import CS grub2-2.06-92.el9
This commit is contained in:
parent
a1db1ec7f5
commit
46e7ed602b
77
SOURCES/0344-grub-install-on-EFI-if-forced.patch
Normal file
77
SOURCES/0344-grub-install-on-EFI-if-forced.patch
Normal file
@ -0,0 +1,77 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Marta Lewandowska <mlewando@redhat.com>
|
||||||
|
Date: Fri, 13 Oct 2023 09:13:41 +0200
|
||||||
|
Subject: [PATCH] grub-install on EFI if forced
|
||||||
|
|
||||||
|
UEFI Secure Boot requires signed grub binaries to work, so grub-
|
||||||
|
install should not be used. However, users who have Secure Boot
|
||||||
|
disabled and wish to use the command should not be prevented from
|
||||||
|
doing so if they invoke --force.
|
||||||
|
|
||||||
|
fixes bz#1917213 / bz#2240994
|
||||||
|
|
||||||
|
Signed-off-by: Marta Lewandowska <mlewando@redhat.com>
|
||||||
|
---
|
||||||
|
util/grub-install.c | 42 ++++++++++++++++++++++++++----------------
|
||||||
|
1 file changed, 26 insertions(+), 16 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/util/grub-install.c b/util/grub-install.c
|
||||||
|
index 5babc7af5518..162162bec6e2 100644
|
||||||
|
--- a/util/grub-install.c
|
||||||
|
+++ b/util/grub-install.c
|
||||||
|
@@ -899,22 +899,6 @@ main (int argc, char *argv[])
|
||||||
|
|
||||||
|
platform = grub_install_get_target (grub_install_source_directory);
|
||||||
|
|
||||||
|
- switch (platform)
|
||||||
|
- {
|
||||||
|
- case GRUB_INSTALL_PLATFORM_ARM_EFI:
|
||||||
|
- case GRUB_INSTALL_PLATFORM_ARM64_EFI:
|
||||||
|
- case GRUB_INSTALL_PLATFORM_I386_EFI:
|
||||||
|
- case GRUB_INSTALL_PLATFORM_IA64_EFI:
|
||||||
|
- case GRUB_INSTALL_PLATFORM_X86_64_EFI:
|
||||||
|
- is_efi = 1;
|
||||||
|
- grub_util_error (_("this utility cannot be used for EFI platforms"
|
||||||
|
- " because it does not support UEFI Secure Boot"));
|
||||||
|
- break;
|
||||||
|
- default:
|
||||||
|
- is_efi = 0;
|
||||||
|
- break;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
{
|
||||||
|
char *platname = grub_install_get_platform_name (platform);
|
||||||
|
fprintf (stderr, _("Installing for %s platform.\n"), platname);
|
||||||
|
@@ -1027,6 +1011,32 @@ main (int argc, char *argv[])
|
||||||
|
grub_hostfs_init ();
|
||||||
|
grub_host_init ();
|
||||||
|
|
||||||
|
+ switch (platform)
|
||||||
|
+ {
|
||||||
|
+ case GRUB_INSTALL_PLATFORM_I386_EFI:
|
||||||
|
+ case GRUB_INSTALL_PLATFORM_X86_64_EFI:
|
||||||
|
+ case GRUB_INSTALL_PLATFORM_ARM_EFI:
|
||||||
|
+ case GRUB_INSTALL_PLATFORM_ARM64_EFI:
|
||||||
|
+ case GRUB_INSTALL_PLATFORM_RISCV32_EFI:
|
||||||
|
+ case GRUB_INSTALL_PLATFORM_RISCV64_EFI:
|
||||||
|
+ case GRUB_INSTALL_PLATFORM_IA64_EFI:
|
||||||
|
+ is_efi = 1;
|
||||||
|
+ if (!force)
|
||||||
|
+ grub_util_error (_("This utility should not be used for EFI platforms"
|
||||||
|
+ " because it does not support UEFI Secure Boot."
|
||||||
|
+ " If you really wish to proceed, invoke the --force"
|
||||||
|
+ " option.\nMake sure Secure Boot is disabled before"
|
||||||
|
+ " proceeding"));
|
||||||
|
+ break;
|
||||||
|
+ default:
|
||||||
|
+ is_efi = 0;
|
||||||
|
+ break;
|
||||||
|
+
|
||||||
|
+ /* pacify warning. */
|
||||||
|
+ case GRUB_INSTALL_PLATFORM_MAX:
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/* Find the EFI System Partition. */
|
||||||
|
if (is_efi)
|
||||||
|
{
|
182
SOURCES/0345-cmd-search-Rework-of-CVE-2023-4001-fix.patch
Normal file
182
SOURCES/0345-cmd-search-Rework-of-CVE-2023-4001-fix.patch
Normal file
@ -0,0 +1,182 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Nicolas Frayer <nfrayer@redhat.com>
|
||||||
|
Date: Thu, 16 May 2024 10:58:32 +0200
|
||||||
|
Subject: [PATCH] cmd/search: Rework of CVE-2023-4001 fix
|
||||||
|
|
||||||
|
The initial fix implemented a new flag that forces the grub cfg
|
||||||
|
stub to be located on the same disk as grub. This created several
|
||||||
|
issues such as RAID machines not being able to boot as their
|
||||||
|
partition names under grub were different from the partition where
|
||||||
|
grub is located. It also simply means that any machines with the
|
||||||
|
/boot partition located on a disk other than the one containing grub
|
||||||
|
won't boot.
