import grub2-2.06-13.el9

2021-12-07 14:25:16 -05:00 · 2021-12-07 14:25:16 -05:00 · 754cdd53a6
parent 86074b0448
commit 754cdd53a6
11 changed files with 181 additions and 34 deletions
--- a/SOURCES/0179-Add-suport-for-signing-grub-with-an-appended-signatu.patch
+++ b/SOURCES/0179-Add-suport-for-signing-grub-with-an-appended-signatu.patch
@ -44,12 +44,12 @@ I will be proposing this for inclusion in a future Power Architecture
 Platform Reference (PAPR).
 ---
 util/grub-install-common.c  | 18 ++++++++++++++++--
- util/grub-mkimage.c         | 16 ++++++++++++++--
+ util/grub-mkimage.c         | 15 +++++++++++++--
 util/grub-mkimagexx.c       | 39 ++++++++++++++++++++++++++++++++++++++-
 util/mkimage.c              | 13 +++++++------
 include/grub/util/install.h |  8 ++++++--
 include/grub/util/mkimage.h |  4 ++--
- 6 files changed, 83 insertions(+), 15 deletions(-)
+ 6 files changed, 82 insertions(+), 15 deletions(-)

 diff --git a/util/grub-install-common.c b/util/grub-install-common.c
 index 4e212e690c5..aab2a941f85 100644
@ -106,14 +106,14 @@ index 4e212e690c5..aab2a941f85 100644
   while (dc--)
     grub_install_pop_module ();
 diff --git a/util/grub-mkimage.c b/util/grub-mkimage.c
-index c0d55993702..26d1ecbf74e 100644
+index c0d55993702..8a53310548b 100644
 --- a/util/grub-mkimage.c
 +++ b/util/grub-mkimage.c
@@ -84,6 +84,7 @@ static struct argp_option options[] = {
   {"sbat", 's', N_("FILE"), 0, N_("SBAT metadata"), 0},
   {"disable-shim-lock", GRUB_INSTALL_OPTIONS_DISABLE_SHIM_LOCK, 0, 0, N_("disable shim_lock verifier"), 0},
   {"verbose",     'v', 0,      0, N_("print verbose messages."), 0},
-+  {"appended-signature-size", 's', N_("SIZE"), 0, N_("Add a note segment reserving SIZE bytes for an appended signature"), 0},
+  {"appended-signature-size", 'S', N_("SIZE"), 0, N_("Add a note segment reserving SIZE bytes for an appended signature"), 0},
   { 0, 0, 0, 0, 0, 0 }
 };
 
@ -147,14 +147,13 @@ index c0d55993702..26d1ecbf74e 100644
     case 'm':
       if (arguments->memdisk)
 	free (arguments->memdisk);
-@@ -324,8 +334,10 @@ main (int argc, char *argv[])
+@@ -324,8 +334,9 @@ main (int argc, char *argv[])
 			       arguments.memdisk, arguments.pubkeys,
 			       arguments.npubkeys, arguments.config,
 			       arguments.image_target, arguments.note,
 -			       arguments.comp, arguments.dtb,
 -			       arguments.sbat, arguments.disable_shim_lock);
-+
-+			       arguments.comp, arguments.appsig_size,
+			       arguments.appsig_size, arguments.comp,
 +			       arguments.dtb, arguments.sbat,
 +			       arguments.disable_shim_lock);
 
