diff --git a/SOURCES/0179-Add-suport-for-signing-grub-with-an-appended-signatu.patch b/SOURCES/0179-Add-suport-for-signing-grub-with-an-appended-signatu.patch index a863298..caab8d5 100644 --- a/SOURCES/0179-Add-suport-for-signing-grub-with-an-appended-signatu.patch +++ b/SOURCES/0179-Add-suport-for-signing-grub-with-an-appended-signatu.patch @@ -44,12 +44,12 @@ I will be proposing this for inclusion in a future Power Architecture Platform Reference (PAPR). --- util/grub-install-common.c | 18 ++++++++++++++++-- - util/grub-mkimage.c | 16 ++++++++++++++-- + util/grub-mkimage.c | 15 +++++++++++++-- util/grub-mkimagexx.c | 39 ++++++++++++++++++++++++++++++++++++++- util/mkimage.c | 13 +++++++------ include/grub/util/install.h | 8 ++++++-- include/grub/util/mkimage.h | 4 ++-- - 6 files changed, 83 insertions(+), 15 deletions(-) + 6 files changed, 82 insertions(+), 15 deletions(-) diff --git a/util/grub-install-common.c b/util/grub-install-common.c index 4e212e690c5..aab2a941f85 100644 @@ -106,14 +106,14 @@ index 4e212e690c5..aab2a941f85 100644 while (dc--) grub_install_pop_module (); diff --git a/util/grub-mkimage.c b/util/grub-mkimage.c -index c0d55993702..26d1ecbf74e 100644 +index c0d55993702..8a53310548b 100644 --- a/util/grub-mkimage.c +++ b/util/grub-mkimage.c @@ -84,6 +84,7 @@ static struct argp_option options[] = { {"sbat", 's', N_("FILE"), 0, N_("SBAT metadata"), 0}, {"disable-shim-lock", GRUB_INSTALL_OPTIONS_DISABLE_SHIM_LOCK, 0, 0, N_("disable shim_lock verifier"), 0}, {"verbose", 'v', 0, 0, N_("print verbose messages."), 0}, -+ {"appended-signature-size", 's', N_("SIZE"), 0, N_("Add a note segment reserving SIZE bytes for an appended signature"), 0}, ++ {"appended-signature-size", 'S', N_("SIZE"), 0, N_("Add a note segment reserving SIZE bytes for an appended signature"), 0}, { 0, 0, 0, 0, 0, 0 } }; 
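Review bot: The new short key `'S'` for `--appended-signature-size` differs from the `'s'` of `--sbat` only by case, and the parser `case` that has to match it is not part of this hunk. Please confirm that the argp parser's switch handles `'S'` and that `'s'` still reaches only the SBAT branch, since a mismatch would either drop the reserved size or hand it to the SBAT path without any diagnostic. A long-only key, in the style of `GRUB_INSTALL_OPTIONS_DISABLE_SHIM_LOCK` two entries above, would avoid the near-collision altogether. The `options[]` array starts outside the hunk.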
@@ -147,14 +147,13 @@ index c0d55993702..26d1ecbf74e 100644 case 'm': if (arguments->memdisk) free (arguments->memdisk); -@@ -324,8 +334,10 @@ main (int argc, char *argv[]) +@@ -324,8 +334,9 @@ main (int argc, char *argv[]) arguments.memdisk, arguments.pubkeys, arguments.npubkeys, arguments.config, arguments.image_target, arguments.note, - arguments.comp, arguments.dtb, - arguments.sbat, arguments.disable_shim_lock); -+ -+ arguments.comp, arguments.appsig_size, ++ arguments.appsig_size, arguments.comp, + arguments.dtb, arguments.sbat, + arguments.disable_shim_lock); diff --git a/SOURCES/0191-grub-install-support-embedding-x509-certificates.patch b/SOURCES/0191-grub-install-support-embedding-x509-certificates.patch index 04722ad..bd02e6d 100644 --- a/SOURCES/0191-grub-install-support-embedding-x509-certificates.patch +++ b/SOURCES/0191-grub-install-support-embedding-x509-certificates.patch @@ -94,7 +94,7 @@ index aab2a941f85..422f82362c7 100644 disable_shim_lock); while (dc--) diff --git a/util/grub-mkimage.c b/util/grub-mkimage.c -index 26d1ecbf74e..c5cdda498eb 100644 +index 8a53310548b..e1f1112784a 100644 --- a/util/grub-mkimage.c +++ b/util/grub-mkimage.c @@ -75,7 +75,8 @@ static struct argp_option options[] = { @@ -138,8 +138,8 @@ index 26d1ecbf74e..c5cdda498eb 100644 + arguments.npubkeys, arguments.x509keys, + arguments.nx509keys, arguments.config, arguments.image_target, arguments.note, - - arguments.comp, arguments.appsig_size, + arguments.appsig_size, arguments.comp, + arguments.dtb, arguments.sbat, diff --git a/util/mkimage.c b/util/mkimage.c index bab12276010..8319e8dfbde 100644 --- a/util/mkimage.c diff --git a/SOURCES/0222-Print-module-name-on-license-check-failure.patch b/SOURCES/0222-Print-module-name-on-license-check-failure.patch new file mode 100644 index 0000000..c4b9a13 --- /dev/null +++ b/SOURCES/0222-Print-module-name-on-license-check-failure.patch 
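Review bot: The reordered arguments in the `main` call (`arguments.appsig_size, arguments.comp`) are matched to the callee by position only, and the prototype they have to agree with is not visible in this hunk. If both parameters are integer-typed, which looks likely for a size and a compression selector but cannot be confirmed from here, a swap in either direction compiles cleanly and the note segment reserved for the appended signature would be sized from the wrong value. Please check the order against the declaration in `include/grub/util/install.h` and the sibling call in `util/grub-install-common.c`; the same pair recurs in the 0191 hunk further down this line. A comment at the call site such as `/* order: note, appsig_size, comp: must match install.h */` would make a future rebase slip visible. The call expression begins and ends outside the hunk.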
@@ -0,0 +1,48 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood
+Date: Tue, 12 Oct 2021 12:34:23 -0400
+Subject: [PATCH] Print module name on license check failure
+
+At the very least, this will make it easier to track down the problem
+module - or, if something else has gone wrong, provide more information
+for debugging.
+
+Signed-off-by: Robbie Harwood
+---
+ grub-core/kern/dl.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/kern/dl.c b/grub-core/kern/dl.c
+index 9557254035e..f3044945742 100644
+--- a/grub-core/kern/dl.c
++++ b/grub-core/kern/dl.c
+@@ -528,14 +528,16 @@ grub_dl_find_section_index (Elf_Ehdr *e, const char *name)
+ Be sure to understand your license obligations.
+ */
+ static grub_err_t
+-grub_dl_check_license (Elf_Ehdr *e)
++grub_dl_check_license (grub_dl_t mod, Elf_Ehdr *e)
+ {
+ Elf_Shdr *s = grub_dl_find_section (e, ".module_license");
+ if (s && (grub_strcmp ((char *) e + s->sh_offset, "LICENSE=GPLv3") == 0
+ || grub_strcmp ((char *) e + s->sh_offset, "LICENSE=GPLv3+") == 0
+ || grub_strcmp ((char *) e + s->sh_offset, "LICENSE=GPLv2+") == 0))
+ return GRUB_ERR_NONE;
+- return grub_error (GRUB_ERR_BAD_MODULE, "incompatible license");
++ return grub_error (GRUB_ERR_BAD_MODULE,
++ "incompatible license in module %s: %s", mod->name,
++ (char *) e + s->sh_offset);
+ }
+
+ static grub_err_t
+@@ -743,8 +745,8 @@ grub_dl_load_core_noinit (void *addr, grub_size_t size)
+ constitutes linking) and GRUB core being licensed under GPLv3+.
+ Be sure to understand your license obligations.
+ */
+- if (grub_dl_check_license (e)
+- || grub_dl_resolve_name (mod, e)
++ if (grub_dl_resolve_name (mod, e)
++ || grub_dl_check_license (mod, e)
+ || grub_dl_resolve_dependencies (mod, e)
+ || grub_dl_load_segments (mod, e)
+ || grub_dl_resolve_symbols (mod, e)
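Review bot: The new error path in `grub_dl_check_license` dereferences `s` even when `grub_dl_find_section` returned NULL, because the `if (s && ...)` guard falls through to `(char *) e + s->sh_offset` for a module that has no `.module_license` section. This code runs on a module image before it is accepted, so a missing section should yield the error rather than a NULL read; handle it first with `if (s == NULL) return grub_error (GRUB_ERR_BAD_MODULE, "no license section in module %s", mod->name);`. The message also now echoes bytes taken from the module through `%s`, which relies on the section content being NUL-terminated, and nothing visible here checks that. Moving the check after `grub_dl_resolve_name` in the second hunk is what makes `mod->name` available; `grub_dl_load_core_noinit` continues outside that hunk.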
diff --git a/SOURCES/0223-powerpc-ieee1275-load-grub-at-4MB-not-2MB.patch b/SOURCES/0223-powerpc-ieee1275-load-grub-at-4MB-not-2MB.patch
new file mode 100644
index 0000000..a80727e
--- /dev/null
+++ b/SOURCES/0223-powerpc-ieee1275-load-grub-at-4MB-not-2MB.patch
@@ -0,0 +1,106 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Fri, 22 Oct 2021 09:53:15 +1100 +Subject: [PATCH] powerpc-ieee1275: load grub at 4MB, not 2MB + +This was first reported under PFW but reproduces under SLOF. + + - The core.elf was 2126152 = 0x207148 bytes in size with the following + program headers (per readelf): + +Entry point 0x200000 +There are 4 program headers, starting at offset 52 + +Program Headers: + Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align + LOAD 0x000160 0x00200000 0x00200000 0x21f98 0x2971c RWE 0x8 + GNU_STACK 0x0220f8 0x00000000 0x00000000 0x00000 0x00000 RWE 0x4 + LOAD 0x0220f8 0x00232000 0x00232000 0x1e4e50 0x1e4e50 RWE 0x4 + NOTE 0x206f48 0x00000000 0x00000000 0x00200 0x00000 R 0x4 + + - SLOF places the ELF file at 0x4000 (after the reserved space for + interrupt handlers etc.) upwards. The image was 2126152 = 0x207148 + bytes in size, so it runs from 0x4000 - 0x20b148. We'll call 0x4000 the + load address. + +0x0 0x4000 0x20b148 + |----------|--------------| + | reserved | ELF contents | + + - SLOF then copies the first LOAD program header (for .text). That runs + for 0x21f98 bytes. It runs from + (load addr + 0x160) to (load addr + 0x160 + 0x21f98) + = 0x4160 to 0x260f8 + and we copy it to 0x200000 to 0x221f98. This overwrites the end of the + image: + +0x0 0x4000 0x200000 0x221f98 + |----------|------------|---------------| + | reserved | ELF cont.. | .text section | + + - SLOF zeros the bss up to PhysAddr + MemSize = 0x22971c + +0x0 0x4000 0x200000 0x221f98 0x22971c + |----------|------------|---------------|--------| + | reserved | ELF cont.. | .text section | bss 0s | + + - SLOF then goes to fulfil the next LOAD header (for mods), which is + for 0x1e4e50 bytes. 
We copy from + (load addr + 0x220f8) to (load addr + 0x220f8 + 0x1e4e50) + = 0x260f8 to 0x20af48 + and we copy it to 0x232000 to 0x416e50: + +0x0 0x4000 0x200000 0x221f98 0x22971c + |----------|------------|---------------|--------| + | reserved | ELF cont.. | .text section | bss 0s | + |-------------| + | copied area | + 0x260f8 0x20af48 + + This goes poorly: + +0x0 0x4000 0x200000 0x221f98 0x22971c 0x232000 0x40bf08 0x416e50 + |----------|------------|---------------|--------|-----|-----------|-------------| + | reserved | ELF cont.. | .text section | bss 0s | pad | some mods | .text start | + +This matches the observations on the running system - 0x40bf08 was where +the contents of memory no longer matched the contents of the ELF file. + +This was reported as a license verification failure on SLOF as the +last module's .module_license section fell past where the corruption +began. + +Signed-off-by: Daniel Axtens +[rharwood@redhat.com: trim very detailed commit message] +Signed-off-by: Robbie Harwood +--- + grub-core/Makefile.core.def | 2 +- + include/grub/offsets.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def +index 3f3459b2c70..6b00eb55575 100644 +--- a/grub-core/Makefile.core.def ++++ b/grub-core/Makefile.core.def +@@ -89,7 +89,7 @@ kernel = { + i386_xen_pvh_ldflags = '$(TARGET_IMG_BASE_LDOPT),0x100000'; + + mips_loongson_ldflags = '-Wl,-Ttext,0x80200000'; +- powerpc_ieee1275_ldflags = '-Wl,-Ttext,0x200000'; ++ powerpc_ieee1275_ldflags = '-Wl,-Ttext,0x400000'; + sparc64_ieee1275_ldflags = '-Wl,-Ttext,0x4400'; + mips_arc_ldflags = '-Wl,-Ttext,$(TARGET_LINK_ADDR)'; + mips_qemu_mips_ldflags = '-Wl,-Ttext,0x80200000'; +diff --git a/include/grub/offsets.h b/include/grub/offsets.h +index 871e1cd4c38..69211aa798b 100644 +--- a/include/grub/offsets.h ++++ b/include/grub/offsets.h +@@ -63,7 +63,7 @@ + #define GRUB_KERNEL_SPARC64_IEEE1275_LINK_ADDR 0x4400 + + #define 
GRUB_KERNEL_POWERPC_IEEE1275_LINK_ALIGN 4 +-#define GRUB_KERNEL_POWERPC_IEEE1275_LINK_ADDR 0x200000 ++#define GRUB_KERNEL_POWERPC_IEEE1275_LINK_ADDR 0x400000 + + #define GRUB_KERNEL_MIPS_LOONGSON_LINK_ADDR 0x80200000 + diff --git a/SOURCES/grub.macros b/SOURCES/grub.macros index 6169745..5863037 100644 --- a/SOURCES/grub.macros +++ b/SOURCES/grub.macros @@ -391,8 +391,8 @@ rm -f %{1}.conf \ %{expand:%%{pesign -s -i %%{2}.orig -o %%{2}.onesig -a %%{5} -c %%{6} -n %%{7}}} \ %{expand:%%{pesign -s -i %%{3}.orig -o %%{3}.onesig -a %%{5} -c %%{6} -n %%{7}}} \ %{expand:%%define __pesign_client_cert %{name}-signer} \ -%{expand:%%{pesign -s -i %%{2}.onesig -o %%{2} -a %%{8} -c %%{9} -n %%{10}}} \ -%{expand:%%{pesign -s -i %%{3}.onesig -o %%{3} -a %%{8} -c %%{9} -n %%{10}}} \ +%{expand:%%{pesign -s -i %%{2}.onesig -o %%{2} -a %%{5} -c %%{6} -n %%{7}}} \ +%{expand:%%{pesign -s -i %%{3}.onesig -o %%{3} -a %%{5} -c %%{6} -n %%{7}}} \ %{nil} %else %define mkimage() \ @@ -419,14 +419,14 @@ GRUB_MODULES=" all_video boot blscfg btrfs \\\ search_label serial sleep syslinuxcfg test tftp \\\ version video xfs zstd " \ GRUB_MODULES+=%{efi_modules} \ -%{expand:%%{mkimage %{1} %{2} %{3} %{4} %{5} %{6} %{7} %{8} %{9} %{10}}} \ +%{expand:%%{mkimage %{1} %{2} %{3} %{4}}} \ %{nil} %define do_primary_efi_build() \ cd grub-%{1}-%{tarversion} \ %{expand:%%do_efi_configure %%{4} %%{5} %%{6}} \ %do_efi_build_all \ -%{expand:%%do_efi_build_images %{grub_target_name} %{2} %{3} ./ %{7} %{8} %{9} %{10} %{11} %{12}} \ +%{expand:%%do_efi_build_images %{grub_target_name} %{2} %{3} ./ } \ cd .. \ %{nil} 
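Review bot: The link address is now hard-coded as `0x400000` in two separate places, `powerpc_ieee1275_ldflags` in `grub-core/Makefile.core.def` and `GRUB_KERNEL_POWERPC_IEEE1275_LINK_ADDR` in `include/grub/offsets.h`, with nothing tying them together or recording why 4MB was chosen. By the commit message's own analysis the overlap returns as soon as the ELF file placed at 0x4000 reaches the link address, so this raises the limit rather than removing it, and the failure mode is silent corruption of module contents that only surfaced as a license check error. I would add a comment above the define, `/* Must stay above the firmware load address (0x4000 on SLOF) plus the core.elf size; keep in sync with powerpc_ieee1275_ldflags in Makefile.core.def. */`, and consider rejecting oversized images at image-build time. Neither hunk shows such a check.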
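Review bot: The second `pesign` pass in the `@@ -391` hunk now passes the same `-a %%{5} -c %%{6} -n %%{7}` as the first, while the callers rewritten in the `@@ -419` and `@@ -435` hunks supply only four arguments (`%{mkimage %{1} %{2} %{3} %{4}}`), so positions 5 to 7 are no longer provided by anything shown here. What `pesign` then receives depends on how the `%pesign` macro treats missing values, which this diff does not show; the result could be an unsigned image or one signed with whatever default the build host has. The CA and certificate sources are also dropped from `SPECS/grub2.spec`, so the package no longer records which key the EFI binaries are meant to chain to. I would either remove the now meaningless `-a/-c/-n` arguments and the duplicate pass, or add a post-build step that fails when the output does not carry the expected signature, for example by inspecting it with `pesign -S -i %%{2}`. The macro bodies begin and end outside these hunks.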
@@ -435,7 +435,7 @@ cd grub-%{1}-%{tarversion} \ %{expand:%%do_efi_configure %%{4} %%{5} %%{6}} \ %do_efi_build_modules \ %{expand:%%do_efi_link_utils %{grubefiarch}} \ -%{expand:%%do_efi_build_images %{alt_grub_target_name} %{2} %{3} ../grub-%{grubefiarch}-%{tarversion}/ %{7} %{8} %{9} %{10} %{11} %{12}} \ +%{expand:%%do_efi_build_images %{alt_grub_target_name} %{2} %{3} ../grub-%{grubefiarch}-%{tarversion}/ } \ cd .. \ %{nil} diff --git a/SOURCES/grub.patches b/SOURCES/grub.patches index f474e1f..0d1e9c7 100644 --- a/SOURCES/grub.patches +++ b/SOURCES/grub.patches @@ -219,3 +219,5 @@ Patch0218: 0218-powerpc-adjust-setting-of-prefix-for-signed-binary-c.patch Patch0219: 0219-powerpc-fix-prefix-signed-grub-special-case-for-Powe.patch Patch0220: 0220-Arm-check-for-the-PE-magic-for-the-compiled-arch.patch Patch0221: 0221-fs-xfs-Fix-unreadable-filesystem-with-v4-superblock.patch +Patch0222: 0222-Print-module-name-on-license-check-failure.patch +Patch0223: 0223-powerpc-ieee1275-load-grub-at-4MB-not-2MB.patch diff --git a/SOURCES/redhatsecureboot301.cer b/SOURCES/redhatsecureboot301.cer deleted file mode 100644 index 4ff8b79..0000000 Binary files a/SOURCES/redhatsecureboot301.cer and /dev/null differ diff --git a/SOURCES/redhatsecureboot502.cer b/SOURCES/redhatsecureboot502.cer deleted file mode 100644 index be0b5e2..0000000 Binary files a/SOURCES/redhatsecureboot502.cer and /dev/null differ diff --git a/SOURCES/redhatsecurebootca3.cer b/SOURCES/redhatsecurebootca3.cer deleted file mode 100644 index b235400..0000000 Binary files a/SOURCES/redhatsecurebootca3.cer and /dev/null differ diff --git a/SOURCES/redhatsecurebootca5.cer b/SOURCES/redhatsecurebootca5.cer deleted file mode 100644 index dfb0284..0000000 Binary files a/SOURCES/redhatsecurebootca5.cer and /dev/null differ diff --git a/SPECS/grub2.spec b/SPECS/grub2.spec index a3301b1..4ad3926 100644 --- a/SPECS/grub2.spec +++ b/SPECS/grub2.spec 
@@ -14,7 +14,7 @@ Name: grub2 Epoch: 1 Version: 2.06 -Release: 6%{?dist} +Release: 13%{?dist} Summary: Bootloader with support for Linux, Multiboot and more License: GPLv3+ URL: http://www.gnu.org/software/grub/ @@ -32,10 +32,6 @@ Source9: strtoull_test.c Source10: 20-grub.install Source11: grub.patches Source12: sbat.csv.in -Source13: redhatsecurebootca3.cer -Source14: redhatsecureboot301.cer -Source15: redhatsecurebootca5.cer -Source16: redhatsecureboot502.cer %include %{SOURCE1} @@ -196,10 +192,10 @@ git commit -m "After making subdirs" %build %if 0%{with_efi_arch} -%{expand:%do_primary_efi_build %%{grubefiarch} %%{grubefiname} %%{grubeficdname} %%{_target_platform} %%{efi_target_cflags} %%{efi_host_cflags} %{SOURCE13} %{SOURCE14} redhatsecureboot301 %{SOURCE15} %{SOURCE16} redhatsecureboot502} +%{expand:%do_primary_efi_build %%{grubefiarch} %%{grubefiname} %%{grubeficdname} %%{_target_platform} %%{efi_target_cflags} %%{efi_host_cflags}} %endif %if 0%{with_alt_efi_arch} -%{expand:%do_alt_efi_build %%{grubaltefiarch} %%{grubaltefiname} %%{grubalteficdname} %%{_alt_target_platform} %%{alt_efi_target_cflags} %%{alt_efi_host_cflags} %{SOURCE13} %{SOURCE14} redhatsecureboot301 %{SOURCE15} %{SOURCE16} redhatsecureboot502} +%{expand:%do_alt_efi_build %%{grubaltefiarch} %%{grubaltefiname} %%{grubalteficdname} %%{_alt_target_platform} %%{alt_efi_target_cflags} %%{alt_efi_host_cflags}} %endif %if 0%{with_legacy_arch} %{expand:%do_legacy_build %%{grublegacyarch}} 
@@ -527,25 +523,21 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg %endif %changelog -* Tue Oct 05 2021 Robbie Harwood - 2.06-6 -- Fix booting with XFSv4 partitions - Resolves: rhbz#2006993 +* Fri Nov 19 2021 Robbie Harwood - 2.06-13 +- Rebuild for gating; no code changes +- Resolves: rhbz#2006784 -* Thu Sep 30 2021 Peter Jones - 2.06-5 -- Rebuild for correct signatures once more. - Resolves: rhbz#1976771 - -* Thu Sep 30 2021 Peter Jones - 2.06-4 -- Rebuild for correct signatures - Resolves: rhbz#1976771 +* Tue Oct 26 2021 Robbie Harwood - 2.06-12 +- Sync with beta changes (version jump because our process is bad) + Resolves: rhbz#2006784 * Mon Sep 27 2021 Robbie Harwood - 2.06-3 - Rebuild for gating + rpminspect - Resolves: rhbz#1976771 + Resolves: rhbz#2006784 * Wed Sep 22 2021 Robbie Harwood - 2.06-2 - Rebuild because our CI infrastructure doesn't work right - Resolves: rhbz#1976771 + Resolves: rhbz#2006784 * Tue Aug 31 2021 Javier Martinez Canillas - 2.06-1 - Update to 2.06 final release and ton of fixes