|
||||||
|
This commit denies booting if the grub cfg stub is located on a USB
|
||||||
|
drive with a duplicated UUID (UUID being the same as the partition
|
||||||
|
containing the actual grub cfg stub)
|
||||||
|
|
||||||
|
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
|
||||||
|
---
|
||||||
|
grub-core/commands/search.c | 136 +++++++++++++++++++++++++++++++++++++++++---
|
||||||
|
1 file changed, 127 insertions(+), 9 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/grub-core/commands/search.c b/grub-core/commands/search.c
|
||||||
|
index 94fe8b2872a1..c052cb098c36 100644
|
||||||
|
--- a/grub-core/commands/search.c
|
||||||
|
+++ b/grub-core/commands/search.c
|
||||||
|
@@ -30,6 +30,8 @@
|
||||||
|
#include <grub/i18n.h>
|
||||||
|
#include <grub/disk.h>
|
||||||
|
#include <grub/partition.h>
|
||||||
|
+#include <grub/efi/api.h>
|
||||||
|
+#include <grub/time.h>
|
||||||
|
|
||||||
|
GRUB_MOD_LICENSE ("GPLv3+");
|
||||||
|
|
||||||
|
@@ -54,6 +56,100 @@ struct search_ctx
|
||||||
|
int is_cache;
|
||||||
|
};
|
||||||
|
|
||||||
|
+static int
|
||||||
|
+is_device_usb (const char *name)
|
||||||
|
+{
|
||||||
|
+ int ret = 0;
|
||||||
|
+
|
||||||
|
+ grub_device_t dev = grub_device_open(name);
|
||||||
|
+
|
||||||
|
+ if (dev)
|
||||||
|
+ {
|
||||||
|
+ struct grub_efidisk_data
|
||||||
|
+ {
|
||||||
|
+ grub_efi_handle_t handle;
|
||||||
|
+ grub_efi_device_path_t *device_path;
|
||||||
|
+ grub_efi_device_path_t *last_device_path;
|
||||||
|
+ grub_efi_block_io_t *block_io;
|
||||||
|
+ struct grub_efidisk_data *next;
|
||||||
|
+ };
|
||||||
|
+
|
||||||
|
+ if (dev->disk && dev->disk->data)
|
||||||
|
+ {
|
||||||
|
+ struct grub_efidisk_data *dp = dev->disk->data;
|
||||||
|
+
|
||||||
|
+ if ( GRUB_EFI_DEVICE_PATH_TYPE (dp->last_device_path) == GRUB_EFI_MESSAGING_DEVICE_PATH_TYPE &&
|
||||||
|
+ GRUB_EFI_DEVICE_PATH_SUBTYPE (dp->last_device_path) == GRUB_EFI_USB_DEVICE_PATH_SUBTYPE)
|
||||||
|
+ {
|
||||||
|
+ ret = 1;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ grub_device_close(dev);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return ret;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int
|
||||||
|
+get_device_uuid(const char *name, char** quid)
|
||||||
|
+{
|
||||||
|
+ int ret = 0;
|
||||||
|
+
|
||||||
|
+ grub_device_t dev_part = grub_device_open(name);
|
||||||
|
+
|
||||||
|
+ if (dev_part)
|
||||||
|
+ {
|
||||||
|
+ grub_fs_t fs;
|
||||||
|
+
|
||||||
|
+ fs = grub_fs_probe (dev_part);
|
||||||
|
+
|
||||||
|
+#ifdef DO_SEARCH_FS_UUID
|
||||||
|
+#define read_fn fs_uuid
|
||||||
|
+#else
|
||||||
|
+#define read_fn fs_label
|
||||||
|
+#endif
|
||||||
|
+ if (fs && fs->read_fn)
|
||||||
|
+ {
|
||||||
|
+ fs->read_fn (dev_part, quid);
|
||||||
|
+
|
||||||
|
+ if (grub_errno == GRUB_ERR_NONE && *quid)
|
||||||
|
+ {
|
||||||
|
+ ret = 1;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ }
|
||||||
|
+ grub_device_close (dev_part);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return ret;
|
||||||
|
+}
|
||||||
|
+struct uuid_context {
|
||||||
|
+ char* name;
|
||||||
|
+ char* uuid;
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+static int
|
||||||
|
+check_for_duplicate (const char *name, void *data)
|
||||||
|
+{
|
||||||
|
+ int ret = 0;
|
||||||
|
+ struct uuid_context * uuid_ctx = (struct uuid_context *)data;
|
||||||
|
+ char *quid = 0;
|
||||||
|
+
|
||||||
|
+ get_device_uuid(name, &quid);
|
||||||
|
+
|
||||||
|
+ if (quid == NULL)
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+ if (!grub_strcasecmp(quid, uuid_ctx->uuid) && grub_strcasecmp(name, uuid_ctx->name))