--- a/SOURCES/0191-grub-install-support-embedding-x509-certificates.patch
+++ b/SOURCES/0191-grub-install-support-embedding-x509-certificates.patch
@ -94,7 +94,7 @@ index aab2a941f85..422f82362c7 100644
 			       disable_shim_lock);
   while (dc--)
 diff --git a/util/grub-mkimage.c b/util/grub-mkimage.c
-index 26d1ecbf74e..c5cdda498eb 100644
+index 8a53310548b..e1f1112784a 100644
 --- a/util/grub-mkimage.c
 +++ b/util/grub-mkimage.c
@@ -75,7 +75,8 @@ static struct argp_option options[] = {
@ -138,8 +138,8 @@ index 26d1ecbf74e..c5cdda498eb 100644
 +			       arguments.npubkeys, arguments.x509keys,
 +			       arguments.nx509keys, arguments.config,
 			       arguments.image_target, arguments.note,
- 
- 			       arguments.comp, arguments.appsig_size,
+ 			       arguments.appsig_size, arguments.comp,
+ 			       arguments.dtb, arguments.sbat,
 diff --git a/util/mkimage.c b/util/mkimage.c
 index bab12276010..8319e8dfbde 100644
 --- a/util/mkimage.c
--- a/SOURCES/0222-Print-module-name-on-license-check-failure.patch
+++ b/SOURCES/0222-Print-module-name-on-license-check-failure.patch
@ -0,0 +1,48 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Tue, 12 Oct 2021 12:34:23 -0400
+Subject: [PATCH] Print module name on license check failure
+
+At the very least, this will make it easier to track down the problem
+module - or, if something else has gone wrong, provide more information
+for debugging.
+
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+---
+ grub-core/kern/dl.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/kern/dl.c b/grub-core/kern/dl.c
+index 9557254035e..f3044945742 100644
+--- a/grub-core/kern/dl.c
+++ b/grub-core/kern/dl.c
+@@ -528,14 +528,16 @@ grub_dl_find_section_index (Elf_Ehdr *e, const char *name)
+    Be sure to understand your license obligations.
+ */
+ static grub_err_t
+-grub_dl_check_license (Elf_Ehdr *e)
+grub_dl_check_license (grub_dl_t mod, Elf_Ehdr *e)
+ {
+   Elf_Shdr *s = grub_dl_find_section (e, ".module_license");
+   if (s && (grub_strcmp ((char *) e + s->sh_offset, "LICENSE=GPLv3") == 0
+ 	    || grub_strcmp ((char *) e + s->sh_offset, "LICENSE=GPLv3+") == 0
+ 	    || grub_strcmp ((char *) e + s->sh_offset, "LICENSE=GPLv2+") == 0))
+     return GRUB_ERR_NONE;
+-  return grub_error (GRUB_ERR_BAD_MODULE, "incompatible license");
+  return grub_error (GRUB_ERR_BAD_MODULE,
+		     "incompatible license in module %s: %s", mod->name,
+		     (char *) e + s->sh_offset);
+ }
+ 
+ static grub_err_t
+@@ -743,8 +745,8 @@ grub_dl_load_core_noinit (void *addr, grub_size_t size)
+      constitutes linking) and GRUB core being licensed under GPLv3+.
+      Be sure to understand your license obligations.
+   */
+-  if (grub_dl_check_license (e)
+-      || grub_dl_resolve_name (mod, e)
+  if (grub_dl_resolve_name (mod, e)
+      || grub_dl_check_license (mod, e)
+       || grub_dl_resolve_dependencies (mod, e)
+       || grub_dl_load_segments (mod, e)
+       || grub_dl_resolve_symbols (mod, e)
--- a/SOURCES/0223-powerpc-ieee1275-load-grub-at-4MB-not-2MB.patch
+++ b/SOURCES/0223-powerpc-ieee1275-load-grub-at-4MB-not-2MB.patch
@ -0,0 +1,106 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Fri, 22 Oct 2021 09:53:15 +1100
+Subject: [PATCH] powerpc-ieee1275: load grub at 4MB, not 2MB
+
+This was first reported under PFW but reproduces under SLOF.
+
+ - The core.elf was 2126152 = 0x207148 bytes in size with the following
+   program headers (per readelf):
+
+Entry point 0x200000
+There are 4 program headers, starting at offset 52
+
+Program Headers:
+  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
+  LOAD           0x000160 0x00200000 0x00200000 0x21f98 0x2971c RWE 0x8
+  GNU_STACK      0x0220f8 0x00000000 0x00000000 0x00000 0x00000 RWE 0x4
+  LOAD           0x0220f8 0x00232000 0x00232000 0x1e4e50 0x1e4e50 RWE 0x4
+  NOTE           0x206f48 0x00000000 0x00000000 0x00200 0x00000 R   0x4
+
+ - SLOF places the ELF file at 0x4000 (after the reserved space for
+   interrupt handlers etc.) upwards. The image was 2126152 = 0x207148
+   bytes in size, so it runs from 0x4000 - 0x20b148. We'll call 0x4000 the
+   load address.
+
