AlmaLinux changes

This commit is contained in:
Andrew Lukoshko 2021-09-15 09:21:47 +00:00
parent c6f0640526
commit 33d2c41b51
8 changed files with 32 additions and 15 deletions

BIN
SOURCES/clsecureboot001.cer Normal file

Binary file not shown.

View File

@ -272,6 +272,7 @@ Requires: %{name}-common = %{evr} \
Requires: %{name}-tools-minimal >= %{evr} \ Requires: %{name}-tools-minimal >= %{evr} \
Requires: %{name}-tools-extra = %{evr} \ Requires: %{name}-tools-extra = %{evr} \
Requires: %{name}-tools = %{evr} \ Requires: %{name}-tools = %{evr} \
Requires: %{efi_esp_dir}/shim%%(echo %{1} | cut -d- -f2).efi \
Provides: %{name}-efi = %{evr} \ Provides: %{name}-efi = %{evr} \
%{?legacy_provides:Provides: %{name} = %{evr}} \ %{?legacy_provides:Provides: %{name} = %{evr}} \
%{-o:Obsoletes: %{name}-efi < %{evr}} \ %{-o:Obsoletes: %{name}-efi < %{evr}} \
@ -372,12 +373,10 @@ done \
-p /EFI/%{efi_vendor} -d grub-core ${GRUB_MODULES} \\\ -p /EFI/%{efi_vendor} -d grub-core ${GRUB_MODULES} \\\
--sbat %{4}./sbat.csv \ --sbat %{4}./sbat.csv \
%{4}./grub-mkimage -O %{1} -o %{3}.orig \\\ %{4}./grub-mkimage -O %{1} -o %{3}.orig \\\
-p /EFI/BOOT -d grub-core ${GRUB_MODULES} \\\ -p /EFI/BOOT -d grub-core ${GRUB_MODULES} \\\
--sbat %{4}./sbat.csv \ --sbat %{4}./sbat.csv \
%{expand:%%{pesign -s -i %%{2}.orig -o %%{2}.one -a %%{5} -c %%{6} -n %%{7}}} \ %{expand:%%{pesign -s -i %%{2}.orig -o %%{2} -a %%{5} -c %%{6} -n %%{7}}} \
%{expand:%%{pesign -s -i %%{3}.orig -o %%{3}.one -a %%{5} -c %%{6} -n %%{7}}} \ %{expand:%%{pesign -s -i %%{3}.orig -o %%{3} -a %%{5} -c %%{6} -n %%{7}}} \
%{expand:%%{pesign -s -i %%{2}.one -o %%{2} -a %%{8} -c %%{9} -n %%{10}}} \
%{expand:%%{pesign -s -i %%{3}.one -o %%{3} -a %%{8} -c %%{9} -n %%{10}}} \
%{nil} %{nil}
%else %else
%define mkimage() \ %define mkimage() \
@ -487,7 +486,7 @@ install -D -m 700 unicode.pf2 \\\
$RPM_BUILD_ROOT%{efi_esp_dir}/fonts/unicode.pf2 \ $RPM_BUILD_ROOT%{efi_esp_dir}/fonts/unicode.pf2 \
${RPM_BUILD_ROOT}/%{_bindir}/%{name}-editenv \\\ ${RPM_BUILD_ROOT}/%{_bindir}/%{name}-editenv \\\
${RPM_BUILD_ROOT}%{efi_esp_dir}/grubenv create \ ${RPM_BUILD_ROOT}%{efi_esp_dir}/grubenv create \
ln -sf ../efi/EFI/%{efi_vendor}/grubenv \\\ ln -sf ../efi/EFI/%{efidir}/grubenv \\\
$RPM_BUILD_ROOT/boot/grub2/grubenv \ $RPM_BUILD_ROOT/boot/grub2/grubenv \
cd .. \ cd .. \
%{nil} %{nil}

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

View File

@ -1,3 +1,3 @@
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,1,Free Software Foundation,grub,2.02,https://www.gnu.org/software/grub/ grub,1,Free Software Foundation,grub,2.02,https://www.gnu.org/software/grub/
grub.rhel8,1,Red Hat Enterprise Linux 8,grub2,@@VERSION@@,mail:secalert@redhat.com grub.almalinux8,1,AlmaLinux 8,grub2,@@VERSION@@,mail:security@almalinux.org