|
||||||
|
+ {
|
||||||
|
+ ret = 1;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ grub_free(quid);
|
||||||
|
+
|
||||||
|
+ return ret;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/* Helper for FUNC_NAME. */
|
||||||
|
static int
|
||||||
|
iterate_device (const char *name, void *data)
|
||||||
|
@@ -104,15 +200,37 @@ iterate_device (const char *name, void *data)
|
||||||
|
grub_str_sep (root_dev, root_disk, ',', rem_1);
|
||||||
|
grub_str_sep (name, name_disk, ',', rem_2);
|
||||||
|
if (root_disk != NULL && *root_disk != '\0' &&
|
||||||
|
- name_disk != NULL && *name_disk != '\0')
|
||||||
|
- if (grub_strcmp(root_disk, name_disk) != 0)
|
||||||
|
- {
|
||||||
|
- grub_free (root_disk);
|
||||||
|
- grub_free (name_disk);
|
||||||
|
- grub_free (rem_1);
|
||||||
|
- grub_free (rem_2);
|
||||||
|
- return 0;
|
||||||
|
- }
|
||||||
|
+ name_disk != NULL && *name_disk != '\0')
|
||||||
|
+ {
|
||||||
|
+ grub_device_t dev, dev_part;
|
||||||
|
+
|
||||||
|
+ if (is_device_usb(name) && !is_device_usb(root_dev))
|
||||||
|
+ {
|
||||||
|
+ char *quid_name = NULL;
|
||||||
|
+ int longlist = 0;
|
||||||
|
+ struct uuid_context uuid_ctx;
|
||||||
|
+ int ret = 0;
|
||||||
|
+
|
||||||
|
+ get_device_uuid(name, &quid_name);
|
||||||
|
+ if (!grub_strcmp(quid_name, ctx->key))
|
||||||
|
+ {
|
||||||
|
+ uuid_ctx.name = name;
|
||||||
|
+ uuid_ctx.uuid = quid_name;
|
||||||
|
+
|
||||||
|
+ ret = grub_device_iterate (check_for_duplicate, &uuid_ctx);
|
||||||
|
+
|
||||||
|
+ if (ret)
|
||||||
|
+ {
|
||||||
|
+ grub_printf("Duplicated media UUID found, rebooting ...\n");
|
||||||
|
+ grub_sleep(10);
|
||||||
|
+ grub_reboot();
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (quid_name) grub_free (quid_name);
|
||||||
|
+
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
grub_free (root_disk);
|
||||||
|
grub_free (name_disk);
|
@ -0,0 +1,29 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Leo Sandoval <lsandova@redhat.com>
|
||||||
|
Date: Mon, 1 Jul 2024 12:52:13 -0600
|
||||||
|
Subject: [PATCH] grub-mkconfig.in: turn off executable owner bit
|
||||||
|
|
||||||
|
Stricker permissions are required on the grub.cfg file, resulting in
|
||||||
|
at most 0600 owner's file permissions. This resolves conflicting
|
||||||
|
requirement permissions on grub2-pc package's grub2.cfg file.
|
||||||
|
|
||||||
|
Resolves: RHEL-45870
|
||||||
|
|
||||||
|
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
|
||||||
|
---
|
||||||
|
util/grub-mkconfig.in | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
|
||||||
|
index 34f7c13fc..f47b2735d 100644
|
||||||
|
--- a/util/grub-mkconfig.in
|
||||||
|
+++ b/util/grub-mkconfig.in
|
||||||
|
@@ -320,7 +320,7 @@ and /etc/grub.d/* files or please file a bug report with
|
||||||
|
exit 1
|
||||||
|
else
|
||||||
|
# none of the children aborted with error, install the new grub.cfg
|
||||||
|
- oldumask=$(umask); umask 077
|
||||||
|
+ oldumask=$(umask); umask 177
|
||||||
|
cat ${grub_cfg}.new > ${grub_cfg}
|
||||||
|
umask $oldumask
|
||||||
|
rm -f ${grub_cfg}.new
|
@ -0,0 +1,40 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Nicolas Frayer <nfrayer@redhat.com>
|
||||||
|
Date: Tue, 16 Jul 2024 11:11:43 +0200
|
||||||
|
Subject: [PATCH] grub2-mkconfig: Ensure grub cfg stub is not overwritten
|
||||||
|
|
||||||
|
/boot/efi/EFI/$os_name/grub.cfg contains a grub cfg stub
|
||||||
|
that should not be overwritten by grub2-mkconfig.
|
||||||
|
Ensure that we prevent this from happening.
