rpms/grub2
7
0
Fork 0
Code Issues Pull Requests Releases Activity

New package grub2-efi-x64-cc for confidential computing workloads

Browse Source 
Resolves: #RHEL-127909

Signed-off-by: Leo Sandoval <lsandova@redhat.com>
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
This commit is contained in:
Leo Sandoval 2026-03-27 12:55:55 -06:00 committed by Nicolas Frayer
parent 8823254f32
commit 8152db0a79
10 changed files with 486 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
0430-term-serial.c-default-efi0-as-serial-port-if-present.patch Normal file
View File

@ -0,0 +1,61 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Leo Sandoval <lsandova@redhat.com>
Date: Fri, 6 Feb 2026 14:28:08 -0600
Subject: [PATCH] term/serial.c: default efi0 as 'serial' port if present
Currently the port 'com0' is the default which ultimately is register
as the 'serial' port. The following change follows the same logic but
prioritizes the 'efi0' before 'com0', effectively becoming the
'serial' port in case the former is present.
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
---
grub-core/term/serial.c | 11 ++++++++++-
include/grub/serial.h | 1 +
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/grub-core/term/serial.c b/grub-core/term/serial.c
index 8260dcb7a8..fe85010532 100644
--- a/grub-core/term/serial.c
+++ b/grub-core/term/serial.c
@@ -213,10 +213,15 @@ grub_serial_find (const char *name)
#if (defined(__i386__) || defined(__x86_64__)) && !defined(GRUB_MACHINE_IEEE1275) && !defined(GRUB_MACHINE_QEMU)
if (grub_strcmp (name, "auto") == 0)
{
- /* Look for an SPCR if any. If not, default to com0. */
+ /* Look for an SPCR if any. If not, default to efi0 or com0, in that order. */
port = grub_ns8250_spcr_init ();
if (port != NULL)
return port;
+
+ FOR_SERIAL_PORTS (port)
+ if (grub_strcmp (port->name, "efi0") == 0)
+ return port;
+
FOR_SERIAL_PORTS (port)
if (grub_strcmp (port->name, "com0") == 0)
return port;
@@ -350,7 +355,11 @@ grub_cmd_serial (grub_extcmd_context_t ctxt, int argc, char **args)
#if !defined (GRUB_MACHINE_EMU) && !defined(GRUB_MACHINE_ARC) && (defined(__mips__) || defined (__i386__) || defined (__x86_64__))
/* Compatibility kludge. */
+#ifdef GRUB_MACHINE_EFI
+ if (port->driver == &grub_efiserial_driver)
+#else
if (port->driver == &grub_ns8250_driver)
+#endif
{
if (!registered)
{
diff --git a/include/grub/serial.h b/include/grub/serial.h
index d7e0635788..19cecd3161 100644
--- a/include/grub/serial.h
+++ b/include/grub/serial.h
@@ -216,6 +216,7 @@ extern void grub_pciserial_init (void);
struct grub_serial_port *grub_serial_find (const char *name);
extern struct grub_serial_driver grub_ns8250_driver;
+extern struct grub_serial_driver grub_efiserial_driver;
void EXPORT_FUNC(grub_serial_unregister_driver) (struct grub_serial_driver *driver);
#ifndef GRUB_MACHINE_EMU

56
0431-commands-tpm.c-include-PCR-check-enable-disable-func.patch Normal file
View File