+0x0        0x4000         0x20b148
+ |----------|--------------|
+ | reserved | ELF contents |
+
+ - SLOF then copies the first LOAD program header (for .text). That runs
+   for 0x21f98 bytes. It runs from
+      (load addr + 0x160) to (load addr + 0x160 + 0x21f98)
+    = 0x4160 to 0x260f8
+   and we copy it to 0x200000 to 0x221f98. This overwrites the end of the
+   image:
+
+0x0       0x4000     0x200000        0x221f98
+ |----------|------------|---------------|
+ | reserved | ELF cont.. | .text section |
+
+ - SLOF zeros the bss up to PhysAddr + MemSize = 0x22971c
+
+0x0       0x4000      0x200000       0x221f98 0x22971c
+ |----------|------------|---------------|--------|
+ | reserved | ELF cont.. | .text section | bss 0s |
+
+ - SLOF then goes to fulfil the next LOAD header (for mods), which is
+   for 0x1e4e50 bytes. We copy from
+      (load addr + 0x220f8) to (load addr + 0x220f8 + 0x1e4e50)
+    = 0x260f8 to 0x20af48
+   and we copy it to 0x232000 to 0x416e50:
+
+0x0       0x4000      0x200000       0x221f98 0x22971c
+ |----------|------------|---------------|--------|
+ | reserved | ELF cont.. | .text section | bss 0s |
+               |-------------|
+               | copied area |
+            0x260f8      0x20af48
+
+   This goes poorly:
+
+0x0       0x4000      0x200000       0x221f98 0x22971c 0x232000 0x40bf08      0x416e50
+ |----------|------------|---------------|--------|-----|-----------|-------------|
+ | reserved | ELF cont.. | .text section | bss 0s | pad | some mods | .text start |
+
+This matches the observations on the running system - 0x40bf08 was where
+the contents of memory no longer matched the contents of the ELF file.
+
+This was reported as a license verification failure on SLOF as the
+last module's .module_license section fell past where the corruption
+began.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+[rharwood@redhat.com: trim very detailed commit message]
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+---
+ grub-core/Makefile.core.def | 2 +-
+ include/grub/offsets.h      | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
+index 3f3459b2c70..6b00eb55575 100644
+--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
+@@ -89,7 +89,7 @@ kernel = {
+   i386_xen_pvh_ldflags     = '$(TARGET_IMG_BASE_LDOPT),0x100000';
+ 
+   mips_loongson_ldflags    = '-Wl,-Ttext,0x80200000';
+-  powerpc_ieee1275_ldflags = '-Wl,-Ttext,0x200000';
+  powerpc_ieee1275_ldflags = '-Wl,-Ttext,0x400000';
+   sparc64_ieee1275_ldflags = '-Wl,-Ttext,0x4400';
+   mips_arc_ldflags    = '-Wl,-Ttext,$(TARGET_LINK_ADDR)';
+   mips_qemu_mips_ldflags    = '-Wl,-Ttext,0x80200000';
+diff --git a/include/grub/offsets.h b/include/grub/offsets.h
+index 871e1cd4c38..69211aa798b 100644
+--- a/include/grub/offsets.h
+++ b/include/grub/offsets.h
+@@ -63,7 +63,7 @@
+ #define GRUB_KERNEL_SPARC64_IEEE1275_LINK_ADDR 0x4400
+ 
+ #define GRUB_KERNEL_POWERPC_IEEE1275_LINK_ALIGN 4
+-#define GRUB_KERNEL_POWERPC_IEEE1275_LINK_ADDR 0x200000
+#define GRUB_KERNEL_POWERPC_IEEE1275_LINK_ADDR 0x400000
+ 
+ #define GRUB_KERNEL_MIPS_LOONGSON_LINK_ADDR         0x80200000
+ 
--- a/SOURCES/grub.macros
+++ b/SOURCES/grub.macros
@ -391,8 +391,8 @@ rm -f %{1}.conf							\
 %{expand:%%{pesign -s -i %%{2}.orig -o %%{2}.onesig -a %%{5} -c %%{6} -n %%{7}}}	\
 %{expand:%%{pesign -s -i %%{3}.orig -o %%{3}.onesig -a %%{5} -c %%{6} -n %%{7}}}	\
 %{expand:%%define __pesign_client_cert %{name}-signer} \
-%{expand:%%{pesign -s -i %%{2}.onesig -o %%{2} -a %%{8} -c %%{9} -n %%{10}}}	\
-%{expand:%%{pesign -s -i %%{3}.onesig -o %%{3} -a %%{8} -c %%{9} -n %%{10}}}	\
+%{expand:%%{pesign -s -i %%{2}.onesig -o %%{2} -a %%{5} -c %%{6} -n %%{7}}}	\
+%{expand:%%{pesign -s -i %%{3}.onesig -o %%{3} -a %%{5} -c %%{6} -n %%{7}}}	\
 %{nil}
 %else
 %define mkimage()						\
@ -419,14 +419,14 @@ GRUB_MODULES="	all_video boot blscfg btrfs			\\\
 		search_label serial sleep syslinuxcfg test tftp	\\\
 		version video xfs zstd "			\
 GRUB_MODULES+=%{efi_modules}					\
-%{expand:%%{mkimage %{1} %{2} %{3} %{4} %{5} %{6} %{7} %{8} %{9} %{10}}}			\
+%{expand:%%{mkimage %{1} %{2} %{3} %{4}}}			\
 %{nil}