|
||||||
|
|
||||||
|
Signed-off-by: Marta Lewandowska <mlewando@redhat.com>
|
||||||
|
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
|
||||||
|
---
|
||||||
|
util/grub-mkconfig.in | 14 ++++++++++++++
|
||||||
|
1 file changed, 14 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
|
||||||
|
index 34f7c13fc521..34d0120d0ba2 100644
|
||||||
|
--- a/util/grub-mkconfig.in
|
||||||
|
+++ b/util/grub-mkconfig.in
|
||||||
|
@@ -114,6 +114,20 @@ do
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
|
||||||
|
+os_name=$(grep '^ID=' /etc/os-release | sed 's/ID=//')
|
||||||
|
+if test "$os_name" = '"rhel"'; then
|
||||||
|
+ os_name=redhat
|
||||||
|
+elif test "$os_name" = '"centos"'; then
|
||||||
|
+ os_name=centos
|
||||||
|
+fi
|
||||||
|
+if test "x${grub_cfg}" = "x/boot/efi/EFI/$os_name/grub.cfg" &&\
|
||||||
|
+ mountpoint -q /boot/efi; then
|
||||||
|
+ gettext_printf "Running \`grub2-mkconfig -o %s' will overwrite the GRUB wrapper.\n" "$grub_cfg" 1>&2
|
||||||
|
+ gettext_printf "Please run \`grub2-mkconfig -o /boot/grub2/grub.cfg' instead to update grub.cfg.\n" 1>&2
|
||||||
|
+ gettext_printf "GRUB configuration file was not updated.\n" 1>&2
|
||||||
|
+ exit 1
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
if [ "x$EUID" = "x" ] ; then
|
||||||
|
EUID=`id -u`
|
||||||
|
fi
|
@ -0,0 +1,25 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: raravind <raravind@redhat.com>
|
||||||
|
Date: Tue, 9 May 2023 11:29:35 +0200
|
||||||
|
Subject: [PATCH] chainloader: remove device path debug message
|
||||||
|
|
||||||
|
Remove the debug message "/EndEntire" while using GRUB chainloader command.
|
||||||
|
|
||||||
|
Signed-off-by: raravind <raravind@redhat.com>
|
||||||
|
(cherry picked from commit f75f5386b7a6a7cb2e10d30f817a3564c0a28dd7)
|
||||||
|
---
|
||||||
|
grub-core/loader/efi/chainloader.c | 1 -
|
||||||
|
1 file changed, 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
|
||||||
|
index dd31ac9bb318..b1c86dab2b60 100644
|
||||||
|
--- a/grub-core/loader/efi/chainloader.c
|
||||||
|
+++ b/grub-core/loader/efi/chainloader.c
|
||||||
|
@@ -210,7 +210,6 @@ make_file_path (grub_efi_device_path_t *dp, const char *filename)
|
||||||
|
/* Fill the file path for the directory. */
|
||||||
|
d = (grub_efi_device_path_t *) ((char *) file_path
|
||||||
|
+ ((char *) d - (char *) dp));
|
||||||
|
- grub_efi_print_device_path (d);
|
||||||
|
if (copy_file_path ((grub_efi_file_path_device_path_t *) d,
|
||||||
|
dir_start, dir_end - dir_start) != GRUB_ERR_NONE)
|
||||||
|
{
|
30
SOURCES/0349-grub2-mkconfig-Simplify-os_name-detection.patch
Normal file
30
SOURCES/0349-grub2-mkconfig-Simplify-os_name-detection.patch
Normal file
@ -0,0 +1,30 @@
|
|||||||
|
From ac5b2bc87a6c361fd504898a368f0867ef3e2679 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Andrew Lukoshko <alukoshko@almalinux.org>
|
||||||
|
Date: Wed, 31 Jul 2024 16:06:10 +0000
|
||||||
|
Subject: [PATCH] grub2-mkconfig: Simplify os_name detection
|
||||||
|
|
||||||
|
---
|
||||||
|
util/grub-mkconfig.in | 7 +------
|
||||||
|
1 file changed, 1 insertion(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
|
||||||
|
index 7a0738b..ebf5150 100644
|
||||||
|
--- a/util/grub-mkconfig.in
|
||||||
|
+++ b/util/grub-mkconfig.in
|
||||||
|
@@ -114,12 +114,7 @@ do
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
|
||||||
|
-os_name=$(grep '^ID=' /etc/os-release | sed 's/ID=//')
|
||||||
|
-if test "$os_name" = '"rhel"'; then
|
||||||
|
- os_name=redhat
|
||||||
|
-elif test "$os_name" = '"centos"'; then
|
||||||
|
- os_name=centos
|
||||||
|
-fi
|
||||||
|
+os_name=$(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/' -e 's/\"//g')
|
||||||
|
if test "x${grub_cfg}" = "x/boot/efi/EFI/$os_name/grub.cfg" &&\
|
||||||
|
mountpoint -q /boot/efi; then
|
||||||
|
gettext_printf "Running \`grub2-mkconfig -o %s' will overwrite the GRUB wrapper.\n" "$grub_cfg" 1>&2
|