View File

@ -1,3 +1,7 @@
%global efi_vendor almalinux
%global efidir almalinux
%global efi_esp_dir /boot/efi/EFI/%{efidir}
%undefine _hardened_build %undefine _hardened_build
%global tarversion 2.02 %global tarversion 2.02
@ -7,7 +11,7 @@
Name: grub2 Name: grub2
Epoch: 1 Epoch: 1
Version: 2.02 Version: 2.02
Release: 99%{?dist} Release: 99%{?dist}.alma
Summary: Bootloader with support for Linux, Multiboot and more Summary: Bootloader with support for Linux, Multiboot and more
Group: System Environment/Base Group: System Environment/Base
License: GPLv3+ License: GPLv3+
@ -24,10 +28,7 @@ Source6: gitignore
Source8: strtoull_test.c Source8: strtoull_test.c
Source9: 20-grub.install Source9: 20-grub.install
Source12: 99-grub-mkconfig.install Source12: 99-grub-mkconfig.install
Source13: redhatsecurebootca3.cer Source13: clsecureboot001.cer
Source14: redhatsecureboot301.cer
Source15: redhatsecurebootca5.cer
Source16: redhatsecureboot502.cer
Source17: sbat.csv.in Source17: sbat.csv.in
%include %{SOURCE1} %include %{SOURCE1}
@ -169,10 +170,10 @@ git commit -m "After making subdirs"
%build %build
%if 0%{with_efi_arch} %if 0%{with_efi_arch}
%{expand:%do_primary_efi_build %%{grubefiarch} %%{grubefiname} %%{grubeficdname} %%{_target_platform} %%{efi_target_cflags} %%{efi_host_cflags} %{SOURCE13} %{SOURCE14} redhatsecureboot301 %{SOURCE15} %{SOURCE16} redhatsecureboot502} %{expand:%do_primary_efi_build %%{grubefiarch} %%{grubefiname} %%{grubeficdname} %%{_target_platform} %%{efi_target_cflags} %%{efi_host_cflags} %{SOURCE13} %{SOURCE14} alnsecureboot001}
%endif %endif
%if 0%{with_alt_efi_arch} %if 0%{with_alt_efi_arch}
%{expand:%do_alt_efi_build %%{grubaltefiarch} %%{grubaltefiname} %%{grubalteficdname} %%{_alt_target_platform} %%{alt_efi_target_cflags} %%{alt_efi_host_cflags} %{SOURCE13} %{SOURCE14} redhatsecureboot301 %{SOURCE15} %{SOURCE16} redhatsecureboot502} %{expand:%do_alt_efi_build %%{grubaltefiarch} %%{grubaltefiname} %%{grubalteficdname} %%{_alt_target_platform} %%{alt_efi_target_cflags} %%{alt_efi_host_cflags} %{SOURCE13} %{SOURCE14} alnsecureboot001}
%endif %endif
%if 0%{with_legacy_arch} %if 0%{with_legacy_arch}
%{expand:%do_legacy_build %%{grublegacyarch}} %{expand:%do_legacy_build %%{grublegacyarch}}
@ -333,6 +334,20 @@ if [ "$1" = 0 ]; then
/sbin/install-info --delete --info-dir=%{_infodir} %{_infodir}/%{name}-dev.info.gz || : /sbin/install-info --delete --info-dir=%{_infodir} %{_infodir}/%{name}-dev.info.gz || :
fi fi
%if 0%{with_efi_arch}
%posttrans efi-x64
if [ -d /sys/firmware/efi ] && [ ! -f %{efi_esp_dir}/grub.cfg ]; then
grub2-mkconfig -o %{efi_esp_dir}/grub.cfg || :
fi
%endif
%if 0%{with_alt_efi_arch}
%posttrans efi-ia32
if [ -d /sys/firmware/efi ] && [ ! -f %{efi_esp_dir}/grub.cfg ]; then
grub2-mkconfig -o %{efi_esp_dir}/grub.cfg || :
fi
%endif
%files common -f grub.lang %files common -f grub.lang
%dir %{_libdir}/grub/ %dir %{_libdir}/grub/
%dir %{_datarootdir}/grub/ %dir %{_datarootdir}/grub/
@ -503,6 +518,9 @@ fi
%endif %endif
%changelog %changelog
* Fri Apr 09 2021 Andrew Lukoshko <alukoshko@almalinux.org> - 2.02-99.alma
- Debrand for AlmaLinux
* Thu Feb 25 2021 Javier Martinez Canillas <javierm@redhat.com> - 2.02-99 * Thu Feb 25 2021 Javier Martinez Canillas <javierm@redhat.com> - 2.02-99
- Fix bug of grub2-install not checking for the SBAT option - Fix bug of grub2-install not checking for the SBAT option
Resolves: CVE-2020-14372 Resolves: CVE-2020-14372