@ -0,0 +1,56 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Leo Sandoval <lsandova@redhat.com>
Date: Mon, 23 Feb 2026 16:20:19 -0600
Subject: [PATCH] commands/tpm.c: include PCR check/enable/disable functions
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
---
grub-core/commands/tpm.c | 21 +++++++++++++++++++++
include/grub/tpm.h | 4 ++++
2 files changed, 25 insertions(+)
diff --git a/grub-core/commands/tpm.c b/grub-core/commands/tpm.c
index 324423ef86..b3ddbe5d3a 100644
--- a/grub-core/commands/tpm.c
+++ b/grub-core/commands/tpm.c
@@ -29,6 +29,27 @@
GRUB_MOD_LICENSE ("GPLv3+");
+/* By default, enable all PCR's */
+static grub_uint32_t pcr_mask = 0xffffffff;
+
+inline bool
+grub_tpm_pcr_is_enabled (grub_uint8_t pcr)
+{
+ return pcr_mask & ( 1 << pcr );
+}
+
+inline void
+grub_tpm_enable_pcr (grub_uint8_t pcr)
+{
+ pcr_mask |= ( 1 << pcr );
+}
+
+inline void
+grub_tpm_disable_pcr (grub_uint8_t pcr)
+{
+ pcr_mask &= ~( 1 << pcr );
+}
+
static grub_err_t
grub_tpm_verify_init (grub_file_t io,
enum grub_file_type type __attribute__ ((unused)),
diff --git a/include/grub/tpm.h b/include/grub/tpm.h
index d09783dacc..d02f0f3c22 100644
--- a/include/grub/tpm.h
+++ b/include/grub/tpm.h
@@ -46,4 +46,8 @@ grub_is_tpm_fail_fatal (void)
return grub_env_get_bool ("tpm_fail_fatal", false);
}
+bool EXPORT_FUNC(grub_tpm_pcr_is_enabled) (grub_uint8_t pcr);
+void EXPORT_FUNC(grub_tpm_enable_pcr) (grub_uint8_t pcr);
+void EXPORT_FUNC(grub_tpm_disable_pcr) (grub_uint8_t pcr);
+
#endif

26
0432-commands-efi-tpm.c-check-if-PCR-is-enable-before-TPM.patch Normal file
View File

@ -0,0 +1,26 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Leo Sandoval <lsandova@redhat.com>
Date: Mon, 23 Feb 2026 17:28:10 -0600
Subject: [PATCH] commands/efi/tpm.c: check if PCR is enable before TPM measure
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
---
grub-core/commands/efi/tpm.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/grub-core/commands/efi/tpm.c b/grub-core/commands/efi/tpm.c
index f250c30dbc..cfddeb8719 100644
--- a/grub-core/commands/efi/tpm.c
+++ b/grub-core/commands/efi/tpm.c
@@ -273,6 +273,11 @@ grub_tpm_measure (unsigned char *buf, grub_size_t size, grub_uint8_t pcr,
grub_efi_handle_t tpm_handle;
grub_efi_uint8_t protocol_version;
+ grub_dprintf ("tpm", "PCR %d %s\n", pcr, grub_tpm_pcr_is_enabled (pcr) ? "enabled" : "disabled");
+
+ if (!grub_tpm_pcr_is_enabled (pcr))
+ return GRUB_ERR_NONE;
+
grub_cc_log_event(buf, size, pcr, description);
if (!grub_tpm_handle_find (&tpm_handle, &protocol_version))

73
0433-tpm.c-disable-PCR8-measurements-at-the-configuration.patch Normal file
View File