||||||
|
--
|
||||||
|
2.43.5
|
||||||
|
|
@ -0,0 +1,29 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Nicolas Frayer <nfrayer@redhat.com>
|
||||||
|
Date: Thu, 1 Aug 2024 11:13:20 +0200
|
||||||
|
Subject: [PATCH] grub/mkconfig: Remove check for mount point for grub cfg stub
|
||||||
|
|
||||||
|
Remove mountpoint when checking whether or not the grub cfg stub
|
||||||
|
exists and add -s to the test. This should cover scenarios where
|
||||||
|
the ESP doesn't have a seperate partition but still uses a grub
|
||||||
|
cfg stub
|
||||||
|
|
||||||
|
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
|
||||||
|
---
|
||||||
|
util/grub-mkconfig.in | 3 +--
|
||||||
|
1 file changed, 1 insertion(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
|
||||||
|
index a4972039b751..3f131eea2b12 100644
|
||||||
|
--- a/util/grub-mkconfig.in
|
||||||
|
+++ b/util/grub-mkconfig.in
|
||||||
|
@@ -115,8 +115,7 @@ do
|
||||||
|
done
|
||||||
|
|
||||||
|
os_name=$(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/' -e 's/\"//g')
|
||||||
|
-if test "x${grub_cfg}" = "x/boot/efi/EFI/$os_name/grub.cfg" &&\
|
||||||
|
- mountpoint -q /boot/efi; then
|
||||||
|
+if test -s "${grub_cfg}" && test "x${grub_cfg}" = "x/boot/efi/EFI/$os_name/grub.cfg"; then
|
||||||
|
gettext_printf "Running \`grub2-mkconfig -o %s' will overwrite the GRUB wrapper.\n" "$grub_cfg" 1>&2
|
||||||
|
gettext_printf "Please run \`grub2-mkconfig -o /boot/grub2/grub.cfg' instead to update grub.cfg.\n" 1>&2
|
||||||
|
gettext_printf "GRUB configuration file was not updated.\n" 1>&2
|
@ -0,0 +1,44 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Maximilian Luz <luzmaximilian@gmail.com>
|
||||||
|
Date: Tue, 28 Jun 2022 23:06:46 +0200
|
||||||
|
Subject: [PATCH] arm64: Use proper memory type for kernel allocation
|
||||||
|
|
||||||
|
Currently, the kernel pages are allocated with type EFI_LOADER_DATA.
|
||||||
|
While the vast majority of systems will happily execute code from those
|
||||||
|
pages (i.e. don't care about memory protection), the Microsoft Surface
|
||||||
|
Pro X stalls, as this memory is not designated as "executable".
|
||||||
|
|
||||||
|
Therefore, allocate the kernel pages as EFI_LOADER_CODE to request
|
||||||
|
memory that is actually executable.
|
||||||
|
|
||||||
|
Signed-off-by: Maximilian Luz <luzmaximilian@gmail.com>
|
||||||
|
---
|
||||||
|
grub-core/loader/arm64/linux.c | 7 ++++++-
|
||||||
|
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/grub-core/loader/arm64/linux.c b/grub-core/loader/arm64/linux.c
|
||||||
|
index 419f2201df8b..a3a193c255e9 100644
|
||||||
|
--- a/grub-core/loader/arm64/linux.c
|
||||||
|
+++ b/grub-core/loader/arm64/linux.c
|
||||||
|
@@ -26,7 +26,9 @@
|
||||||
|
#include <grub/mm.h>
|
||||||
|
#include <grub/types.h>
|
||||||
|
#include <grub/cpu/linux.h>
|
||||||
|
+#include <grub/efi/api.h>
|
||||||
|
#include <grub/efi/efi.h>
|
||||||
|
+#include <grub/cpu/efi/memory.h>
|
||||||
|
#include <grub/efi/fdtload.h>
|
||||||
|
#include <grub/efi/memory.h>
|
||||||
|
#include <grub/efi/linux.h>
|
||||||
|
@@ -403,7 +405,10 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
|
||||||
|
grub_loader_unset();
|
||||||
|
|
||||||
|
kernel_alloc_pages = GRUB_EFI_BYTES_TO_PAGES (kernel_size + align - 1);
|
||||||
|
- kernel_alloc_addr = grub_efi_allocate_any_pages (kernel_alloc_pages);
|
||||||
|
+ kernel_alloc_addr = grub_efi_allocate_pages_real (GRUB_EFI_MAX_USABLE_ADDRESS,
|
||||||
|
+ kernel_alloc_pages,
|
||||||
|
+ GRUB_EFI_ALLOCATE_MAX_ADDRESS,
|
||||||
|
+ GRUB_EFI_LOADER_CODE);
|
||||||
|
grub_dprintf ("linux", "kernel numpages: %d\n", kernel_alloc_pages);
|
||||||
|
if (!kernel_alloc_addr)
|
||||||
|
{
|
@ -4,34 +4,11 @@ if ! [[ $KERNEL_INSTALL_MACHINE_ID ]]; then
|
|||||||
exit 0
|
exit 0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# PV and PVH Xen DomU guests boot with pygrub that doesn't have BLS support,