 %define do_primary_efi_build()					\
 cd grub-%{1}-%{tarversion}					\
 %{expand:%%do_efi_configure %%{4} %%{5} %%{6}}			\
 %do_efi_build_all						\
-%{expand:%%do_efi_build_images %{grub_target_name} %{2} %{3} ./  %{7} %{8} %{9} %{10} %{11} %{12}} \
+%{expand:%%do_efi_build_images %{grub_target_name} %{2} %{3} ./ } \
 cd ..								\
 %{nil}

@ -435,7 +435,7 @@ cd grub-%{1}-%{tarversion}					\
 %{expand:%%do_efi_configure %%{4} %%{5} %%{6}}			\
 %do_efi_build_modules						\
 %{expand:%%do_efi_link_utils %{grubefiarch}}			\
-%{expand:%%do_efi_build_images %{alt_grub_target_name} %{2} %{3} ../grub-%{grubefiarch}-%{tarversion}/ %{7} %{8} %{9} %{10} %{11} %{12}} \
+%{expand:%%do_efi_build_images %{alt_grub_target_name} %{2} %{3} ../grub-%{grubefiarch}-%{tarversion}/ } \
 cd ..								\
 %{nil}

--- a/SOURCES/grub.patches
+++ b/SOURCES/grub.patches
@ -219,3 +219,5 @@ Patch0218: 0218-powerpc-adjust-setting-of-prefix-for-signed-binary-c.patch
 Patch0219: 0219-powerpc-fix-prefix-signed-grub-special-case-for-Powe.patch
 Patch0220: 0220-Arm-check-for-the-PE-magic-for-the-compiled-arch.patch
 Patch0221: 0221-fs-xfs-Fix-unreadable-filesystem-with-v4-superblock.patch
+Patch0222: 0222-Print-module-name-on-license-check-failure.patch
+Patch0223: 0223-powerpc-ieee1275-load-grub-at-4MB-not-2MB.patch
--- a/SOURCES/redhatsecureboot301.cer
+++ b/SOURCES/redhatsecureboot301.cer
--- a/SOURCES/redhatsecureboot502.cer
+++ b/SOURCES/redhatsecureboot502.cer
--- a/SOURCES/redhatsecurebootca3.cer
+++ b/SOURCES/redhatsecurebootca3.cer
--- a/SOURCES/redhatsecurebootca5.cer
+++ b/SOURCES/redhatsecurebootca5.cer
--- a/SPECS/grub2.spec
+++ b/SPECS/grub2.spec
@ -14,7 +14,7 @@
 Name:		grub2
 Epoch:		1
 Version:	2.06
-Release:	6%{?dist}
+Release:	13%{?dist}
 Summary:	Bootloader with support for Linux, Multiboot and more
 License:	GPLv3+
 URL:		http://www.gnu.org/software/grub/
@ -32,10 +32,6 @@ Source9:	strtoull_test.c
 Source10:	20-grub.install
 Source11:	grub.patches
 Source12:	sbat.csv.in
-Source13:	redhatsecurebootca3.cer
-Source14:	redhatsecureboot301.cer
-Source15:	redhatsecurebootca5.cer
-Source16:	redhatsecureboot502.cer