@ -0,0 +1,73 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Leo Sandoval <lsandova@redhat.com>
Date: Tue, 24 Feb 2026 10:43:20 -0600
Subject: [PATCH] tpm.c: disable PCR8 measurements at the configuration step
At the configuration step, we can disable PCR8 measurements through
the configure parameter `--with-pcr8-disabled=yes`.
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
---
config.h.in | 1 +
configure.ac | 12 ++++++++++++
grub-core/commands/tpm.c | 5 +++++
3 files changed, 18 insertions(+)
diff --git a/config.h.in b/config.h.in
index 39f4e5472c..54a29a1719 100644
--- a/config.h.in
+++ b/config.h.in
@@ -17,6 +17,7 @@
#define DISK_CACHE_STATS @DISK_CACHE_STATS@
#define BOOT_TIME_STATS @BOOT_TIME_STATS@
#define DEBUG_WITH_TIMESTAMPS @DEBUG_WITH_TIMESTAMPS@
+#define DISABLE_PCR8 @DISABLE_PCR8@
/* We don't need those. */
#define MINILZO_CFG_SKIP_LZO_PTR 1
diff --git a/configure.ac b/configure.ac
index a6a6957fbd..b37914440a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1699,6 +1699,17 @@ else
fi
AC_SUBST([DEBUG_WITH_TIMESTAMPS])
+AC_ARG_WITH([pcr8-disabled],
+ AS_HELP_STRING([--with-pcr8-disabled],
+ [disable PCR8 measurements]))
+
+if test x$with_pcr8_disabled = xyes; then
+ DISABLE_PCR8=1
+else
+ DISABLE_PCR8=0
+fi
+AC_SUBST([DISABLE_PCR8])
+
AC_ARG_ENABLE([grub-emu-sdl2],
[AS_HELP_STRING([--enable-grub-emu-sdl2],
[build and install the `grub-emu' debugging utility with SDL2 support (default=guessed)])])
@@ -2310,6 +2321,7 @@ AM_CONDITIONAL([COND_ENABLE_EFIEMU], [test x$enable_efiemu = xyes])
AM_CONDITIONAL([COND_ENABLE_CACHE_STATS], [test x$DISK_CACHE_STATS = x1])
AM_CONDITIONAL([COND_ENABLE_BOOT_TIME_STATS], [test x$BOOT_TIME_STATS = x1])
AM_CONDITIONAL([COND_DEBUG_WITH_TIMESTAMPS], [test x$DEBUG_WITH_TIMESTAMPS = x1])
+AM_CONDITIONAL([COND_DISABLE_PCR8], [test x$DISABLE_PCR8 = x1])
AM_CONDITIONAL([COND_HAVE_CXX], [test x$HAVE_CXX = xyes])
diff --git a/grub-core/commands/tpm.c b/grub-core/commands/tpm.c
index b3ddbe5d3a..6e9480568c 100644
--- a/grub-core/commands/tpm.c
+++ b/grub-core/commands/tpm.c
@@ -57,6 +57,11 @@ grub_tpm_verify_init (grub_file_t io,
{
*context = io->name;
*flags |= GRUB_VERIFY_FLAGS_SINGLE_CHUNK;
+
+#if DISABLE_PCR8
+ grub_tpm_disable_pcr (GRUB_STRING_PCR);
+#endif
+
return GRUB_ERR_NONE;
}

