch} %%{grubaltefiname} %%{grubalteficdname} %%{_alt_target_platform} %%{alt_efi_target_cflags} %%{alt_efi_host_cflags} %{SOURCE13} %{SOURCE14} redhatsecureboot301 %{SOURCE15} %{SOURCE16} redhatsecureboot502} +%{expand:%do_alt_efi_build %%{grubaltefiarch} %%{grubaltefiname} %%{grubalteficdname} %%{_alt_target_platform} %%{alt_efi_target_cflags} %%{alt_efi_host_cflags} %{SOURCE13} %{SOURCE14} alnsecureboot001} %endif %if 0%{with_legacy_arch} %{expand:%do_legacy_build %%{grublegacyarch}} @@ -333,6 +334,20 @@ if [ "$1" = 0 ]; then /sbin/install-info --delete --info-dir=%{_infodir} %{_infodir}/%{name}-dev.info.gz || : fi +%if 0%{with_efi_arch} +%posttrans efi-x64 +if [ -d /sys/firmware/efi ] && [ ! -f %{efi_esp_dir}/grub.cfg ]; then + grub2-mkconfig -o %{efi_esp_dir}/grub.cfg || : +fi +%endif + +%if 0%{with_alt_efi_arch} +%posttrans efi-ia32 +if [ -d /sys/firmware/efi ] && [ ! -f %{efi_esp_dir}/grub.cfg ]; then + grub2-mkconfig -o %{efi_esp_dir}/grub.cfg || : +fi +%endif + %files common -f grub.lang %dir %{_libdir}/grub/ %dir %{_datarootdir}/grub/ 
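Review bot: Both `%do_primary_efi_build` and `%do_alt_efi_build` in the `@@ -169` hunk still pass `%{SOURCE14}`, but the `@@ -24` hunk removes `Source14` and leaves only `Source13: clsecureboot001.cer`. Judging by the `pesign … -a %%{5} -c %%{6} -n %%{7}` calls in `grub.macros`, that argument presumably ends up as the signing certificate, so the signing step would receive an undefined macro. The nickname `alnsecureboot001` also does not match the certificate file name `clsecureboot001.cer`; confirm it is the name the signing key is stored under. Either declare the signing certificate as `Source14:` again or pass the `Source` that actually holds it.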
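Review bot: The new scriptlets in the `@@ -333` hunk are attached to the fixed names `efi-x64` and `efi-ia32`, while the guards are the generic `%{with_efi_arch}` and `%{with_alt_efi_arch}`. If those conditionals are also true on non-x86 architectures, the scriptlet would name a subpackage that is not built there; deriving the name from the same macro the subpackage definition uses would avoid that. Separately, `|| :` discards a `grub2-mkconfig` failure, leaving an EFI system without `grub.cfg` and no trace of why. A message to stderr would at least record it, e.g. `grub2-mkconfig -o %{efi_esp_dir}/grub.cfg || echo "grub2-mkconfig failed; %{efi_esp_dir}/grub.cfg not created" >&2`.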
@@ -503,6 +518,9 @@ fi %endif %changelog +* Fri Apr 09 2021 Andrew Lukoshko - 2.02-99.alma +- Debrand for AlmaLinux + * Thu Feb 25 2021 Javier Martinez Canillas - 2.02-99 - Fix bug of grub2-install not checking for the SBAT option Resolves: CVE-2020-14372