 %include %{SOURCE1}

@ -196,10 +192,10 @@ git commit -m "After making subdirs"

 %build
 %if 0%{with_efi_arch}
-%{expand:%do_primary_efi_build %%{grubefiarch} %%{grubefiname} %%{grubeficdname} %%{_target_platform} %%{efi_target_cflags} %%{efi_host_cflags} %{SOURCE13} %{SOURCE14} redhatsecureboot301 %{SOURCE15} %{SOURCE16} redhatsecureboot502}
+%{expand:%do_primary_efi_build %%{grubefiarch} %%{grubefiname} %%{grubeficdname} %%{_target_platform} %%{efi_target_cflags} %%{efi_host_cflags}}
 %endif
 %if 0%{with_alt_efi_arch}
-%{expand:%do_alt_efi_build %%{grubaltefiarch} %%{grubaltefiname} %%{grubalteficdname} %%{_alt_target_platform} %%{alt_efi_target_cflags} %%{alt_efi_host_cflags} %{SOURCE13} %{SOURCE14} redhatsecureboot301 %{SOURCE15} %{SOURCE16} redhatsecureboot502}
+%{expand:%do_alt_efi_build %%{grubaltefiarch} %%{grubaltefiname} %%{grubalteficdname} %%{_alt_target_platform} %%{alt_efi_target_cflags} %%{alt_efi_host_cflags}}
 %endif
 %if 0%{with_legacy_arch}
 %{expand:%do_legacy_build %%{grublegacyarch}}
@ -527,25 +523,21 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg
 %endif

 %changelog
-* Tue Oct 05 2021 Robbie Harwood <rharwood@redhat.com> - 2.06-6
- Fix booting with XFSv4 partitions
-  Resolves: rhbz#2006993
+* Fri Nov 19 2021 Robbie Harwood <rharwood@redhat.com> - 2.06-13
+- Rebuild for gating; no code changes
+- Resolves: rhbz#2006784

-* Thu Sep 30 2021 Peter Jones <pjones@redhat.com> - 2.06-5
- Rebuild for correct signatures once more.
-  Resolves: rhbz#1976771
-
-* Thu Sep 30 2021 Peter Jones <pjones@redhat.com> - 2.06-4
- Rebuild for correct signatures
-  Resolves: rhbz#1976771
+* Tue Oct 26 2021 Robbie Harwood <rharwood@redhat.com> - 2.06-12
+- Sync with beta changes (version jump because our process is bad)
+  Resolves: rhbz#2006784

 * Mon Sep 27 2021 Robbie Harwood <rharwood@redhat.com> - 2.06-3
 - Rebuild for gating + rpminspect
-  Resolves: rhbz#1976771
+  Resolves: rhbz#2006784

 * Wed Sep 22 2021 Robbie Harwood <rharwood@redhat.com> - 2.06-2
 - Rebuild because our CI infrastructure doesn't work right
-  Resolves: rhbz#1976771
+  Resolves: rhbz#2006784

 * Tue Aug 31 2021 Javier Martinez Canillas <javierm@redhat.com> - 2.06-1
 - Update to 2.06 final release and ton of fixes