112
0434-Add-support-for-efi-keyword.patch Normal file
View File

@ -0,0 +1,112 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Marta Lewandowska <mlewando@redhat.com>
Date: Fri, 27 Mar 2026 11:15:27 +0100
Subject: [PATCH] Add support for the efi keyword
Add support for UKIs using the efi keyword in BLS snippets.
Signed-off-by: Marta Lewandowska <mlewando@redhat.com>
---
grub-core/commands/blscfg.c | 53 +++++++++++++++++++++++++++++++++++----------
1 file changed, 42 insertions(+), 11 deletions(-)
diff --git a/grub-core/commands/blscfg.c b/grub-core/commands/blscfg.c
index 38913d696486..6fc621400a31 100644
--- a/grub-core/commands/blscfg.c
+++ b/grub-core/commands/blscfg.c
@@ -762,6 +762,7 @@ static void create_entry (struct bls_entry *entry)
char *title = NULL;
char *clinux = NULL;
+ char *cuki = NULL;
char *options = NULL;
char **initrds = NULL;
char *initrd = NULL;
@@ -785,10 +786,19 @@ static void create_entry (struct bls_entry *entry)
grub_dprintf("blscfg", "%s got here\n", __func__);
clinux = bls_get_val (entry, "linux", NULL);
- if (!clinux)
+ cuki = bls_get_val (entry, "efi", NULL);
+ if (!clinux && !cuki)
{
- grub_dprintf ("blscfg", "Skipping file %s with no 'linux' key.\n", entry->filename);
- goto finish;
+ if (!clinux)
+ {
+ grub_dprintf ("blscfg", "Skipping file %s with no 'linux' key.\n", entry->filename);
+ goto finish;
+ }
+ if (!cuki)
+ {
+ grub_dprintf ("blscfg", "Skipping file %s with no 'efi' key.\n", entry->filename);
+ goto finish;
+ }
}
/*
@@ -801,12 +811,6 @@ static void create_entry (struct bls_entry *entry)
if (dotconf)
dotconf[0] = '\0';
- title = bls_get_val (entry, "title", NULL);
- options = expand_val (bls_get_val (entry, "options", NULL));
-
- if (!options)
- options = expand_val (grub_env_get("default_kernelopts"));
-
initrds = bls_make_list (entry, "initrd", NULL);
devicetree = expand_val (bls_get_val (entry, "devicetree", NULL));
@@ -825,6 +829,22 @@ static void create_entry (struct bls_entry *entry)
argc += 1;
argv = grub_malloc ((argc + 1) * sizeof (char *));
argv[0] = title ? title : clinux;
+
+ title = bls_get_val (entry, "title", NULL);
+ if (clinux)
+ {
+ argv[0] = title ? title : clinux;
+ options = expand_val (bls_get_val (entry, "options", NULL));
+ if (!options)
+ options = expand_val (grub_env_get("default_kernelopts"));
+ }
+ if (cuki)
+ {
+ argv[0] = title ? title : cuki;
+ options = bls_get_val (entry, ".cmdline", NULL);
+ if (!options)
+ options = expand_val (bls_get_val (entry, "options", NULL));
+ }
for (i = 1; i < argc; i++)
argv[i] = args[i-1];
argv[argc] = NULL;
@@ -945,7 +965,9 @@ static void create_entry (struct bls_entry *entry)
const char *sdval = grub_env_get("save_default");
bool savedefault = ((NULL != sdval) && (grub_strcmp(sdval, "true") == 0));
- src = grub_xasprintf ("%sload_video\n"
+ if(clinux)
+ {
+ src = grub_xasprintf ("%sload_video\n"
"set gfxpayload=keep\n"
"insmod gzio\n"
"linux %s%s%s%s\n"
@@ -954,7 +976,16 @@ static void create_entry (struct bls_entry *entry)
separate_boot ? GRUB_BOOT_DEVICE : "",
clinux, options ? " " : "", options ? options : "",
initrd ? initrd : "", dt ? dt : "");
-
+ }
+ if(cuki)
+ {
+ src = grub_xasprintf ("%schainloader %s%s%s%s\n",
+ savedefault ? "savedefault\n" : "",
+ separate_boot ? GRUB_BOOT_DEVICE : "",
+ cuki,
+ (options != NULL) ? " " : "",
+ (options != NULL) ? options : "");
+ }
grub_normal_add_menu_entry (argc, argv, classes, id, users, hotkey, NULL, src, 0, &index, entry, NULL);
grub_dprintf ("blscfg", "Added entry %d id:\"%s\"\n", index, id);