|
|
||||||
# also Xen Dom0 use the menuentries from 20_linux_xen and not the ones from
|
|
||||||
# 10_linux. So BLS support needs to be disabled for both Xen Dom0 and DomU.
|
|
||||||
if [[ -e /sys/hypervisor/type ]] && grep -q "^xen$" /sys/hypervisor/type; then
|
|
||||||
RUN_MKCONFIG=true
|
|
||||||
DISABLE_BLS=true
|
|
||||||
fi
|
|
||||||
|
|
||||||
ARCH=$(uname -m)
|
ARCH=$(uname -m)
|
||||||
# Older ppc64le OPAL firmware (petitboot version < 1.8.0) don't have BLS support
|
# Older ppc64le OPAL firmware (petitboot version < 1.8.0) don't have BLS support
|
||||||
# so grub2-mkconfig has to be run to generate a config with menuentry commands.
|
# so grub2-mkconfig has to be run to generate a config with menuentry commands.
|
||||||
if [[ $ARCH = "ppc64le" ]] && [ -d /sys/firmware/opal ]; then
|
if [[ $ARCH = "ppc64le" ]] && [ -d /sys/firmware/opal ]; then
|
||||||
|
|
||||||
petitboot_path="/sys/firmware/devicetree/base/ibm,firmware-versions/petitboot"
|
|
||||||
|
|
||||||
if test -e ${petitboot_path}; then
|
|
||||||
read -r -d '' petitboot_version < ${petitboot_path}
|
|
||||||
petitboot_version="$(echo ${petitboot_version//v})"
|
|
||||||
major_version="$(echo ${petitboot_version} | cut -d . -f1)"
|
|
||||||
minor_version="$(echo ${petitboot_version} | cut -d . -f2)"
|
|
||||||
|
|
||||||
if test -z ${petitboot_version} || test ${major_version} -lt 1 || \
|
|
||||||
test ${major_version} -eq 1 -a ${minor_version} -lt 8; then
|
|
||||||
RUN_MKCONFIG=true
|
RUN_MKCONFIG=true
|
||||||
fi
|
|
||||||
else
|
|
||||||
RUN_MKCONFIG=true
|
|
||||||
fi
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ $DISABLE_BLS = "true" ]]; then
|
if [[ $DISABLE_BLS = "true" ]]; then
|
||||||
|
@ -589,7 +589,8 @@ install -d -m 0700 ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig \
|
|||||||
touch ${RPM_BUILD_ROOT}%{_sysconfdir}/default/grub \
|
touch ${RPM_BUILD_ROOT}%{_sysconfdir}/default/grub \
|
||||||
ln -sf ../default/grub \\\
|
ln -sf ../default/grub \\\
|
||||||
${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig/grub \
|
${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig/grub \
|
||||||
touch ${RPM_BUILD_ROOT}/boot/%{name}/grub.cfg \
|
touch grub.cfg \
|
||||||
|
install -m 0600 grub.cfg ${RPM_BUILD_ROOT}/boot/%{name}/ \
|
||||||
ln -s ../boot/%{name}/grub.cfg \\\
|
ln -s ../boot/%{name}/grub.cfg \\\
|
||||||
${RPM_BUILD_ROOT}%{_sysconfdir}/%{name}.cfg \
|
${RPM_BUILD_ROOT}%{_sysconfdir}/%{name}.cfg \
|
||||||
%{nil}
|
%{nil}
|
||||||
@ -598,7 +599,7 @@ ln -s ../boot/%{name}/grub.cfg \\\
|
|||||||
%{expand:%%files %{1}} \
|
%{expand:%%files %{1}} \
|
||||||
%defattr(-,root,root,-) \
|
%defattr(-,root,root,-) \
|
||||||
%config(noreplace) %{_sysconfdir}/%{name}.cfg \
|
%config(noreplace) %{_sysconfdir}/%{name}.cfg \
|
||||||
%ghost %config(noreplace) %attr(0700,root,root)/boot/%{name}/grub.cfg \
|
%ghost %config(noreplace) %attr(0600,root,root)/boot/%{name}/grub.cfg \
|
||||||
%dir %attr(0700,root,root)/boot/loader/entries \
|
%dir %attr(0700,root,root)/boot/loader/entries \
|
||||||
%attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/%{name}-%{1}.conf \
|
%attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/%{name}-%{1}.conf \
|
||||||
%ifarch ppc64le \
|
%ifarch ppc64le \
|
||||||
@ -633,7 +634,7 @@ ln -s ../boot/%{name}/grub.cfg \\\
|
|||||||
%endif \
|
%endif \
|
||||||
%attr(0700,root,root)/boot/%{name}/fonts \
|
%attr(0700,root,root)/boot/%{name}/fonts \
|
||||||
%dir %attr(0700,root,root)/boot/loader/entries \
|
%dir %attr(0700,root,root)/boot/loader/entries \
|
||||||
%ghost %config(noreplace) %attr(0700,root,root)/boot/%{name}/grub.cfg \
|
%ghost %config(noreplace) %attr(0600,root,root)/boot/%{name}/grub.cfg \
|
||||||
