import CS grub2-2.06-92.el9

eabdullin 2024-09-30 15:39:21 +00:00
parent a1db1ec7f5
commit 46e7ed602b
12 changed files with 553 additions and 35 deletions


@ -0,0 +1,77 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Marta Lewandowska <mlewando@redhat.com>
Date: Fri, 13 Oct 2023 09:13:41 +0200
Subject: [PATCH] grub-install on EFI if forced
UEFI Secure Boot requires signed grub binaries to work, so grub-
install should not be used. However, users who have Secure Boot
disabled and wish to use the command should not be prevented from
doing so if they invoke --force.
fixes bz#1917213 / bz#2240994
Signed-off-by: Marta Lewandowska <mlewando@redhat.com>
---
util/grub-install.c | 42 ++++++++++++++++++++++++++----------------
1 file changed, 26 insertions(+), 16 deletions(-)
diff --git a/util/grub-install.c b/util/grub-install.c
index 5babc7af5518..162162bec6e2 100644
--- a/util/grub-install.c
+++ b/util/grub-install.c
@@ -899,22 +899,6 @@ main (int argc, char *argv[])
platform = grub_install_get_target (grub_install_source_directory);
- switch (platform)
- {
- case GRUB_INSTALL_PLATFORM_ARM_EFI:
- case GRUB_INSTALL_PLATFORM_ARM64_EFI:
- case GRUB_INSTALL_PLATFORM_I386_EFI:
- case GRUB_INSTALL_PLATFORM_IA64_EFI:
- case GRUB_INSTALL_PLATFORM_X86_64_EFI:
- is_efi = 1;
- grub_util_error (_("this utility cannot be used for EFI platforms"
- " because it does not support UEFI Secure Boot"));
- break;
- default:
- is_efi = 0;
- break;
- }
-
{
char *platname = grub_install_get_platform_name (platform);
fprintf (stderr, _("Installing for %s platform.\n"), platname);
@@ -1027,6 +1011,32 @@ main (int argc, char *argv[])
grub_hostfs_init ();
grub_host_init ();
+ switch (platform)
+ {
+ case GRUB_INSTALL_PLATFORM_I386_EFI:
+ case GRUB_INSTALL_PLATFORM_X86_64_EFI:
+ case GRUB_INSTALL_PLATFORM_ARM_EFI:
+ case GRUB_INSTALL_PLATFORM_ARM64_EFI:
+ case GRUB_INSTALL_PLATFORM_RISCV32_EFI:
+ case GRUB_INSTALL_PLATFORM_RISCV64_EFI:
+ case GRUB_INSTALL_PLATFORM_IA64_EFI:
+ is_efi = 1;
+ if (!force)
+ grub_util_error (_("This utility should not be used for EFI platforms"
+ " because it does not support UEFI Secure Boot."
+ " If you really wish to proceed, invoke the --force"
+ " option.\nMake sure Secure Boot is disabled before"
+ " proceeding"));
+ break;
+ default:
+ is_efi = 0;
+ break;
+
+ /* pacify warning. */
+ case GRUB_INSTALL_PLATFORM_MAX:
+ break;
+ }
+
/* Find the EFI System Partition. */
if (is_efi)
{
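Review bot: When `--force` is given on an EFI target, the new switch reaches `break` without printing anything, so the install output carries no record that an unsigned GRUB image was written to a platform that may enforce Secure Boot. The `if (!force)` branch could gain an `else grub_util_warn (_("installing on an EFI platform because --force was given; the result will not boot with Secure Boot enabled"));`. The error text asks the user to make sure Secure Boot is disabled, but nothing in the visible lines checks the firmware state, and `force` is not specific to this check, so passing it presumably also relaxes any other check in main() that consults the same flag. That is worth stating in the `--force` help text. main() starts and ends outside the hunk.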


@ -0,0 +1,182 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Nicolas Frayer <nfrayer@redhat.com>
Date: Thu, 16 May 2024 10:58:32 +0200
Subject: [PATCH] cmd/search: Rework of CVE-2023-4001 fix
The initial fix implemented a new flag that forces the grub cfg
stub to be located on the same disk as grub. This created several
issues such as RAID machines not being able to boot as their
partition names under grub were different from the partition where
grub is located. It also simply means that any machines with the
/boot partition located on a disk other than the one containing grub
won't boot.
This commit denies booting if the grub cfg stub is located on a USB
drive with a duplicated UUID (UUID being the same as the partition
containing the actual grub cfg stub)
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
---
grub-core/commands/search.c | 136 +++++++++++++++++++++++++++++++++++++++++---
1 file changed, 127 insertions(+), 9 deletions(-)
diff --git a/grub-core/commands/search.c b/grub-core/commands/search.c
index 94fe8b2872a1..c052cb098c36 100644
--- a/grub-core/commands/search.c
+++ b/grub-core/commands/search.c
@@ -30,6 +30,8 @@
#include <grub/i18n.h>
#include <grub/disk.h>
#include <grub/partition.h>
+#include <grub/efi/api.h>
+#include <grub/time.h>
GRUB_MOD_LICENSE ("GPLv3+");
@@ -54,6 +56,100 @@ struct search_ctx
int is_cache;
};
+static int
+is_device_usb (const char *name)
+{
+ int ret = 0;
+
+ grub_device_t dev = grub_device_open(name);
+
+ if (dev)
+ {
+ struct grub_efidisk_data
+ {
+ grub_efi_handle_t handle;
+ grub_efi_device_path_t *device_path;
+ grub_efi_device_path_t *last_device_path;
+ grub_efi_block_io_t *block_io;
+ struct grub_efidisk_data *next;
+ };
+
+ if (dev->disk && dev->disk->data)
+ {
+ struct grub_efidisk_data *dp = dev->disk->data;
+
+ if ( GRUB_EFI_DEVICE_PATH_TYPE (dp->last_device_path) == GRUB_EFI_MESSAGING_DEVICE_PATH_TYPE &&
+ GRUB_EFI_DEVICE_PATH_SUBTYPE (dp->last_device_path) == GRUB_EFI_USB_DEVICE_PATH_SUBTYPE)
+ {
+ ret = 1;
+ }
+ }
+ grub_device_close(dev);
+ }
+
+ return ret;
+}
+
+static int
+get_device_uuid(const char *name, char** quid)
+{
+ int ret = 0;
+
+ grub_device_t dev_part = grub_device_open(name);
+
+ if (dev_part)
+ {
+ grub_fs_t fs;
+
+ fs = grub_fs_probe (dev_part);
+
+#ifdef DO_SEARCH_FS_UUID
+#define read_fn fs_uuid
+#else
+#define read_fn fs_label
+#endif
+ if (fs && fs->read_fn)
+ {
+ fs->read_fn (dev_part, quid);
+
+ if (grub_errno == GRUB_ERR_NONE && *quid)
+ {
+ ret = 1;
+ }
+
+ }
+ grub_device_close (dev_part);
+ }
+
+ return ret;
+}
+struct uuid_context {
+ char* name;
+ char* uuid;
+};
+
+static int
+check_for_duplicate (const char *name, void *data)
+{
+ int ret = 0;
+ struct uuid_context * uuid_ctx = (struct uuid_context *)data;
+ char *quid = 0;
+
+ get_device_uuid(name, &quid);
+
+ if (quid == NULL)
+ return 0;
+
+ if (!grub_strcasecmp(quid, uuid_ctx->uuid) && grub_strcasecmp(name, uuid_ctx->name))
+ {
+ ret = 1;
+ }
+
+ grub_free(quid);
+
+ return ret;
+}
+
/* Helper for FUNC_NAME. */
static int
iterate_device (const char *name, void *data)
@@ -104,15 +200,37 @@ iterate_device (const char *name, void *data)
grub_str_sep (root_dev, root_disk, ',', rem_1);
grub_str_sep (name, name_disk, ',', rem_2);
if (root_disk != NULL && *root_disk != '\0' &&
- name_disk != NULL && *name_disk != '\0')
- if (grub_strcmp(root_disk, name_disk) != 0)
- {
- grub_free (root_disk);
- grub_free (name_disk);
- grub_free (rem_1);
- grub_free (rem_2);
- return 0;
- }
+ name_disk != NULL && *name_disk != '\0')
+ {
+ grub_device_t dev, dev_part;
+
+ if (is_device_usb(name) && !is_device_usb(root_dev))
+ {
+ char *quid_name = NULL;
+ int longlist = 0;
+ struct uuid_context uuid_ctx;
+ int ret = 0;
+
+ get_device_uuid(name, &quid_name);
+ if (!grub_strcmp(quid_name, ctx->key))
+ {
+ uuid_ctx.name = name;
+ uuid_ctx.uuid = quid_name;
+
+ ret = grub_device_iterate (check_for_duplicate, &uuid_ctx);
+
+ if (ret)
+ {
+ grub_printf("Duplicated media UUID found, rebooting ...\n");
+ grub_sleep(10);
+ grub_reboot();
+ }
+ }
+
+ if (quid_name) grub_free (quid_name);
+
+ }
+ }
}
grub_free (root_disk);
grub_free (name_disk);
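Review bot: `is_device_usb()` casts `dev->disk->data` to a locally re-declared `struct grub_efidisk_data` without checking which disk driver owns the disk, so for any non-efidisk device (the commit message itself mentions RAID setups) `dp->last_device_path` is read out of an unrelated structure. Guard the cast with `if (dev->disk && dev->disk->dev->id == GRUB_DISK_DEVICE_EFIDISK_ID && dev->disk->data)`. In the `iterate_device()` hunk the return value of `get_device_uuid (name, &quid_name)` is ignored and `quid_name` can still be NULL when it reaches `grub_strcmp`; use `if (get_device_uuid (name, &quid_name) && !grub_strcmp (quid_name, ctx->key))`. The private copy of the struct will also drift silently if the efidisk driver's layout changes, and `dev`, `dev_part` and `longlist` are declared but unused. iterate_device() starts and ends outside the hunk.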


@ -0,0 +1,29 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Leo Sandoval <lsandova@redhat.com>
Date: Mon, 1 Jul 2024 12:52:13 -0600
Subject: [PATCH] grub-mkconfig.in: turn off executable owner bit
Stricker permissions are required on the grub.cfg file, resulting in
at most 0600 owner's file permissions. This resolves conflicting
requirement permissions on grub2-pc package's grub2.cfg file.
Resolves: RHEL-45870
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
---
util/grub-mkconfig.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
index 34f7c13fc..f47b2735d 100644
--- a/util/grub-mkconfig.in
+++ b/util/grub-mkconfig.in
@@ -320,7 +320,7 @@ and /etc/grub.d/* files or please file a bug report with
exit 1
else
# none of the children aborted with error, install the new grub.cfg
- oldumask=$(umask); umask 077
+ oldumask=$(umask); umask 177
cat ${grub_cfg}.new > ${grub_cfg}
umask $oldumask
rm -f ${grub_cfg}.new
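Review bot: `umask 177` only decides the mode of a file that the redirection creates; when `${grub_cfg}` already exists, `cat ${grub_cfg}.new > ${grub_cfg}` truncates it and keeps whatever mode it had, so an existing grub.cfg with 0700 or wider permissions is not tightened by this change. Adding `chmod 0600 "${grub_cfg}"` after the `cat` would make the resulting mode independent of the file's previous state. The enclosing if/else starts outside the hunk.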


@ -0,0 +1,40 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Nicolas Frayer <nfrayer@redhat.com>
Date: Tue, 16 Jul 2024 11:11:43 +0200
Subject: [PATCH] grub2-mkconfig: Ensure grub cfg stub is not overwritten
/boot/efi/EFI/$os_name/grub.cfg contains a grub cfg stub
that should not be overwritten by grub2-mkconfig.
Ensure that we prevent this from happening.
Signed-off-by: Marta Lewandowska <mlewando@redhat.com>
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
---
util/grub-mkconfig.in | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
index 34f7c13fc521..34d0120d0ba2 100644
--- a/util/grub-mkconfig.in
+++ b/util/grub-mkconfig.in
@@ -114,6 +114,20 @@ do
esac
done
+os_name=$(grep '^ID=' /etc/os-release | sed 's/ID=//')
+if test "$os_name" = '"rhel"'; then
+ os_name=redhat
+elif test "$os_name" = '"centos"'; then
+ os_name=centos
+fi
+if test "x${grub_cfg}" = "x/boot/efi/EFI/$os_name/grub.cfg" &&\
+ mountpoint -q /boot/efi; then
+ gettext_printf "Running \`grub2-mkconfig -o %s' will overwrite the GRUB wrapper.\n" "$grub_cfg" 1>&2
+ gettext_printf "Please run \`grub2-mkconfig -o /boot/grub2/grub.cfg' instead to update grub.cfg.\n" 1>&2
+ gettext_printf "GRUB configuration file was not updated.\n" 1>&2
+ exit 1
+fi
+
if [ "x$EUID" = "x" ] ; then
EUID=`id -u`
fi
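Review bot: The guard compares `${grub_cfg}` with the stub path as a literal string, so the same file reached through a relative path, a doubled slash, a `..` component or a symlink is not recognised and the stub is still overwritten. The later revisions of this test in patches 0349 and 0350 keep the literal comparison. Resolving the argument first, for example `grub_cfg_real=$(readlink -f -- "${grub_cfg}")`, and comparing `"x${grub_cfg_real}"` instead would cover those spellings.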


@ -0,0 +1,25 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: raravind <raravind@redhat.com>
Date: Tue, 9 May 2023 11:29:35 +0200
Subject: [PATCH] chainloader: remove device path debug message
Remove the debug message "/EndEntire" while using GRUB chainloader command.
Signed-off-by: raravind <raravind@redhat.com>
(cherry picked from commit f75f5386b7a6a7cb2e10d30f817a3564c0a28dd7)
---
grub-core/loader/efi/chainloader.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
index dd31ac9bb318..b1c86dab2b60 100644
--- a/grub-core/loader/efi/chainloader.c
+++ b/grub-core/loader/efi/chainloader.c
@@ -210,7 +210,6 @@ make_file_path (grub_efi_device_path_t *dp, const char *filename)
/* Fill the file path for the directory. */
d = (grub_efi_device_path_t *) ((char *) file_path
+ ((char *) d - (char *) dp));
- grub_efi_print_device_path (d);
if (copy_file_path ((grub_efi_file_path_device_path_t *) d,
dir_start, dir_end - dir_start) != GRUB_ERR_NONE)
{


@ -0,0 +1,30 @@
From ac5b2bc87a6c361fd504898a368f0867ef3e2679 Mon Sep 17 00:00:00 2001
From: Andrew Lukoshko <alukoshko@almalinux.org>
Date: Wed, 31 Jul 2024 16:06:10 +0000
Subject: [PATCH] grub2-mkconfig: Simplify os_name detection
---
util/grub-mkconfig.in | 7 +------
1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
index 7a0738b..ebf5150 100644
--- a/util/grub-mkconfig.in
+++ b/util/grub-mkconfig.in
@@ -114,12 +114,7 @@ do
esac
done
-os_name=$(grep '^ID=' /etc/os-release | sed 's/ID=//')
-if test "$os_name" = '"rhel"'; then
- os_name=redhat
-elif test "$os_name" = '"centos"'; then
- os_name=centos
-fi
+os_name=$(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/' -e 's/\"//g')
if test "x${grub_cfg}" = "x/boot/efi/EFI/$os_name/grub.cfg" &&\
mountpoint -q /boot/efi; then
gettext_printf "Running \`grub2-mkconfig -o %s' will overwrite the GRUB wrapper.\n" "$grub_cfg" 1>&2
--
2.43.5
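Review bot: `-e 's/rhel/redhat/'` is unanchored and runs before the quotes are stripped, so any ID that merely contains `rhel` is rewritten as well. Ordering the expressions as `sed -e 's/^ID=//' -e 's/"//g' -e 's/^rhel$/redhat/'` limits the mapping to the exact ID. The pattern passed to `grep` is now unquoted (`^ID=`), which is harmless here but inconsistent with the line it replaces.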


@ -0,0 +1,29 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Nicolas Frayer <nfrayer@redhat.com>
Date: Thu, 1 Aug 2024 11:13:20 +0200
Subject: [PATCH] grub/mkconfig: Remove check for mount point for grub cfg stub
Remove mountpoint when checking whether or not the grub cfg stub
exists and add -s to the test. This should cover scenarios where
the ESP doesn't have a seperate partition but still uses a grub
cfg stub
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
---
util/grub-mkconfig.in | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
index a4972039b751..3f131eea2b12 100644
--- a/util/grub-mkconfig.in
+++ b/util/grub-mkconfig.in
@@ -115,8 +115,7 @@ do
done
os_name=$(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/' -e 's/\"//g')
-if test "x${grub_cfg}" = "x/boot/efi/EFI/$os_name/grub.cfg" &&\
- mountpoint -q /boot/efi; then
+if test -s "${grub_cfg}" && test "x${grub_cfg}" = "x/boot/efi/EFI/$os_name/grub.cfg"; then
gettext_printf "Running \`grub2-mkconfig -o %s' will overwrite the GRUB wrapper.\n" "$grub_cfg" 1>&2
gettext_printf "Please run \`grub2-mkconfig -o /boot/grub2/grub.cfg' instead to update grub.cfg.\n" 1>&2
gettext_printf "GRUB configuration file was not updated.\n" 1>&2


@ -0,0 +1,44 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Maximilian Luz <luzmaximilian@gmail.com>
Date: Tue, 28 Jun 2022 23:06:46 +0200
Subject: [PATCH] arm64: Use proper memory type for kernel allocation
Currently, the kernel pages are allocated with type EFI_LOADER_DATA.
While the vast majority of systems will happily execute code from those
pages (i.e. don't care about memory protection), the Microsoft Surface
Pro X stalls, as this memory is not designated as "executable".
Therefore, allocate the kernel pages as EFI_LOADER_CODE to request
memory that is actually executable.
Signed-off-by: Maximilian Luz <luzmaximilian@gmail.com>
---
grub-core/loader/arm64/linux.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/grub-core/loader/arm64/linux.c b/grub-core/loader/arm64/linux.c
index 419f2201df8b..a3a193c255e9 100644
--- a/grub-core/loader/arm64/linux.c
+++ b/grub-core/loader/arm64/linux.c
@@ -26,7 +26,9 @@
#include <grub/mm.h>
#include <grub/types.h>
#include <grub/cpu/linux.h>
+#include <grub/efi/api.h>
#include <grub/efi/efi.h>
+#include <grub/cpu/efi/memory.h>
#include <grub/efi/fdtload.h>
#include <grub/efi/memory.h>
#include <grub/efi/linux.h>
@@ -403,7 +405,10 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
grub_loader_unset();
kernel_alloc_pages = GRUB_EFI_BYTES_TO_PAGES (kernel_size + align - 1);
- kernel_alloc_addr = grub_efi_allocate_any_pages (kernel_alloc_pages);
+ kernel_alloc_addr = grub_efi_allocate_pages_real (GRUB_EFI_MAX_USABLE_ADDRESS,
+ kernel_alloc_pages,
+ GRUB_EFI_ALLOCATE_MAX_ADDRESS,
+ GRUB_EFI_LOADER_CODE);
grub_dprintf ("linux", "kernel numpages: %d\n", kernel_alloc_pages);
if (!kernel_alloc_addr)
{
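Review bot: The reason for replacing `grub_efi_allocate_any_pages()` with `grub_efi_allocate_pages_real (..., GRUB_EFI_LOADER_CODE)` lives only in the commit message. A comment above the call, such as `/* Allocate as loader code: firmware that treats EFI_LOADER_DATA as non-executable will not run the kernel from data pages. */`, would stop a later cleanup from reverting to the shorter helper. Whether both added includes are needed cannot be seen from the hunk. grub_cmd_linux() starts and ends outside the hunk.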


@ -4,34 +4,11 @@ if ! [[ $KERNEL_INSTALL_MACHINE_ID ]]; then
exit 0 exit 0
fi fi
# PV and PVH Xen DomU guests boot with pygrub that doesn't have BLS support,
# also Xen Dom0 use the menuentries from 20_linux_xen and not the ones from
# 10_linux. So BLS support needs to be disabled for both Xen Dom0 and DomU.
if [[ -e /sys/hypervisor/type ]] && grep -q "^xen$" /sys/hypervisor/type; then
RUN_MKCONFIG=true
DISABLE_BLS=true
fi
ARCH=$(uname -m) ARCH=$(uname -m)
# Older ppc64le OPAL firmware (petitboot version < 1.8.0) don't have BLS support # Older ppc64le OPAL firmware (petitboot version < 1.8.0) don't have BLS support
# so grub2-mkconfig has to be run to generate a config with menuentry commands. # so grub2-mkconfig has to be run to generate a config with menuentry commands.
if [[ $ARCH = "ppc64le" ]] && [ -d /sys/firmware/opal ]; then if [[ $ARCH = "ppc64le" ]] && [ -d /sys/firmware/opal ]; then
petitboot_path="/sys/firmware/devicetree/base/ibm,firmware-versions/petitboot"
if test -e ${petitboot_path}; then
read -r -d '' petitboot_version < ${petitboot_path}
petitboot_version="$(echo ${petitboot_version//v})"
major_version="$(echo ${petitboot_version} | cut -d . -f1)"
minor_version="$(echo ${petitboot_version} | cut -d . -f2)"
if test -z ${petitboot_version} || test ${major_version} -lt 1 || \
test ${major_version} -eq 1 -a ${minor_version} -lt 8; then
RUN_MKCONFIG=true RUN_MKCONFIG=true
fi
else
RUN_MKCONFIG=true
fi
fi fi
if [[ $DISABLE_BLS = "true" ]]; then if [[ $DISABLE_BLS = "true" ]]; then


@ -589,7 +589,8 @@ install -d -m 0700 ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig \
touch ${RPM_BUILD_ROOT}%{_sysconfdir}/default/grub \ touch ${RPM_BUILD_ROOT}%{_sysconfdir}/default/grub \
ln -sf ../default/grub \\\ ln -sf ../default/grub \\\
${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig/grub \ ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig/grub \
touch ${RPM_BUILD_ROOT}/boot/%{name}/grub.cfg \ touch grub.cfg \
install -m 0600 grub.cfg ${RPM_BUILD_ROOT}/boot/%{name}/ \
ln -s ../boot/%{name}/grub.cfg \\\ ln -s ../boot/%{name}/grub.cfg \\\
${RPM_BUILD_ROOT}%{_sysconfdir}/%{name}.cfg \ ${RPM_BUILD_ROOT}%{_sysconfdir}/%{name}.cfg \
%{nil} %{nil}
@ -598,7 +599,7 @@ ln -s ../boot/%{name}/grub.cfg \\\
%{expand:%%files %{1}} \ %{expand:%%files %{1}} \
%defattr(-,root,root,-) \ %defattr(-,root,root,-) \
%config(noreplace) %{_sysconfdir}/%{name}.cfg \ %config(noreplace) %{_sysconfdir}/%{name}.cfg \
%ghost %config(noreplace) %attr(0700,root,root)/boot/%{name}/grub.cfg \ %ghost %config(noreplace) %attr(0600,root,root)/boot/%{name}/grub.cfg \
%dir %attr(0700,root,root)/boot/loader/entries \ %dir %attr(0700,root,root)/boot/loader/entries \
%attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/%{name}-%{1}.conf \ %attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/%{name}-%{1}.conf \
%ifarch ppc64le \ %ifarch ppc64le \
@ -633,7 +634,7 @@ ln -s ../boot/%{name}/grub.cfg \\\
%endif \ %endif \
%attr(0700,root,root)/boot/%{name}/fonts \ %attr(0700,root,root)/boot/%{name}/fonts \
%dir %attr(0700,root,root)/boot/loader/entries \ %dir %attr(0700,root,root)/boot/loader/entries \
%ghost %config(noreplace) %attr(0700,root,root)/boot/%{name}/grub.cfg \ %ghost %config(noreplace) %attr(0600,root,root)/boot/%{name}/grub.cfg \
%ghost %config(noreplace) %verify(not mtime) %attr(0700,root,root)%{efi_esp_dir}/grub.cfg \ %ghost %config(noreplace) %verify(not mtime) %attr(0700,root,root)%{efi_esp_dir}/grub.cfg \
%config(noreplace) %verify(not size mode md5 mtime) /boot/%{name}/grubenv \ %config(noreplace) %verify(not size mode md5 mtime) /boot/%{name}/grubenv \
%attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/%{name}-%{1}.conf \ %attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/%{name}-%{1}.conf \
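Review bot: Both `/boot/%{name}/grub.cfg` entries move to 0600 while the `%{efi_esp_dir}/grub.cfg` entry in the second file list stays at `%attr(0700,root,root)`. If that is deliberate (presumably because modes on the ESP come from its mount options), a short comment above the macro saying so would keep the next cleanup from "fixing" it and breaking `rpm -V`. In the install macro, `touch grub.cfg` followed by `install -m 0600 grub.cfg ${RPM_BUILD_ROOT}/boot/%{name}/` also leaves a stray `grub.cfg` in the build directory.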


@ -341,3 +341,11 @@ Patch0340: 0340-fs-ntfs-Make-code-more-readable.patch
Patch0341: 0341-grub_dl_set_mem_attrs-fix-format-string.patch Patch0341: 0341-grub_dl_set_mem_attrs-fix-format-string.patch
Patch0342: 0342-grub_dl_set_mem_attrs-add-self-check-for-the-tramp-G.patch Patch0342: 0342-grub_dl_set_mem_attrs-add-self-check-for-the-tramp-G.patch
Patch0343: 0343-grub_dl_load_segments-page-align-the-tramp-GOT-areas.patch Patch0343: 0343-grub_dl_load_segments-page-align-the-tramp-GOT-areas.patch
Patch0344: 0344-grub-install-on-EFI-if-forced.patch
Patch0345: 0345-cmd-search-Rework-of-CVE-2023-4001-fix.patch
Patch0346: 0346-grub-mkconfig.in-turn-off-executable-owner-bit.patch
Patch0347: 0347-grub2-mkconfig-Ensure-grub-cfg-stub-is-not-overwritt.patch
Patch0348: 0348-chainloader-remove-device-path-debug-message.patch
Patch0349: 0349-grub2-mkconfig-Simplify-os_name-detection.patch
Patch0350: 0350-grub-mkconfig-Remove-check-for-mount-point-for-grub-.patch
Patch0351: 0351-arm64-Use-proper-memory-type-for-kernel-allocation.patch


@ -16,7 +16,7 @@
Name: grub2 Name: grub2
Epoch: 1 Epoch: 1
Version: 2.06 Version: 2.06
Release: 77%{?dist} Release: 92%{?dist}
Summary: Bootloader with support for Linux, Multiboot and more Summary: Bootloader with support for Linux, Multiboot and more
License: GPLv3+ License: GPLv3+
URL: http://www.gnu.org/software/grub/ URL: http://www.gnu.org/software/grub/
@ -335,13 +335,29 @@ if ! mountpoint -q ${ESP_PATH}; then
exit 0 # no ESP mounted, nothing to do exit 0 # no ESP mounted, nothing to do
fi fi
if test ! -f ${EFI_HOME}/grub.cfg; then if test ! -f ${GRUB_HOME}/grub.cfg; then
# there's no config in ESP, create one # there's no config in GRUB home, create one
grub2-mkconfig -o ${EFI_HOME}/grub.cfg grub2-mkconfig -o ${GRUB_HOME}/grub.cfg
else
GRUB_CFG_MODE=$(stat --format="%a" ${GRUB_HOME}/grub.cfg)
if ! test "${GRUB_CFG_MODE}" = "600"; then
# when upgrading from <=2.06-90 to newer versions, the grub config stub
# may have different mode than 0600, so set the latter if this is the case
chmod 0600 ${GRUB_HOME}/grub.cfg
fi
fi fi
if grep -q "configfile" ${EFI_HOME}/grub.cfg; then # make sure grub.cfg is present before grepping it
if test -f ${EFI_HOME}/grub.cfg; then
# need to move grub.cfg to correct dir for major version upgrade
if ! grep -q "configfile" ${EFI_HOME}/grub.cfg; then
cp -a ${EFI_HOME}/grub.cfg ${GRUB_HOME}/
chmod 0600 ${GRUB_HOME}/grub.cfg
fi
if grep -q "configfile" ${EFI_HOME}/grub.cfg && grep -q "root-dev-only" ${EFI_HOME}/grub.cfg; then
exit 0 # already unified, nothing to do exit 0 # already unified, nothing to do
fi
fi fi
# create a stub grub2 config in EFI # create a stub grub2 config in EFI
@ -360,8 +376,6 @@ if test -f ${EFI_HOME}/grubenv; then
mv --force ${EFI_HOME}/grubenv ${GRUB_HOME}/grubenv mv --force ${EFI_HOME}/grubenv ${GRUB_HOME}/grubenv
fi fi
cp -a ${EFI_HOME}/grub.cfg ${EFI_HOME}/grub.cfg.rpmsave
cp -a ${EFI_HOME}/grub.cfg ${GRUB_HOME}/
mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg
%files common -f grub.lang %files common -f grub.lang
@ -533,6 +547,68 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg
%endif %endif
%changelog %changelog
* Tue Aug 13 2024 Nicolas Frayer <nfrayer@redhat.com> - 2.06-92
- arm64/linux: Allocate memory for kernel with EFI_LOADER_CODE type
- Resolves: #RHEL-49868
* Fri Aug 2 2024 Leo Sandoval <lsandova@redhat.com> - 2.06-91
- Set /boot/grub2/grub.cfg to 0600 mode if present
- Resolves: #RHEL-45870
* Thu Aug 1 2024 Nicolas Frayer <nfrayer@redhat.com> - 2.06-90
- grub2-mkconfig: Remove mountpoint check
- Related: #RHEL-32099
* Thu Aug 1 2024 Leo Sandoval <lsandova@redhat.com> - 2.06-89
- Bump release number
- Resolves: #RHEL-45870
* Wed Jul 31 2024 Leo Sandoval <lsandova@redhat.com> - 2.06-88
- grub.cfg: Fix rpm grub.cfg verification issues
- Resolves: #RHEL-45870
* Wed Jul 31 2024 Andrew Lukoshko <alukoshko@almalinux.org> - 2.06-87
- grub2-mkconfig: Simplify os_name detection
- Resolves: #RHEL-32099
* Tue Jul 16 2024 Nicolas Frayer <nfrayer@redhat.com> - 2.06-86
- chainloader: Remove unexpected "/EndEntire"
- Resolves: #RHEL-4380
* Tue Jul 16 2024 Nicolas Frayer <nfrayer@redhat.com> - 2.06-85
- grub2-mkconfig: Prevent mkconfig from overwriting grub cfg stub
- Resolves: #RHEL-32099
* Thu Jul 11 2024 Nicolas Frayer <nfrayer@redhat.com> - 2.06-84
- install/ppc64le: run grub2-mkconfig regardless of petitboot version
- Resolves: #RHEL-45161
* Mon Jul 1 2024 Leo Sandoval <lsandova@redhat.com> - 2.06-83
- grub-mkconfig.in: turn off executable owner bit
- Resolves: RHEL-45870
* Thu Jun 27 2024 Nicolas Frayer <nfrayer@redhat.com> - 2.06-82
- mkconfig/install: Remove BLS handling for XEN
- Resolves: #RHEL-4386
* Tue Jun 25 2024 Marta Lewandowska <mlewando@redhat.com> - 2.06-81
- grub.cfg: Fix an issue when doing a major version upgrade
- Resolves: #RHEL-45008
* Tue May 28 2024 Nicolas Frayer <nfrayer@redhat.com> - 2.06-80
- Added more code for the previous CVE fix
- Related: #RHEL-36249
- Related: #RHEL-36186
* Tue May 28 2024 Nicolas Frayer <nfrayer@redhat.com> - 2.06-79
- cmd/search: Rework of CVE-2023-4001 fix
- Resolves: #RHEL-36249
- Resolves: #RHEL-36186
* Thu Feb 22 2024 Nicolas Frayer <nfrayer@redhat.com> - 2.06-78
- util: grub-install on EFI if forced
- Resolves: #RHEL-20443
* Thu Feb 22 2024 Nicolas Frayer <nfrayer@redhat.com> - 2.06-77 * Thu Feb 22 2024 Nicolas Frayer <nfrayer@redhat.com> - 2.06-77
- kern/dl: grub_dl_set_mem_attrs()/grub_dl_load_segments() fixes - kern/dl: grub_dl_set_mem_attrs()/grub_dl_load_segments() fixes
- Resolves: #RHEL-26322 - Resolves: #RHEL-26322
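Review bot: In the scriptlet hunk at `@ -360,8 +376,6 @`, the two `cp -a` lines before `mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg` are dropped, so an existing ESP `grub.cfg` that contains `configfile` but lacks `root-dev-only` is now replaced with no saved copy. The earlier hunk only copies the ESP file to `${GRUB_HOME}` when it does not contain `configfile`, so a locally edited stub is lost. Keeping `cp -a ${EFI_HOME}/grub.cfg ${EFI_HOME}/grub.cfg.rpmsave` ahead of the `mv` would preserve it. In the same scriptlet, the `stat`/compare/`chmod` sequence can be a single unconditional `chmod 0600 ${GRUB_HOME}/grub.cfg`, since setting the mode is idempotent.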