2
grub-cc-prefix-embedded.cfg Normal file
View File

@ -0,0 +1,2 @@
set prefix='(memdisk)/grub2'
configfile $prefix/grub.cfg

2
grub-cc.cfg Normal file
View File

@ -0,0 +1,2 @@
set timeout=5
blscfg

129
grub-cc.macros Normal file
View File

@ -0,0 +1,129 @@
%global evr_cc %{epoch}:%{version}-%{release}
%global libdir_cc %{_exec_prefix}/lib
%global os_id_cc %(eval echo $(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/'))
%global grub_evr_dir_cc %{libdir_cc}/efi/grub2/%{evr_cc}
%global grub_efi_cc_dir %{grub_evr_dir_cc}/EFI/%{os_id_cc}/cc
%global grubeficcname grub%{efiarch}-cc.efi
%global grubeficccdname gcd%{efiarch}-cc.efi
%global grub_cc_modules " all_video boot blscfg blsuki \\\
cat configfile cryptodisk \\\
echo fat font \\\
gcry_rijndael gcry_rsa gcry_serpent \\\
gcry_sha256 gcry_twofish gcry_whirlpool \\\
gfxmenu gfxterm gzio \\\
halt increment \\\
loadenv loopback linux lvm luks \\\
luks2 \\\
memdisk \\\
minicmd \\\
normal part_msdos part_gpt \\\
password_pbkdf2 pgp reboot regexp \\\
search search_fs_uuid search_fs_file \\\
search_label serial sleep \\\
syslinuxcfg \\\
test version video zstd " \
%global efi_cc_modules " efi_netfs efifwsetup efinet lsefi lsefimmap connectefi bli "
%global cc_modules " backtrace chain tpm "
%define define_efi_cc_variant(o) \
%{expand:%%package %{1}-cc} \
Summary: GRUB for EFI systems. \
Requires: efi-filesystem \
Requires: grub2-common = %{evr} \
Requires: grub2-tools-minimal >= %{evr} \
Requires: grub2-tools = %{evr} \
Provides: grub2-efi-cc= %{evr} \
%{?legacy_provides:Provides: grub2 = %{evr}} \
%{-o:Obsoletes: grub2-efi < %{evr}} \
\
%{expand:%%description %{1}-cc} \
%{desc} \
This subpackage provides support for Confidential Computing %{1} systems. \
\
%{expand:%%{?!buildsubdir:%%define buildsubdir grub-%{1}-%{tarversion}-cc}}\
%define do_primary_efi_cc_build() \
cd grub-%{1}-%{tarversion}-cc \
%{expand:%%do_efi_cc_configure %%{4} %%{5} %%{6}} \
%do_efi_build_all \
%{expand:%%do_efi_cc_build_images %{grub_target_name} %{2} %{3} ./ %%{7} %%{8} %%{9}} \
cd .. \
%{nil}
%define do_efi_cc_configure() \
%configure \\\
%{cc_equals} \\\
HOST_CFLAGS="%{3}" \\\
HOST_CPPFLAGS="-I$(pwd)" \\\
HOST_LDFLAGS="%{efi_host_ldflags}" \\\