%ghost %config(noreplace) %verify(not mtime) %attr(0700,root,root)%{efi_esp_dir}/grub.cfg \
|
%ghost %config(noreplace) %verify(not mtime) %attr(0700,root,root)%{efi_esp_dir}/grub.cfg \
|
||||||
%config(noreplace) %verify(not size mode md5 mtime) /boot/%{name}/grubenv \
|
%config(noreplace) %verify(not size mode md5 mtime) /boot/%{name}/grubenv \
|
||||||
%attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/%{name}-%{1}.conf \
|
%attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/%{name}-%{1}.conf \
|
||||||
|
@ -341,3 +341,11 @@ Patch0340: 0340-fs-ntfs-Make-code-more-readable.patch
|
|||||||
Patch0341: 0341-grub_dl_set_mem_attrs-fix-format-string.patch
|
Patch0341: 0341-grub_dl_set_mem_attrs-fix-format-string.patch
|
||||||
Patch0342: 0342-grub_dl_set_mem_attrs-add-self-check-for-the-tramp-G.patch
|
Patch0342: 0342-grub_dl_set_mem_attrs-add-self-check-for-the-tramp-G.patch
|
||||||
Patch0343: 0343-grub_dl_load_segments-page-align-the-tramp-GOT-areas.patch
|
Patch0343: 0343-grub_dl_load_segments-page-align-the-tramp-GOT-areas.patch
|
||||||
|
Patch0344: 0344-grub-install-on-EFI-if-forced.patch
|
||||||
|
Patch0345: 0345-cmd-search-Rework-of-CVE-2023-4001-fix.patch
|
||||||
|
Patch0346: 0346-grub-mkconfig.in-turn-off-executable-owner-bit.patch
|
||||||
|
Patch0347: 0347-grub2-mkconfig-Ensure-grub-cfg-stub-is-not-overwritt.patch
|
||||||
|
Patch0348: 0348-chainloader-remove-device-path-debug-message.patch
|
||||||
|
Patch0349: 0349-grub2-mkconfig-Simplify-os_name-detection.patch
|
||||||
|
Patch0350: 0350-grub-mkconfig-Remove-check-for-mount-point-for-grub-.patch
|
||||||
|
Patch0351: 0351-arm64-Use-proper-memory-type-for-kernel-allocation.patch
|
||||||
|
@ -16,7 +16,7 @@
|
|||||||
Name: grub2
|
Name: grub2
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
Version: 2.06
|
Version: 2.06
|
||||||
Release: 77%{?dist}
|
Release: 92%{?dist}
|
||||||
Summary: Bootloader with support for Linux, Multiboot and more
|
Summary: Bootloader with support for Linux, Multiboot and more
|
||||||
License: GPLv3+
|
License: GPLv3+
|
||||||
URL: http://www.gnu.org/software/grub/
|
URL: http://www.gnu.org/software/grub/
|
||||||
@ -335,13 +335,29 @@ if ! mountpoint -q ${ESP_PATH}; then
|
|||||||
exit 0 # no ESP mounted, nothing to do
|
exit 0 # no ESP mounted, nothing to do
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if test ! -f ${EFI_HOME}/grub.cfg; then
|
if test ! -f ${GRUB_HOME}/grub.cfg; then
|
||||||
# there's no config in ESP, create one
|
# there's no config in GRUB home, create one
|
||||||
grub2-mkconfig -o ${EFI_HOME}/grub.cfg
|
grub2-mkconfig -o ${GRUB_HOME}/grub.cfg
|
||||||
|
else
|
||||||
|
GRUB_CFG_MODE=$(stat --format="%a" ${GRUB_HOME}/grub.cfg)
|
||||||
|
if ! test "${GRUB_CFG_MODE}" = "600"; then
|
||||||
|
# when upgrading from <=2.06-90 to newer versions, the grub config stub
|
||||||
|
# may have different mode than 0600, so set the latter if this is the case
|
||||||
|
chmod 0600 ${GRUB_HOME}/grub.cfg
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if grep -q "configfile" ${EFI_HOME}/grub.cfg; then
|
# make sure grub.cfg is present before grepping it
|
||||||
|
if test -f ${EFI_HOME}/grub.cfg; then
|
||||||
|
# need to move grub.cfg to correct dir for major version upgrade
|
||||||
|
if ! grep -q "configfile" ${EFI_HOME}/grub.cfg; then
|
||||||
|
cp -a ${EFI_HOME}/grub.cfg ${GRUB_HOME}/
|
||||||
|
chmod 0600 ${GRUB_HOME}/grub.cfg
|
||||||
|
fi
|
||||||
|
|
||||||
|
if grep -q "configfile" ${EFI_HOME}/grub.cfg && grep -q "root-dev-only" ${EFI_HOME}/grub.cfg; then
|
||||||
exit 0 # already unified, nothing to do
|
exit 0 # already unified, nothing to do
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# create a stub grub2 config in EFI
|
# create a stub grub2 config in EFI
|
||||||
