From 46e7ed602b5789406469d7dee2fcac09da484a81 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Mon, 30 Sep 2024 15:39:21 +0000 Subject: [PATCH] import CS grub2-2.06-92.el9 --- .../0344-grub-install-on-EFI-if-forced.patch | 77 ++++++++ ...d-search-Rework-of-CVE-2023-4001-fix.patch | 182 ++++++++++++++++++ ...fig.in-turn-off-executable-owner-bit.patch | 29 +++ ...nsure-grub-cfg-stub-is-not-overwritt.patch | 40 ++++ ...der-remove-device-path-debug-message.patch | 25 +++ ...-mkconfig-Simplify-os_name-detection.patch | 30 +++ ...move-check-for-mount-point-for-grub-.patch | 29 +++ ...er-memory-type-for-kernel-allocation.patch | 44 +++++ SOURCES/99-grub-mkconfig.install | 25 +-- SOURCES/grub.macros | 7 +- SOURCES/grub.patches | 8 + SPECS/grub2.spec | 92 ++++++++- 12 files changed, 553 insertions(+), 35 deletions(-) create mode 100644 SOURCES/0344-grub-install-on-EFI-if-forced.patch create mode 100644 SOURCES/0345-cmd-search-Rework-of-CVE-2023-4001-fix.patch create mode 100644 SOURCES/0346-grub-mkconfig.in-turn-off-executable-owner-bit.patch create mode 100644 SOURCES/0347-grub2-mkconfig-Ensure-grub-cfg-stub-is-not-overwritt.patch create mode 100644 SOURCES/0348-chainloader-remove-device-path-debug-message.patch create mode 100644 SOURCES/0349-grub2-mkconfig-Simplify-os_name-detection.patch create mode 100644 SOURCES/0350-grub-mkconfig-Remove-check-for-mount-point-for-grub-.patch create mode 100644 SOURCES/0351-arm64-Use-proper-memory-type-for-kernel-allocation.patch diff --git a/SOURCES/0344-grub-install-on-EFI-if-forced.patch b/SOURCES/0344-grub-install-on-EFI-if-forced.patch new file mode 100644 index 0000000..ad231ac --- /dev/null +++ b/SOURCES/0344-grub-install-on-EFI-if-forced.patch 
@@ -0,0 +1,77 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Marta Lewandowska +Date: Fri, 13 Oct 2023 09:13:41 +0200 +Subject: [PATCH] grub-install on EFI if forced + +UEFI Secure Boot requires signed grub binaries to work, so grub- +install should not be used. However, users who have Secure Boot +disabled and wish to use the command should not be prevented from +doing so if they invoke --force. + +fixes bz#1917213 / bz#2240994 + +Signed-off-by: Marta Lewandowska +--- + util/grub-install.c | 42 ++++++++++++++++++++++++++---------------- + 1 file changed, 26 insertions(+), 16 deletions(-) + +diff --git a/util/grub-install.c b/util/grub-install.c +index 5babc7af5518..162162bec6e2 100644 +--- a/util/grub-install.c ++++ b/util/grub-install.c +@@ -899,22 +899,6 @@ main (int argc, char *argv[]) + + platform = grub_install_get_target (grub_install_source_directory); + +- switch (platform) +- { +- case GRUB_INSTALL_PLATFORM_ARM_EFI: +- case GRUB_INSTALL_PLATFORM_ARM64_EFI: +- case GRUB_INSTALL_PLATFORM_I386_EFI: +- case GRUB_INSTALL_PLATFORM_IA64_EFI: +- case GRUB_INSTALL_PLATFORM_X86_64_EFI: +- is_efi = 1; +- grub_util_error (_("this utility cannot be used for EFI platforms" +- " because it does not support UEFI Secure Boot")); +- break; +- default: +- is_efi = 0; +- break; +- } +- + { + char *platname = grub_install_get_platform_name (platform); + fprintf (stderr, _("Installing for %s platform.\n"), platname); +@@ -1027,6 +1011,32 @@ main (int argc, char *argv[]) + grub_hostfs_init (); + grub_host_init (); + ++ switch (platform) ++ { ++ case GRUB_INSTALL_PLATFORM_I386_EFI: ++ case GRUB_INSTALL_PLATFORM_X86_64_EFI: ++ case GRUB_INSTALL_PLATFORM_ARM_EFI: ++ case GRUB_INSTALL_PLATFORM_ARM64_EFI: ++ case GRUB_INSTALL_PLATFORM_RISCV32_EFI: ++ case GRUB_INSTALL_PLATFORM_RISCV64_EFI: ++ case GRUB_INSTALL_PLATFORM_IA64_EFI: ++ is_efi = 1; ++ if (!force) ++ grub_util_error (_("This utility should not be used for EFI platforms" ++ " because it 
does not support UEFI Secure Boot." ++ " If you really wish to proceed, invoke the --force" ++ " option.\nMake sure Secure Boot is disabled before" ++ " proceeding")); ++ break; ++ default: ++ is_efi = 0; ++ break; ++ ++ /* pacify warning. */ ++ case GRUB_INSTALL_PLATFORM_MAX: ++ break; ++ } ++ + /* Find the EFI System Partition. */ + if (is_efi) + { diff --git a/SOURCES/0345-cmd-search-Rework-of-CVE-2023-4001-fix.patch b/SOURCES/0345-cmd-search-Rework-of-CVE-2023-4001-fix.patch new file mode 100644 index 0000000..068bc77 --- /dev/null +++ b/SOURCES/0345-cmd-search-Rework-of-CVE-2023-4001-fix.patch 
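Review bot: With --force the new switch only prints "Make sure Secure Boot is disabled"; nothing reads the firmware's SecureBoot variable (exposed through efivarfs on Linux), so a forced install on a Secure Boot-enabled machine replaces the signed shim/grub chain with an unsigned core image that is rejected at the next boot. I would read that variable where the platform exposes it and keep refusing when it reports enabled, or at minimum emit a `grub_util_warn` naming that consequence instead of the generic hint. is_efi is now assigned after grub_hostfs_init()/grub_host_init() rather than before the "Installing for %s platform" banner, so any read of is_efi between the old and new locations presumably now sees its initial value — worth confirming in the part of main() outside this hunk. `case GRUB_INSTALL_PLATFORM_MAX:` placed after `default:` is legal but reads oddly; grouping it with the other cases keeps the switch scannable. main() starts and ends outside the hunk.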
@@ -0,0 +1,182 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Nicolas Frayer +Date: Thu, 16 May 2024 10:58:32 +0200 +Subject: [PATCH] cmd/search: Rework of CVE-2023-4001 fix + +The initial fix implemented a new flag that forces the grub cfg +stub to be located on the same disk as grub. This created several +issues such as RAID machines not being able to boot as their +partition names under grub were different from the partition where +grub is located. It also simply means that any machines with the +/boot partition located on a disk other than the one containing grub +won't boot. +This commit denies booting if the grub cfg stub is located on a USB +drive with a duplicated UUID (UUID being the same as the partition +containing the actual grub cfg stub) + +Signed-off-by: Nicolas Frayer +--- + grub-core/commands/search.c | 136 +++++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 127 insertions(+), 9 deletions(-) + +diff --git a/grub-core/commands/search.c b/grub-core/commands/search.c +index 94fe8b2872a1..c052cb098c36 100644 +--- a/grub-core/commands/search.c ++++ b/grub-core/commands/search.c +@@ -30,6 +30,8 @@ + #include + #include + #include ++#include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -54,6 +56,100 @@ struct search_ctx + int is_cache; + }; + ++static int ++is_device_usb (const char *name) ++{ ++ int ret = 0; ++ ++ grub_device_t dev = grub_device_open(name); ++ ++ if (dev) ++ { ++ struct grub_efidisk_data ++ { ++ grub_efi_handle_t handle; ++ grub_efi_device_path_t *device_path; ++ grub_efi_device_path_t *last_device_path; ++ grub_efi_block_io_t *block_io; ++ struct grub_efidisk_data *next; ++ }; ++ ++ if (dev->disk && dev->disk->data) ++ { ++ struct grub_efidisk_data *dp = dev->disk->data; ++ ++ if ( GRUB_EFI_DEVICE_PATH_TYPE (dp->last_device_path) == GRUB_EFI_MESSAGING_DEVICE_PATH_TYPE && ++ GRUB_EFI_DEVICE_PATH_SUBTYPE (dp->last_device_path) == GRUB_EFI_USB_DEVICE_PATH_SUBTYPE) ++ { ++ ret = 1; ++ } ++ 
} ++ grub_device_close(dev); ++ } ++ ++ return ret; ++} ++ ++static int ++get_device_uuid(const char *name, char** quid) ++{ ++ int ret = 0; ++ ++ grub_device_t dev_part = grub_device_open(name); ++ ++ if (dev_part) ++ { ++ grub_fs_t fs; ++ ++ fs = grub_fs_probe (dev_part); ++ ++#ifdef DO_SEARCH_FS_UUID ++#define read_fn fs_uuid ++#else ++#define read_fn fs_label ++#endif ++ if (fs && fs->read_fn) ++ { ++ fs->read_fn (dev_part, quid); ++ ++ if (grub_errno == GRUB_ERR_NONE && *quid) ++ { ++ ret = 1; ++ } ++ ++ } ++ grub_device_close (dev_part); ++ } ++ ++ return ret; ++} ++struct uuid_context { ++ char* name; ++ char* uuid; ++}; ++ ++static int ++check_for_duplicate (const char *name, void *data) ++{ ++ int ret = 0; ++ struct uuid_context * uuid_ctx = (struct uuid_context *)data; ++ char *quid = 0; ++ ++ get_device_uuid(name, &quid); ++ ++ if (quid == NULL) ++ return 0; ++ ++ if (!grub_strcasecmp(quid, uuid_ctx->uuid) && grub_strcasecmp(name, uuid_ctx->name)) ++ { ++ ret = 1; ++ } ++ ++ grub_free(quid); ++ ++ return ret; ++} ++ + /* Helper for FUNC_NAME. 
*/ + static int + iterate_device (const char *name, void *data) +@@ -104,15 +200,37 @@ iterate_device (const char *name, void *data) + grub_str_sep (root_dev, root_disk, ',', rem_1); + grub_str_sep (name, name_disk, ',', rem_2); + if (root_disk != NULL && *root_disk != '\0' && +- name_disk != NULL && *name_disk != '\0') +- if (grub_strcmp(root_disk, name_disk) != 0) +- { +- grub_free (root_disk); +- grub_free (name_disk); +- grub_free (rem_1); +- grub_free (rem_2); +- return 0; +- } ++ name_disk != NULL && *name_disk != '\0') ++ { ++ grub_device_t dev, dev_part; ++ ++ if (is_device_usb(name) && !is_device_usb(root_dev)) ++ { ++ char *quid_name = NULL; ++ int longlist = 0; ++ struct uuid_context uuid_ctx; ++ int ret = 0; ++ ++ get_device_uuid(name, &quid_name); ++ if (!grub_strcmp(quid_name, ctx->key)) ++ { ++ uuid_ctx.name = name; ++ uuid_ctx.uuid = quid_name; ++ ++ ret = grub_device_iterate (check_for_duplicate, &uuid_ctx); ++ ++ if (ret) ++ { ++ grub_printf("Duplicated media UUID found, rebooting ...\n"); ++ grub_sleep(10); ++ grub_reboot(); ++ } ++ } ++ ++ if (quid_name) grub_free (quid_name); ++ ++ } ++ } + } + grub_free (root_disk); + grub_free (name_disk); diff --git a/SOURCES/0346-grub-mkconfig.in-turn-off-executable-owner-bit.patch b/SOURCES/0346-grub-mkconfig.in-turn-off-executable-owner-bit.patch new file mode 100644 index 0000000..e5f61db --- /dev/null +++ b/SOURCES/0346-grub-mkconfig.in-turn-off-executable-owner-bit.patch 
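Review bot: In the new iterate_device block `get_device_uuid(name, &quid_name)` can leave quid_name NULL (no probeable filesystem, or read_fn failing), yet `grub_strcmp(quid_name, ctx->key)` runs unconditionally, so a USB stick with an unrecognised filesystem dereferences NULL inside the very code meant to defend against hostile USB media; guard it with `if (quid_name != NULL && grub_strcasecmp (quid_name, ctx->key) == 0)`. Using grub_strcasecmp there also matches check_for_duplicate and the case-insensitive UUID comparison the search itself performs, whereas the current grub_strcmp lets a UUID that differs only in case skip the duplicate check while still being accepted as a match. is_device_usb casts `dev->disk->data` to a locally redeclared `struct grub_efidisk_data` without checking that the disk is really an efidisk (e.g. `dev->disk->dev->id == GRUB_DISK_DEVICE_EFIDISK_ID`), which is type confusion on any other disk backend and silently breaks if efidisk.c changes its private layout. The unused `dev`, `dev_part` and `longlist` locals should go, and a failed probe in get_device_uuid leaves grub_errno set, which the caller may need to clear — confirm against the rest of iterate_device. iterate_device continues past the end of the hunk.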
@@ -0,0 +1,29 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Leo Sandoval +Date: Mon, 1 Jul 2024 12:52:13 -0600 +Subject: [PATCH] grub-mkconfig.in: turn off executable owner bit + +Stricker permissions are required on the grub.cfg file, resulting in +at most 0600 owner's file permissions. This resolves conflicting +requirement permissions on grub2-pc package's grub2.cfg file. + +Resolves: RHEL-45870 + +Signed-off-by: Leo Sandoval +--- + util/grub-mkconfig.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in +index 34f7c13fc..f47b2735d 100644 +--- a/util/grub-mkconfig.in ++++ b/util/grub-mkconfig.in +@@ -320,7 +320,7 @@ and /etc/grub.d/* files or please file a bug report with + exit 1 + else + # none of the children aborted with error, install the new grub.cfg +- oldumask=$(umask); umask 077 ++ oldumask=$(umask); umask 177 + cat ${grub_cfg}.new > ${grub_cfg} + umask $oldumask + rm -f ${grub_cfg}.new diff --git a/SOURCES/0347-grub2-mkconfig-Ensure-grub-cfg-stub-is-not-overwritt.patch b/SOURCES/0347-grub2-mkconfig-Ensure-grub-cfg-stub-is-not-overwritt.patch new file mode 100644 index 0000000..fc76a5e --- /dev/null +++ b/SOURCES/0347-grub2-mkconfig-Ensure-grub-cfg-stub-is-not-overwritt.patch 
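Review bot: `umask 177` only affects files the redirect creates; when `${grub_cfg}` already exists, `cat ${grub_cfg}.new > ${grub_cfg}` truncates it in place and keeps whatever mode it had, so an existing 0644 config stays world-readable and the "at most 0600" claim in the commit message does not hold for the common regenerate case. Follow the write with an explicit `chmod 0600 ${grub_cfg}`; the spec's %posttrans chmod, if that is meant to cover it, only touches /boot/grub2/grub.cfg and not arbitrary -o targets. The surrounding if/else continues outside the hunk.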
@@ -0,0 +1,40 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Nicolas Frayer +Date: Tue, 16 Jul 2024 11:11:43 +0200 +Subject: [PATCH] grub2-mkconfig: Ensure grub cfg stub is not overwritten + +/boot/efi/EFI/$os_name/grub.cfg contains a grub cfg stub +that should not be overwritten by grub2-mkconfig. +Ensure that we prevent this from happening. + +Signed-off-by: Marta Lewandowska +Signed-off-by: Nicolas Frayer +--- + util/grub-mkconfig.in | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in +index 34f7c13fc521..34d0120d0ba2 100644 +--- a/util/grub-mkconfig.in ++++ b/util/grub-mkconfig.in +@@ -114,6 +114,20 @@ do + esac + done + ++os_name=$(grep '^ID=' /etc/os-release | sed 's/ID=//') ++if test "$os_name" = '"rhel"'; then ++ os_name=redhat ++elif test "$os_name" = '"centos"'; then ++ os_name=centos ++fi ++if test "x${grub_cfg}" = "x/boot/efi/EFI/$os_name/grub.cfg" &&\ ++ mountpoint -q /boot/efi; then ++ gettext_printf "Running \`grub2-mkconfig -o %s' will overwrite the GRUB wrapper.\n" "$grub_cfg" 1>&2 ++ gettext_printf "Please run \`grub2-mkconfig -o /boot/grub2/grub.cfg' instead to update grub.cfg.\n" 1>&2 ++ gettext_printf "GRUB configuration file was not updated.\n" 1>&2 ++ exit 1 ++fi ++ + if [ "x$EUID" = "x" ] ; then + EUID=`id -u` + fi diff --git a/SOURCES/0348-chainloader-remove-device-path-debug-message.patch b/SOURCES/0348-chainloader-remove-device-path-debug-message.patch new file mode 100644 index 0000000..2029bd8 --- /dev/null +++ b/SOURCES/0348-chainloader-remove-device-path-debug-message.patch 
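Review bot: The guard compares `${grub_cfg}` byte-for-byte with `/boot/efi/EFI/$os_name/grub.cfg`, so `-o /boot/efi//EFI/redhat/grub.cfg`, a relative path, or a symlink pointing at the stub all reach the same file and overwrite it; canonicalise before comparing, e.g. `cfg_path=$(readlink -m "${grub_cfg}" 2>/dev/null || echo "${grub_cfg}")` and test `$cfg_path`. If /etc/os-release is missing, os_name is empty and the path degenerates to `/boot/efi/EFI//grub.cfg`, which is harmless but deserves a one-line comment so it does not look like a bug. The enclosing script continues on both sides of the hunk.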
@@ -0,0 +1,25 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: raravind +Date: Tue, 9 May 2023 11:29:35 +0200 +Subject: [PATCH] chainloader: remove device path debug message + +Remove the debug message "/EndEntire" while using GRUB chainloader command. + +Signed-off-by: raravind +(cherry picked from commit f75f5386b7a6a7cb2e10d30f817a3564c0a28dd7) +--- + grub-core/loader/efi/chainloader.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c +index dd31ac9bb318..b1c86dab2b60 100644 +--- a/grub-core/loader/efi/chainloader.c ++++ b/grub-core/loader/efi/chainloader.c +@@ -210,7 +210,6 @@ make_file_path (grub_efi_device_path_t *dp, const char *filename) + /* Fill the file path for the directory. */ + d = (grub_efi_device_path_t *) ((char *) file_path + + ((char *) d - (char *) dp)); +- grub_efi_print_device_path (d); + if (copy_file_path ((grub_efi_file_path_device_path_t *) d, + dir_start, dir_end - dir_start) != GRUB_ERR_NONE) + { diff --git a/SOURCES/0349-grub2-mkconfig-Simplify-os_name-detection.patch b/SOURCES/0349-grub2-mkconfig-Simplify-os_name-detection.patch new file mode 100644 index 0000000..3d2f9a6 --- /dev/null +++ b/SOURCES/0349-grub2-mkconfig-Simplify-os_name-detection.patch 
@@ -0,0 +1,30 @@ +From ac5b2bc87a6c361fd504898a368f0867ef3e2679 Mon Sep 17 00:00:00 2001 +From: Andrew Lukoshko +Date: Wed, 31 Jul 2024 16:06:10 +0000 +Subject: [PATCH] grub2-mkconfig: Simplify os_name detection + +--- + util/grub-mkconfig.in | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in +index 7a0738b..ebf5150 100644 +--- a/util/grub-mkconfig.in ++++ b/util/grub-mkconfig.in +@@ -114,12 +114,7 @@ do + esac + done + +-os_name=$(grep '^ID=' /etc/os-release | sed 's/ID=//') +-if test "$os_name" = '"rhel"'; then +- os_name=redhat +-elif test "$os_name" = '"centos"'; then +- os_name=centos +-fi ++os_name=$(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/' -e 's/\"//g') + if test "x${grub_cfg}" = "x/boot/efi/EFI/$os_name/grub.cfg" &&\ + mountpoint -q /boot/efi; then + gettext_printf "Running \`grub2-mkconfig -o %s' will overwrite the GRUB wrapper.\n" "$grub_cfg" 1>&2 +-- +2.43.5 + diff --git a/SOURCES/0350-grub-mkconfig-Remove-check-for-mount-point-for-grub-.patch b/SOURCES/0350-grub-mkconfig-Remove-check-for-mount-point-for-grub-.patch new file mode 100644 index 0000000..e503cef --- /dev/null +++ b/SOURCES/0350-grub-mkconfig-Remove-check-for-mount-point-for-grub-.patch 
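Review bot: The `sed -e 's/rhel/redhat/'` substitution is unanchored, so it rewrites that substring inside any ID that merely contains "rhel" rather than only the exact value `rhel`, and the quote stripping handles double quotes only although os-release also permits single-quoted values. Strip quotes first and anchor the rename: `os_name=$(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/["'"'"']//g' -e 's/^rhel$/redhat/')`. The derived name is interpolated into a path, so a short comment noting that os-release restricts ID to a safe character set would explain why no further validation is done.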
@@ -0,0 +1,29 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Nicolas Frayer +Date: Thu, 1 Aug 2024 11:13:20 +0200 +Subject: [PATCH] grub/mkconfig: Remove check for mount point for grub cfg stub + +Remove mountpoint when checking whether or not the grub cfg stub +exists and add -s to the test. This should cover scenarios where +the ESP doesn't have a seperate partition but still uses a grub +cfg stub + +Signed-off-by: Nicolas Frayer +--- + util/grub-mkconfig.in | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in +index a4972039b751..3f131eea2b12 100644 +--- a/util/grub-mkconfig.in ++++ b/util/grub-mkconfig.in +@@ -115,8 +115,7 @@ do + done + + os_name=$(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/' -e 's/\"//g') +-if test "x${grub_cfg}" = "x/boot/efi/EFI/$os_name/grub.cfg" &&\ +- mountpoint -q /boot/efi; then ++if test -s "${grub_cfg}" && test "x${grub_cfg}" = "x/boot/efi/EFI/$os_name/grub.cfg"; then + gettext_printf "Running \`grub2-mkconfig -o %s' will overwrite the GRUB wrapper.\n" "$grub_cfg" 1>&2 + gettext_printf "Please run \`grub2-mkconfig -o /boot/grub2/grub.cfg' instead to update grub.cfg.\n" 1>&2 + gettext_printf "GRUB configuration file was not updated.\n" 1>&2 diff --git a/SOURCES/0351-arm64-Use-proper-memory-type-for-kernel-allocation.patch b/SOURCES/0351-arm64-Use-proper-memory-type-for-kernel-allocation.patch new file mode 100644 index 0000000..e77fcbf --- /dev/null +++ b/SOURCES/0351-arm64-Use-proper-memory-type-for-kernel-allocation.patch 
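Review bot: `test -s "${grub_cfg}"` treats any non-empty file at the stub path as the stub, while the spec's %posttrans identifies the stub by `grep -q configfile`, so the two disagree on a system whose ESP grub.cfg is still a full pre-unification config: mkconfig refuses to regenerate it, yet nothing ever marks it as a stub. Use the same test here, e.g. `if test -s "${grub_cfg}" && grep -q configfile "${grub_cfg}" && test "x${grub_cfg}" = "x/boot/efi/EFI/$os_name/grub.cfg"; then`, or factor a shared is_grub_stub helper used by both. The enclosing script continues outside the hunk.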
@@ -0,0 +1,44 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Maximilian Luz +Date: Tue, 28 Jun 2022 23:06:46 +0200 +Subject: [PATCH] arm64: Use proper memory type for kernel allocation + +Currently, the kernel pages are allocated with type EFI_LOADER_DATA. +While the vast majority of systems will happily execute code from those +pages (i.e. don't care about memory protection), the Microsoft Surface +Pro X stalls, as this memory is not designated as "executable". + +Therefore, allocate the kernel pages as EFI_LOADER_CODE to request +memory that is actually executable. + +Signed-off-by: Maximilian Luz +--- + grub-core/loader/arm64/linux.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/grub-core/loader/arm64/linux.c b/grub-core/loader/arm64/linux.c +index 419f2201df8b..a3a193c255e9 100644 +--- a/grub-core/loader/arm64/linux.c ++++ b/grub-core/loader/arm64/linux.c +@@ -26,7 +26,9 @@ + #include + #include + #include ++#include + #include ++#include + #include + #include + #include +@@ -403,7 +405,10 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), + grub_loader_unset(); + + kernel_alloc_pages = GRUB_EFI_BYTES_TO_PAGES (kernel_size + align - 1); +- kernel_alloc_addr = grub_efi_allocate_any_pages (kernel_alloc_pages); ++ kernel_alloc_addr = grub_efi_allocate_pages_real (GRUB_EFI_MAX_USABLE_ADDRESS, ++ kernel_alloc_pages, ++ GRUB_EFI_ALLOCATE_MAX_ADDRESS, ++ GRUB_EFI_LOADER_CODE); + grub_dprintf ("linux", "kernel numpages: %d\n", kernel_alloc_pages); + if (!kernel_alloc_addr) + { diff --git a/SOURCES/99-grub-mkconfig.install b/SOURCES/99-grub-mkconfig.install index 2c7faad..abc44db 100755 --- a/SOURCES/99-grub-mkconfig.install +++ b/SOURCES/99-grub-mkconfig.install 
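Review bot: The switch to grub_efi_allocate_pages_real with GRUB_EFI_LOADER_CODE carries no comment, so the next reader sees an allocation that looks interchangeable with grub_efi_allocate_any_pages and may "simplify" it back; add `/* Request LOADER_CODE: firmware that enforces NX on LOADER_DATA (e.g. Surface Pro X) will not execute a kernel copied into data pages.  */` above the call. The two added #include lines have had their names stripped in this view, so I cannot confirm they are the minimal set the new call needs. grub_cmd_linux starts and ends outside the hunk.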
@@ -4,34 +4,11 @@ if ! [[ $KERNEL_INSTALL_MACHINE_ID ]]; then exit 0 fi -# PV and PVH Xen DomU guests boot with pygrub that doesn't have BLS support, -# also Xen Dom0 use the menuentries from 20_linux_xen and not the ones from -# 10_linux. So BLS support needs to be disabled for both Xen Dom0 and DomU. -if [[ -e /sys/hypervisor/type ]] && grep -q "^xen$" /sys/hypervisor/type; then - RUN_MKCONFIG=true - DISABLE_BLS=true -fi - ARCH=$(uname -m) # Older ppc64le OPAL firmware (petitboot version < 1.8.0) don't have BLS support # so grub2-mkconfig has to be run to generate a config with menuentry commands. if [[ $ARCH = "ppc64le" ]] && [ -d /sys/firmware/opal ]; then - - petitboot_path="/sys/firmware/devicetree/base/ibm,firmware-versions/petitboot" - - if test -e ${petitboot_path}; then - read -r -d '' petitboot_version < ${petitboot_path} - petitboot_version="$(echo ${petitboot_version//v})" - major_version="$(echo ${petitboot_version} | cut -d . -f1)" - minor_version="$(echo ${petitboot_version} | cut -d . -f2)" - - if test -z ${petitboot_version} || test ${major_version} -lt 1 || \ - test ${major_version} -eq 1 -a ${minor_version} -lt 8; then - RUN_MKCONFIG=true - fi - else - RUN_MKCONFIG=true - fi + RUN_MKCONFIG=true fi if [[ $DISABLE_BLS = "true" ]]; then diff --git a/SOURCES/grub.macros b/SOURCES/grub.macros index aa6921c..966c079 100755 --- a/SOURCES/grub.macros +++ b/SOURCES/grub.macros @@ -589,7 +589,8 @@ install -d -m 0700 ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig \ touch ${RPM_BUILD_ROOT}%{_sysconfdir}/default/grub \ ln -sf ../default/grub \\\ ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig/grub \ -touch ${RPM_BUILD_ROOT}/boot/%{name}/grub.cfg \ +touch grub.cfg \ +install -m 0600 grub.cfg ${RPM_BUILD_ROOT}/boot/%{name}/ \ ln -s ../boot/%{name}/grub.cfg \\\ ${RPM_BUILD_ROOT}%{_sysconfdir}/%{name}.cfg \ %{nil} 
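Review bot: After this hunk removes the Xen block, nothing left in the visible script assigns DISABLE_BLS, yet the context line `if [[ $DISABLE_BLS = "true" ]]; then` still tests it; unless the variable is an operator override from the environment, that branch is now dead and should either go or be documented with `# DISABLE_BLS may be exported by the caller to force a legacy menuentry config`. The ppc64le branch now sets RUN_MKCONFIG=true unconditionally, so the comment above it about petitboot < 1.8.0 no longer describes what the code does and should say mkconfig runs on every OPAL system. The rest of the script is outside the hunk.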
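Review bot: `touch grub.cfg` creates the placeholder in whatever directory the %install macro happens to be expanded in, clobbers any grub.cfg already there and leaves it behind after the install; creating the file directly at its destination avoids all three, e.g. `install -D -m 0600 /dev/null ${RPM_BUILD_ROOT}/boot/%{name}/grub.cfg \`. The macro body continues outside the hunk.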
@@ -598,7 +599,7 @@ ln -s ../boot/%{name}/grub.cfg \\\ %{expand:%%files %{1}} \ %defattr(-,root,root,-) \ %config(noreplace) %{_sysconfdir}/%{name}.cfg \ -%ghost %config(noreplace) %attr(0700,root,root)/boot/%{name}/grub.cfg \ +%ghost %config(noreplace) %attr(0600,root,root)/boot/%{name}/grub.cfg \ %dir %attr(0700,root,root)/boot/loader/entries \ %attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/%{name}-%{1}.conf \ %ifarch ppc64le \ @@ -633,7 +634,7 @@ ln -s ../boot/%{name}/grub.cfg \\\ %endif \ %attr(0700,root,root)/boot/%{name}/fonts \ %dir %attr(0700,root,root)/boot/loader/entries \ -%ghost %config(noreplace) %attr(0700,root,root)/boot/%{name}/grub.cfg \ +%ghost %config(noreplace) %attr(0600,root,root)/boot/%{name}/grub.cfg \ %ghost %config(noreplace) %verify(not mtime) %attr(0700,root,root)%{efi_esp_dir}/grub.cfg \ %config(noreplace) %verify(not size mode md5 mtime) /boot/%{name}/grubenv \ %attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/%{name}-%{1}.conf \ diff --git a/SOURCES/grub.patches b/SOURCES/grub.patches index 7782ccd..e79df3f 100644 --- a/SOURCES/grub.patches +++ b/SOURCES/grub.patches @@ -341,3 +341,11 @@ Patch0340: 0340-fs-ntfs-Make-code-more-readable.patch Patch0341: 0341-grub_dl_set_mem_attrs-fix-format-string.patch Patch0342: 0342-grub_dl_set_mem_attrs-add-self-check-for-the-tramp-G.patch Patch0343: 0343-grub_dl_load_segments-page-align-the-tramp-GOT-areas.patch +Patch0344: 0344-grub-install-on-EFI-if-forced.patch +Patch0345: 0345-cmd-search-Rework-of-CVE-2023-4001-fix.patch +Patch0346: 0346-grub-mkconfig.in-turn-off-executable-owner-bit.patch +Patch0347: 0347-grub2-mkconfig-Ensure-grub-cfg-stub-is-not-overwritt.patch +Patch0348: 0348-chainloader-remove-device-path-debug-message.patch +Patch0349: 0349-grub2-mkconfig-Simplify-os_name-detection.patch +Patch0350: 0350-grub-mkconfig-Remove-check-for-mount-point-for-grub-.patch +Patch0351: 0351-arm64-Use-proper-memory-type-for-kernel-allocation.patch 
diff --git a/SPECS/grub2.spec b/SPECS/grub2.spec index 9bf288e..db23775 100644 --- a/SPECS/grub2.spec +++ b/SPECS/grub2.spec @@ -16,7 +16,7 @@ Name: grub2 Epoch: 1 Version: 2.06 -Release: 77%{?dist} +Release: 92%{?dist} Summary: Bootloader with support for Linux, Multiboot and more License: GPLv3+ URL: http://www.gnu.org/software/grub/ @@ -335,13 +335,29 @@ if ! mountpoint -q ${ESP_PATH}; then exit 0 # no ESP mounted, nothing to do fi -if test ! -f ${EFI_HOME}/grub.cfg; then - # there's no config in ESP, create one - grub2-mkconfig -o ${EFI_HOME}/grub.cfg +if test ! -f ${GRUB_HOME}/grub.cfg; then + # there's no config in GRUB home, create one + grub2-mkconfig -o ${GRUB_HOME}/grub.cfg +else + GRUB_CFG_MODE=$(stat --format="%a" ${GRUB_HOME}/grub.cfg) + if ! test "${GRUB_CFG_MODE}" = "600"; then + # when upgrading from <=2.06-90 to newer versions, the grub config stub + # may have different mode than 0600, so set the latter if this is the case + chmod 0600 ${GRUB_HOME}/grub.cfg + fi fi -if grep -q "configfile" ${EFI_HOME}/grub.cfg; then - exit 0 # already unified, nothing to do +# make sure grub.cfg is present before grepping it +if test -f ${EFI_HOME}/grub.cfg; then + # need to move grub.cfg to correct dir for major version upgrade + if ! grep -q "configfile" ${EFI_HOME}/grub.cfg; then + cp -a ${EFI_HOME}/grub.cfg ${GRUB_HOME}/ + chmod 0600 ${GRUB_HOME}/grub.cfg + fi + + if grep -q "configfile" ${EFI_HOME}/grub.cfg && grep -q "root-dev-only" ${EFI_HOME}/grub.cfg; then + exit 0 # already unified, nothing to do + fi fi # create a stub grub2 config in EFI @@ -360,8 +376,6 @@ if test -f ${EFI_HOME}/grubenv; then mv --force ${EFI_HOME}/grubenv ${GRUB_HOME}/grubenv fi -cp -a ${EFI_HOME}/grub.cfg ${EFI_HOME}/grub.cfg.rpmsave -cp -a ${EFI_HOME}/grub.cfg ${GRUB_HOME}/ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg %files common -f grub.lang 
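Review bot: The removed `.rpmsave` copy was the only backup of the ESP config, and the new code copies it into GRUB_HOME only when it does not contain "configfile"; an administrator's ESP grub.cfg that uses configfile for its own purposes but lacks "root-dev-only" is therefore neither copied nor saved before `mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg` overwrites it later in the scriptlet. Keep a backup on that path, e.g. `cp -a ${EFI_HOME}/grub.cfg ${EFI_HOME}/grub.cfg.rpmsave` before the stub is moved into place. The `cp -a` into GRUB_HOME also unconditionally replaces an existing /boot/grub2/grub.cfg, including one just generated by the grub2-mkconfig call above it, which deserves a comment stating that the ESP copy is authoritative during this migration. The scriptlet continues outside the hunk.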
@@ -533,6 +547,68 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg %endif %changelog +* Tue Aug 13 2024 Nicolas Frayer - 2.06-92 +- arm64/linux: Allocate memory for kernel with EFI_LOADER_CODE type +- Resolves: #RHEL-49868 + +* Fri Aug 2 2024 Leo Sandoval - 2.06-91 +- Set /boot/grub2/grub.cfg to 0600 mode if present +- Resolves: #RHEL-45870 + +* Thu Aug 1 2024 Nicolas Frayer - 2.06-90 +- grub2-mkconfig: Remove mountpoint check +- Related: #RHEL-32099 + +* Thu Aug 1 2024 Leo Sandoval - 2.06-89 +- Bump release number +- Resolves: #RHEL-45870 + +* Wed Jul 31 2024 Leo Sandoval - 2.06-88 +- grub.cfg: Fix rpm grub.cfg verification issues +- Resolves: #RHEL-45870 + +* Wed Jul 31 2024 Andrew Lukoshko - 2.06-87 +- grub2-mkconfig: Simplify os_name detection +- Resolves: #RHEL-32099 + +* Tue Jul 16 2024 Nicolas Frayer - 2.06-86 +- chainloader: Remove unexpected "/EndEntire" +- Resolves: #RHEL-4380 + +* Tue Jul 16 2024 Nicolas Frayer - 2.06-85 +- grub2-mkconfig: Prevent mkconfig from overwriting grub cfg stub +- Resolves: #RHEL-32099 + +* Thu Jul 11 2024 Nicolas Frayer - 2.06-84 +- install/ppc64le: run grub2-mkconfig regardless of petitboot version +- Resolves: #RHEL-45161 + +* Mon Jul 1 2024 Leo Sandoval - 2.06-83 +- grub-mkconfig.in: turn off executable owner bit +- Resolves: RHEL-45870 + +* Thu Jun 27 2024 Nicolas Frayer - 2.06-82 +- mkconfig/install: Remove BLS handling for XEN +- Resolves: #RHEL-4386 + +* Tue Jun 25 2024 Marta Lewandowska - 2.06-81 +- grub.cfg: Fix an issue when doing a major version upgrade +- Resolves: #RHEL-45008 + +* Tue May 28 2024 Nicolas Frayer - 2.06-80 +- Added more code for the previous CVE fix +- Related: #RHEL-36249 +- Related: #RHEL-36186 + +* Tue May 28 2024 Nicolas Frayer - 2.06-79 +- cmd/search: Rework of CVE-2023-4001 fix +- Resolves: #RHEL-36249 +- Resolves: #RHEL-36186 + +* Thu Feb 22 2024 Nicolas Frayer - 2.06-78 +- util: grub-install on EFI if forced +- Resolves: #RHEL-20443 + * Thu Feb 22 2024 Nicolas Frayer - 2.06-77 - kern/dl: 
grub_dl_set_mem_attrs()/grub_dl_load_segments() fixes - Resolves: #RHEL-26322