TARGET_CFLAGS="%{2}" \\\
TARGET_CPPFLAGS="-I$(pwd)" \\\
TARGET_LDFLAGS="%{efi_target_ldflags}" \\\
--with-rpm-version=%{version}-%{release} \\\
--with-platform=efi \\\
--with-utils=host \\\
--with-pcr8-disabled=yes \\\
--target=%{1} \\\
--with-grubdir=grub2 \\\
--program-transform-name=s,grub,grub2, \\\
--disable-werror || ( cat config.log ; exit 1 ) \
git add . \
git commit -m "After efi confidential computing configure" \
%{nil}
%define do_efi_cc_build_images() \
GRUB_MODULES+=%{grub_cc_modules} \
GRUB_MODULES+=%{efi_cc_modules} \
GRUB_MODULES+=%{cc_modules} \
%{expand:%%{efi_cc_mkimage %%{1} %%{2} %%{3} %%{4} %%{5} %%{6} %%{7}}} \
%{nil}
%define efi_cc_mkimage() \
mkdir -p memdisk/fonts memdisk/grub2 \
cp %{4}/unicode.pf2 memdisk/fonts \
cp %{SOURCE16} memdisk/grub2/grub.cfg \
mksquashfs memdisk memdisk.squashfs -comp lzo \
%{4}./grub-mkimage -O %{1} -o %{2}.orig \\\
-d grub-core \\\
--sbat %{4}./sbat.csv \\\
-m memdisk.squashfs \\\
-c '%{SOURCE17}' \\\
-p /EFI/%{efi_vendor} \\\
${GRUB_MODULES} \
%{4}./grub-mkimage -O %{1} -o %{3}.orig \\\
-d grub-core \\\
--sbat %{4}./sbat.csv \\\
-c '%{SOURCE17}' \\\
-m memdisk.squashfs \\\
-p /EFI/BOOT \\\
${GRUB_MODULES} \
%{expand:%%define ___pesign_client_cert %{?___pesign_client_cert}%{!?___pesign_client_cert:%{__pesign_client_cert}}} \
%{?__pesign_client_cert:%{expand:%%define __pesign_client_cert %{___pesign_client_cert}}} \
%{expand:%%{pesign -s -i %%{2}.orig -o %%{2} -a %%{5} -c %%{6} -n %%{7}}} \
%{expand:%%{pesign -s -i %%{3}.orig -o %%{3} -a %%{5} -c %%{6} -n %%{7}}} \
%{nil}
%{nil}
%define do_efi_cc_install() \
cd grub-%{1}-%{tarversion}-cc \
install -d -m 0700 ${RPM_BUILD_ROOT}%{grub_efi_cc_dir}/ \
install -m 700 %{2} $RPM_BUILD_ROOT%{grub_efi_cc_dir}/%{2} \
%{expand:%%do_install_protected_file grub2-%{package_arch}-cc} \
cd .. \
%{nil}
%define define_efi_cc_variant_files() \
%{expand:%%files %{1}-cc} \
%defattr(-,root,root,-) \
%dir %attr(0700,root,root) %{grub_efi_cc_dir} \
%attr(0700,root,root) %{grub_efi_cc_dir}/%{2} \
%attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/grub2-%{1}-cc.conf \
%{expand:%if 0%{?without_efi_modules} \
%exclude %{_libdir}/grub/%{6} \
%exclude %{_libdir}/grub/%{6}/* \
%endif} \