@ -360,8 +376,6 @@ if test -f ${EFI_HOME}/grubenv; then
|
|||||||
mv --force ${EFI_HOME}/grubenv ${GRUB_HOME}/grubenv
|
mv --force ${EFI_HOME}/grubenv ${GRUB_HOME}/grubenv
|
||||||
fi
|
fi
|
||||||
|
|
||||||
cp -a ${EFI_HOME}/grub.cfg ${EFI_HOME}/grub.cfg.rpmsave
|
|
||||||
cp -a ${EFI_HOME}/grub.cfg ${GRUB_HOME}/
|
|
||||||
mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg
|
mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg
|
||||||
|
|
||||||
%files common -f grub.lang
|
%files common -f grub.lang
|
||||||
@ -533,6 +547,68 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Aug 13 2024 Nicolas Frayer <nfrayer@redhat.com> - 2.06-92
|
||||||
|
- arm64/linux: Allocate memory for kernel with EFI_LOADER_CODE type
|
||||||
|
- Resolves: #RHEL-49868
|
||||||
|
|
||||||
|
* Fri Aug 2 2024 Leo Sandoval <lsandova@redhat.com> - 2.06-91
|
||||||
|
- Set /boot/grub2/grub.cfg to 0600 mode if present
|
||||||
|
- Resolves: #RHEL-45870
|
||||||
|
|
||||||
|
* Thu Aug 1 2024 Nicolas Frayer <nfrayer@redhat.com> - 2.06-90
|
||||||
|
- grub2-mkconfig: Remove mountpoint check
|
||||||
|
- Related: #RHEL-32099
|
||||||
|
|
||||||
|
* Thu Aug 1 2024 Leo Sandoval <lsandova@redhat.com> - 2.06-89
|
||||||
|
- Bump release number
|
||||||
|
- Resolves: #RHEL-45870
|
||||||
|
|
||||||
|
* Wed Jul 31 2024 Leo Sandoval <lsandova@redhat.com> - 2.06-88
|
||||||
|
- grub.cfg: Fix rpm grub.cfg verification issues
|
||||||
|
- Resolves: #RHEL-45870
|
||||||
|
|
||||||
|
* Wed Jul 31 2024 Andrew Lukoshko <alukoshko@almalinux.org> - 2.06-87
|
||||||
|
- grub2-mkconfig: Simplify os_name detection
|
||||||
|
- Resolves: #RHEL-32099
|
||||||
|
|
||||||
|
* Tue Jul 16 2024 Nicolas Frayer <nfrayer@redhat.com> - 2.06-86
|
||||||
|
- chainloader: Remove unexpected "/EndEntire"
|
||||||
|
- Resolves: #RHEL-4380
|
||||||
|
|
||||||
|
* Tue Jul 16 2024 Nicolas Frayer <nfrayer@redhat.com> - 2.06-85
|
||||||
|
- grub2-mkconfig: Prevent mkconfig from overwriting grub cfg stub
|
||||||
|
- Resolves: #RHEL-32099
|
||||||
|
|
||||||
|
* Thu Jul 11 2024 Nicolas Frayer <nfrayer@redhat.com> - 2.06-84
|
||||||
|
- install/ppc64le: run grub2-mkconfig regardless of petitboot version
|
||||||
|
- Resolves: #RHEL-45161
|
||||||
|
|
||||||
|
* Mon Jul 1 2024 Leo Sandoval <lsandova@redhat.com> - 2.06-83
|
||||||
|
- grub-mkconfig.in: turn off executable owner bit
|
||||||
|
- Resolves: RHEL-45870
|
||||||
|
|
||||||
|
* Thu Jun 27 2024 Nicolas Frayer <nfrayer@redhat.com> - 2.06-82
|
||||||
|
- mkconfig/install: Remove BLS handling for XEN
|
||||||
|
- Resolves: #RHEL-4386
|
||||||
|
|
||||||
|
* Tue Jun 25 2024 Marta Lewandowska <mlewando@redhat.com> - 2.06-81
|
||||||
|
- grub.cfg: Fix an issue when doing a major version upgrade
|
||||||
|
- Resolves: #RHEL-45008
|
||||||
|
|
||||||
|
* Tue May 28 2024 Nicolas Frayer <nfrayer@redhat.com> - 2.06-80
|
||||||
|
- Added more code for the previous CVE fix
|
||||||
|
- Related: #RHEL-36249
|
||||||
|
- Related: #RHEL-36186
|
||||||
|
|
||||||
|
* Tue May 28 2024 Nicolas Frayer <nfrayer@redhat.com> - 2.06-79
|
||||||
|
- cmd/search: Rework of CVE-2023-4001 fix
|
||||||
|
- Resolves: #RHEL-36249
|
||||||
|
- Resolves: #RHEL-36186
|
||||||
|
|
||||||
|
* Thu Feb 22 2024 Nicolas Frayer <nfrayer@redhat.com> - 2.06-78
|
||||||
|
- util: grub-install on EFI if forced
|
||||||
|
- Resolves: #RHEL-20443
|
||||||
|
|
||||||
* Thu Feb 22 2024 Nicolas Frayer <nfrayer@redhat.com> - 2.06-77
|
* Thu Feb 22 2024 Nicolas Frayer <nfrayer@redhat.com> - 2.06-77
|
||||||
- kern/dl: grub_dl_set_mem_attrs()/grub_dl_load_segments() fixes
|
- kern/dl: grub_dl_set_mem_attrs()/grub_dl_load_segments() fixes
|
||||||
- Resolves: #RHEL-26322
|
- Resolves: #RHEL-26322
|
||||||
|
Loading…
Reference in New Issue
Block a user