5
grub.patches
View File

@ -426,3 +426,8 @@ Patch0426: 0426-commands-search.c-check-possible-NULL-pointer-before.patch
Patch0427: 0427-util-grub-mkimagexx-Stop-generating-unaligned-append.patch
Patch0428: 0428-grub-mkimage-Do-not-generate-empty-SBAT-metadata.patch
Patch0429: 0429-kern-efi-mm-Change-grub_efi_mm_add_regions-to-keep-t.patch
Patch0430: 0430-term-serial.c-default-efi0-as-serial-port-if-present.patch
Patch0431: 0431-commands-tpm.c-include-PCR-check-enable-disable-func.patch
Patch0432: 0432-commands-efi-tpm.c-check-if-PCR-is-enable-before-TPM.patch
Patch0433: 0433-tpm.c-disable-PCR8-measurements-at-the-configuration.patch
Patch0434: 0434-Add-support-for-efi-keyword.patch

22
grub2.spec
View File

@ -17,7 +17,7 @@
Name: grub2
Epoch: 1
Version: 2.12
Release: 45%{?dist}
Release: 46%{?dist}
Summary: Bootloader with support for Linux, Multiboot and more
License: GPL-3.0-or-later
URL: http://www.gnu.org/software/grub/
@ -37,8 +37,12 @@ Source11: grub.patches
Source12: sbat.csv.in
Source13: gen_grub_cfgstub
Source14: sbat.ppc.csv
Source15: grub-cc.macros
Source16: grub-cc.cfg
Source17: grub-cc-prefix-embedded.cfg
%include %{SOURCE1}
%include %{SOURCE15}
%ifarch x86_64 aarch64
%define sb_ca %{_datadir}/pki/sb-certs/secureboot-ca-%{_arch}.cer
@ -178,6 +182,7 @@ This subpackage provides tools for support of all platforms.
%if 0%{with_efi_arch}
%{expand:%define_efi_variant %%{package_arch} -o}
%{expand:%define_efi_cc_variant %%{package_arch} -o}
%endif
%if 0%{with_alt_efi_arch}
%{expand:%define_efi_variant %%{alt_package_arch}}
@ -213,6 +218,12 @@ cp %{SOURCE4} grub-%{grubefiarch}-%{tarversion}/unifont.pcf.gz
sed -e "s,@@VERSION@@,%{version},g" -e "s,@@VERSION_RELEASE@@,%{version}-%{release},g" \
%{SOURCE12} > grub-%{grubefiarch}-%{tarversion}/sbat.csv
git add grub-%{grubefiarch}-%{tarversion}
mkdir grub-%{grubefiarch}-%{tarversion}-cc
grep -A100000 '# stuff "make" creates' .gitignore > grub-%{grubefiarch}-%{tarversion}-cc/.gitignore
cp %{SOURCE4} grub-%{grubefiarch}-%{tarversion}-cc/unifont.pcf.gz
sed -e "s,@@VERSION@@,%{version},g" -e "s,@@VERSION_RELEASE@@,%{version}-%{release},g" \
%{SOURCE12} > grub-%{grubefiarch}-%{tarversion}-cc/sbat.csv
git add grub-%{grubefiarch}-%{tarversion}-cc
%endif
%if 0%{with_alt_efi_arch}
mkdir grub-%{grubaltefiarch}-%{tarversion}
@ -237,6 +248,7 @@ git commit -m "After making subdirs"
%build
%if 0%{with_efi_arch}
%{expand:%do_primary_efi_build %%{grubefiarch} %%{grubefiname} %%{grubeficdname} %%{_target_platform} %%{efi_target_cflags} %%{efi_host_cflags} %{sb_ca} %{sb_cer} %{sb_key}}
%{expand:%do_primary_efi_cc_build %%{grubefiarch} %%{grubeficcname} %%{grubeficccdname} %%{_target_platform} %%{efi_target_cflags} %%{efi_host_cflags} %{sb_ca} %{sb_cer} %{sb_key}}
%endif
%if 0%{with_alt_efi_arch}
%{expand:%do_alt_efi_build %%{grubaltefiarch} %%{grubaltefiname} %%{grubalteficdname} %%{_alt_target_platform} %%{alt_efi_target_cflags} %%{alt_efi_host_cflags} %{sb_ca} %{sb_cer} %{sb_key}}
@ -266,6 +278,7 @@ rm -fr $RPM_BUILD_ROOT
%do_common_install
%if 0%{with_efi_arch}
%{expand:%do_efi_install %%{grubefiarch} %%{grubefiname} %%{grubeficdname}}
%{expand:%do_efi_cc_install %%{grubefiarch} %%{grubeficcname} %%{grubeficccdname}}
%endif
%if 0%{with_alt_efi_arch}
%{expand:%do_alt_efi_install %%{grubaltefiarch} %%{grubaltefiname} %%{grubalteficdname}}
@ -560,6 +573,7 @@ fi
%if 0%{with_efi_arch}
%{expand:%define_efi_variant_files %%{package_arch} %%{grubefiname} %%{grubeficdname} %%{grubefiarch} %%{target_cpu_name} %%{grub_target_name}}
%{expand:%define_efi_cc_variant_files %%{package_arch} %%{grubeficcname} %%{grubeficccdname} %%{grubefiarch} %%{target_cpu_name} %%{grub_target_name}}
%endif
%if 0%{with_alt_efi_arch}
%{expand:%define_efi_variant_files %%{alt_package_arch} %%{grubaltefiname} %%{grubalteficdname} %%{grubaltefiarch} %%{alt_target_cpu_name} %%{alt_grub_target_name}}
@ -579,7 +593,11 @@ fi
%endif
%changelog
* Tue Feb 10 2026 Marta Lewandowska <mlewando@redhat.com> - 2.12-45
* Fri Mar 27 2026 Leo Sandoval <lsandova@redhat.com> - 2.12-46
- New package grub2-efi-x64-cc for confidential computing workloads
- Resolves: #RHEL-127909
* Tue Mar 10 2026 Marta Lewandowska <mlewando@redhat.com> - 2.12-45
- Try to get gating tests running via fmf/tmt
- Resolves: #RHEL-147757