diff --git a/0430-term-serial.c-default-efi0-as-serial-port-if-present.patch b/0430-term-serial.c-default-efi0-as-serial-port-if-present.patch
new file mode 100644
index 0000000..0b9bc6d
--- /dev/null
+++ b/0430-term-serial.c-default-efi0-as-serial-port-if-present.patch
@@ -0,0 +1,61 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Leo Sandoval
+Date: Fri, 6 Feb 2026 14:28:08 -0600
+Subject: [PATCH] term/serial.c: default efi0 as 'serial' port if present
+
+Currently the port 'com0' is the default which ultimately is register
+as the 'serial' port. The following change follows the same logic but
+prioritizes the 'efi0' before 'com0', effectively becoming the
+'serial' port in case the former is present.
+
+Signed-off-by: Leo Sandoval
+---
+ grub-core/term/serial.c | 11 ++++++++++-
+ include/grub/serial.h | 1 +
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/term/serial.c b/grub-core/term/serial.c
+index 8260dcb7a8..fe85010532 100644
+--- a/grub-core/term/serial.c
++++ b/grub-core/term/serial.c
+@@ -213,10 +213,15 @@ grub_serial_find (const char *name)
+ #if (defined(__i386__) || defined(__x86_64__)) && !defined(GRUB_MACHINE_IEEE1275) && !defined(GRUB_MACHINE_QEMU)
+ if (grub_strcmp (name, "auto") == 0)
+ {
+- /* Look for an SPCR if any. If not, default to com0. */
++ /* Look for an SPCR if any. If not, default to efi0 or com0, in that order. */
+ port = grub_ns8250_spcr_init ();
+ if (port != NULL)
+ return port;
++
++ FOR_SERIAL_PORTS (port)
++ if (grub_strcmp (port->name, "efi0") == 0)
++ return port;
++
+ FOR_SERIAL_PORTS (port)
+ if (grub_strcmp (port->name, "com0") == 0)
+ return port;
+@@ -350,7 +355,11 @@ grub_cmd_serial (grub_extcmd_context_t ctxt, int argc, char **args)
+ #if !defined (GRUB_MACHINE_EMU) && !defined(GRUB_MACHINE_ARC) && (defined(__mips__) || defined (__i386__) || defined (__x86_64__))
+
+ /* Compatibility kludge. */
++#ifdef GRUB_MACHINE_EFI
++ if (port->driver == &grub_efiserial_driver)
++#else
+ if (port->driver == &grub_ns8250_driver)
++#endif
+ {
+ if (!registered)
+ {
+diff --git a/include/grub/serial.h b/include/grub/serial.h
+index d7e0635788..19cecd3161 100644
+--- a/include/grub/serial.h
++++ b/include/grub/serial.h
+@@ -216,6 +216,7 @@ extern void grub_pciserial_init (void);
+
+ struct grub_serial_port *grub_serial_find (const char *name);
+ extern struct grub_serial_driver grub_ns8250_driver;
++extern struct grub_serial_driver grub_efiserial_driver;
+ void EXPORT_FUNC(grub_serial_unregister_driver) (struct grub_serial_driver *driver);
+
+ #ifndef GRUB_MACHINE_EMU
diff --git a/0431-commands-tpm.c-include-PCR-check-enable-disable-func.patch b/0431-commands-tpm.c-include-PCR-check-enable-disable-func.patch
new file mode 100644
index 0000000..3c311d9
--- /dev/null
+++ b/0431-commands-tpm.c-include-PCR-check-enable-disable-func.patch
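Review bot: In the `grub_cmd_serial` hunk, the `#ifdef GRUB_MACHINE_EFI` swap makes the compatibility branch test only `&grub_efiserial_driver` on EFI builds, so a port that `grub_serial_find` resolved through `grub_ns8250_spcr_init ()` or the `com0` fallback would, as far as this hunk shows, no longer take that branch there. If the legacy handling is meant to apply to whichever port "auto" selects, accept both drivers on EFI, e.g. `if (port->driver == &grub_ns8250_driver || port->driver == &grub_efiserial_driver)` inside the `#ifdef`. The body of the branch continues outside the hunk, so what exactly changes for ns8250 ports should be confirmed against the full function. The new `efi0` lookup in `grub_serial_find` sits inside the x86-only `#if`, so the new default does not apply to other EFI architectures; a comment saying whether that is intended would help.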
@@ -0,0 +1,56 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Leo Sandoval
+Date: Mon, 23 Feb 2026 16:20:19 -0600
+Subject: [PATCH] commands/tpm.c: include PCR check/enable/disable functions
+
+Signed-off-by: Leo Sandoval
+---
+ grub-core/commands/tpm.c | 21 +++++++++++++++++++++
+ include/grub/tpm.h | 4 ++++
+ 2 files changed, 25 insertions(+)
+
+diff --git a/grub-core/commands/tpm.c b/grub-core/commands/tpm.c
+index 324423ef86..b3ddbe5d3a 100644
+--- a/grub-core/commands/tpm.c
++++ b/grub-core/commands/tpm.c
+@@ -29,6 +29,27 @@
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
++/* By default, enable all PCR's */
++static grub_uint32_t pcr_mask = 0xffffffff;
++
++inline bool
++grub_tpm_pcr_is_enabled (grub_uint8_t pcr)
++{
++ return pcr_mask & ( 1 << pcr );
++}
++
++inline void
++grub_tpm_enable_pcr (grub_uint8_t pcr)
++{
++ pcr_mask |= ( 1 << pcr );
++}
++
++inline void
++grub_tpm_disable_pcr (grub_uint8_t pcr)
++{
++ pcr_mask &= ~( 1 << pcr );
++}
++
+ static grub_err_t
+ grub_tpm_verify_init (grub_file_t io,
+ enum grub_file_type type __attribute__ ((unused)),
+diff --git a/include/grub/tpm.h b/include/grub/tpm.h
+index d09783dacc..d02f0f3c22 100644
+--- a/include/grub/tpm.h
++++ b/include/grub/tpm.h
+@@ -46,4 +46,8 @@ grub_is_tpm_fail_fatal (void)
+ return grub_env_get_bool ("tpm_fail_fatal", false);
+ }
+
++bool EXPORT_FUNC(grub_tpm_pcr_is_enabled) (grub_uint8_t pcr);
++void EXPORT_FUNC(grub_tpm_enable_pcr) (grub_uint8_t pcr);
++void EXPORT_FUNC(grub_tpm_disable_pcr) (grub_uint8_t pcr);
++
+ #endif
diff --git a/0432-commands-efi-tpm.c-check-if-PCR-is-enable-before-TPM.patch b/0432-commands-efi-tpm.c-check-if-PCR-is-enable-before-TPM.patch
new file mode 100644
index 0000000..741d5f9
--- /dev/null
+++ b/0432-commands-efi-tpm.c-check-if-PCR-is-enable-before-TPM.patch
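Review bot: The three helpers added to grub-core/commands/tpm.c shift with `1 << pcr` where `pcr` is a `grub_uint8_t`, so an index of 32 or more shifts past the width of the 32-bit `pcr_mask` (undefined behaviour), and `1 << 31` already overflows a signed int. Use an unsigned operand and bound the index, e.g. `if (pcr >= 32) return true;` at the top of `grub_tpm_pcr_is_enabled`, so that an out-of-range index is still measured rather than silently skipped, and `pcr_mask |= (grub_uint32_t) 1 << pcr;` behind the same bound in the two setters. The `inline` keyword on functions that include/grub/tpm.h declares with `EXPORT_FUNC` adds nothing and can be dropped. A comment on `pcr_mask` such as `/* Bit N set: measurements into PCR N are performed. All PCRs are enabled by default. */` would state the bit convention the callers rely on.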
@@ -0,0 +1,26 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Leo Sandoval
+Date: Mon, 23 Feb 2026 17:28:10 -0600
+Subject: [PATCH] commands/efi/tpm.c: check if PCR is enable before TPM measure
+
+Signed-off-by: Leo Sandoval
+---
+ grub-core/commands/efi/tpm.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/grub-core/commands/efi/tpm.c b/grub-core/commands/efi/tpm.c
+index f250c30dbc..cfddeb8719 100644
+--- a/grub-core/commands/efi/tpm.c
++++ b/grub-core/commands/efi/tpm.c
+@@ -273,6 +273,11 @@ grub_tpm_measure (unsigned char *buf, grub_size_t size, grub_uint8_t pcr,
+ grub_efi_handle_t tpm_handle;
+ grub_efi_uint8_t protocol_version;
+
++ grub_dprintf ("tpm", "PCR %d %s\n", pcr, grub_tpm_pcr_is_enabled (pcr) ? "enabled" : "disabled");
++
++ if (!grub_tpm_pcr_is_enabled (pcr))
++ return GRUB_ERR_NONE;
++
+ grub_cc_log_event(buf, size, pcr, description);
+
+ if (!grub_tpm_handle_find (&tpm_handle, &protocol_version))
diff --git a/0433-tpm.c-disable-PCR8-measurements-at-the-configuration.patch b/0433-tpm.c-disable-PCR8-measurements-at-the-configuration.patch
new file mode 100644
index 0000000..74a3438
--- /dev/null
+++ b/0433-tpm.c-disable-PCR8-measurements-at-the-configuration.patch
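Review bot: The early `return GRUB_ERR_NONE` for a masked PCR sits above `grub_cc_log_event(buf, size, pcr, description)`, so masking a PCR also skips that call, not only the TPM path below it, and the caller receives the same success code as for a completed measurement. If only the TPM extend is meant to be suppressed, move the check below the `grub_cc_log_event` call; if both are intended, state it in a comment such as `/* A masked PCR is skipped entirely: no CC event and no TPM extend. */`. The `grub_dprintf` evaluates `grub_tpm_pcr_is_enabled (pcr)` a second time; storing the result in a local keeps the log line and the decision in agreement. `grub_tpm_measure` begins and ends outside the hunk, and whether the other platform backends consult the mask is not visible here.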
@@ -0,0 +1,73 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Leo Sandoval
+Date: Tue, 24 Feb 2026 10:43:20 -0600
+Subject: [PATCH] tpm.c: disable PCR8 measurements at the configuration step
+
+At the configuration step, we can disable PCR8 measurements through
+the configure parameter `--with-pcr8-disabled=yes`.
+
+Signed-off-by: Leo Sandoval
+---
+ config.h.in | 1 +
+ configure.ac | 12 ++++++++++++
+ grub-core/commands/tpm.c | 5 +++++
+ 3 files changed, 18 insertions(+)
+
+diff --git a/config.h.in b/config.h.in
+index 39f4e5472c..54a29a1719 100644
+--- a/config.h.in
++++ b/config.h.in
+@@ -17,6 +17,7 @@
+ #define DISK_CACHE_STATS @DISK_CACHE_STATS@
+ #define BOOT_TIME_STATS @BOOT_TIME_STATS@
+ #define DEBUG_WITH_TIMESTAMPS @DEBUG_WITH_TIMESTAMPS@
++#define DISABLE_PCR8 @DISABLE_PCR8@
+
+ /* We don't need those. */
+ #define MINILZO_CFG_SKIP_LZO_PTR 1
+diff --git a/configure.ac b/configure.ac
+index a6a6957fbd..b37914440a 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1699,6 +1699,17 @@ else
+ fi
+ AC_SUBST([DEBUG_WITH_TIMESTAMPS])
+
++AC_ARG_WITH([pcr8-disabled],
++ AS_HELP_STRING([--with-pcr8-disabled],
++ [disable PCR8 measurements]))
++
++if test x$with_pcr8_disabled = xyes; then
++ DISABLE_PCR8=1
++else
++ DISABLE_PCR8=0
++fi
++AC_SUBST([DISABLE_PCR8])
++
+ AC_ARG_ENABLE([grub-emu-sdl2],
+ [AS_HELP_STRING([--enable-grub-emu-sdl2],
+ [build and install the `grub-emu' debugging utility with SDL2 support (default=guessed)])])
+@@ -2310,6 +2321,7 @@ AM_CONDITIONAL([COND_ENABLE_EFIEMU], [test x$enable_efiemu = xyes])
+ AM_CONDITIONAL([COND_ENABLE_CACHE_STATS], [test x$DISK_CACHE_STATS = x1])
+ AM_CONDITIONAL([COND_ENABLE_BOOT_TIME_STATS], [test x$BOOT_TIME_STATS = x1])
+ AM_CONDITIONAL([COND_DEBUG_WITH_TIMESTAMPS], [test x$DEBUG_WITH_TIMESTAMPS = x1])
++AM_CONDITIONAL([COND_DISABLE_PCR8], [test x$DISABLE_PCR8 = x1])
+
+ AM_CONDITIONAL([COND_HAVE_CXX], [test x$HAVE_CXX = xyes])
+
+diff --git a/grub-core/commands/tpm.c b/grub-core/commands/tpm.c
+index b3ddbe5d3a..6e9480568c 100644
+--- a/grub-core/commands/tpm.c
++++ b/grub-core/commands/tpm.c
+@@ -57,6 +57,11 @@ grub_tpm_verify_init (grub_file_t io,
+ {
+ *context = io->name;
+ *flags |= GRUB_VERIFY_FLAGS_SINGLE_CHUNK;
++
++#if DISABLE_PCR8
++ grub_tpm_disable_pcr (GRUB_STRING_PCR);
++#endif
++
+ return GRUB_ERR_NONE;
+ }
+
diff --git a/0434-Add-support-for-efi-keyword.patch b/0434-Add-support-for-efi-keyword.patch
new file mode 100644
index 0000000..4e91b39
--- /dev/null
+++ b/0434-Add-support-for-efi-keyword.patch
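Review bot: `grub_tpm_disable_pcr (GRUB_STRING_PCR)` is placed in `grub_tpm_verify_init`, which takes a `grub_file_t` and so appears to run per verified file; the mask is therefore not cleared until the first file is opened, and it is cleared again on every later file, undoing any `grub_tpm_enable_pcr` call made in between. Applying the build-time default once is more predictable, for instance by initialising `pcr_mask` from `DISABLE_PCR8` or by calling the disable from the module's init path (outside this hunk). A build with `--with-pcr8-disabled=yes` stops recording whatever is measured under `GRUB_STRING_PCR`, so the `AS_HELP_STRING` text should say what is no longer measured, because anyone sealing or attesting against PCR 8 has to know the value no longer reflects it. In configure.ac, quote the tested operand: `if test "x$with_pcr8_disabled" = xyes; then`.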
@@ -0,0 +1,112 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Marta Lewandowska
+Date: Fri, 27 Mar 2026 11:15:27 +0100
+Subject: [PATCH] Add support for the efi keyword
+
+Add support for UKIs using the efi keyword in BLS snippets.
+
+Signed-off-by: Marta Lewandowska
+---
+ grub-core/commands/blscfg.c | 53 +++++++++++++++++++++++++++++++++++----------
+ 1 file changed, 42 insertions(+), 11 deletions(-)
+
+diff --git a/grub-core/commands/blscfg.c b/grub-core/commands/blscfg.c
+index 38913d696486..6fc621400a31 100644
+--- a/grub-core/commands/blscfg.c
++++ b/grub-core/commands/blscfg.c
+@@ -762,6 +762,7 @@ static void create_entry (struct bls_entry *entry)
+
+ char *title = NULL;
+ char *clinux = NULL;
++ char *cuki = NULL;
+ char *options = NULL;
+ char **initrds = NULL;
+ char *initrd = NULL;
+@@ -785,10 +786,19 @@ static void create_entry (struct bls_entry *entry)
+
+ grub_dprintf("blscfg", "%s got here\n", __func__);
+ clinux = bls_get_val (entry, "linux", NULL);
+- if (!clinux)
++ cuki = bls_get_val (entry, "efi", NULL);
++ if (!clinux && !cuki)
+ {
+- grub_dprintf ("blscfg", "Skipping file %s with no 'linux' key.\n", entry->filename);
+- goto finish;
++ if (!clinux)
++ {
++ grub_dprintf ("blscfg", "Skipping file %s with no 'linux' key.\n", entry->filename);
++ goto finish;
++ }
++ if (!cuki)
++ {
++ grub_dprintf ("blscfg", "Skipping file %s with no 'efi' key.\n", entry->filename);
++ goto finish;
++ }
+ }
+
+ /*
+@@ -801,12 +811,6 @@ static void create_entry (struct bls_entry *entry)
+ if (dotconf)
+ dotconf[0] = '\0';
+
+- title = bls_get_val (entry, "title", NULL);
+- options = expand_val (bls_get_val (entry, "options", NULL));
+-
+- if (!options)
+- options = expand_val (grub_env_get("default_kernelopts"));
+-
+ initrds = bls_make_list (entry, "initrd", NULL);
+
+ devicetree = expand_val (bls_get_val (entry, "devicetree", NULL));
+@@ -825,6 +829,22 @@ static void create_entry (struct bls_entry *entry)
+ argc += 1;
+ argv = grub_malloc ((argc + 1) * sizeof (char *));
+ argv[0] = title ? title : clinux;
++
++ title = bls_get_val (entry, "title", NULL);
++ if (clinux)
++ {
++ argv[0] = title ? title : clinux;
++ options = expand_val (bls_get_val (entry, "options", NULL));
++ if (!options)
++ options = expand_val (grub_env_get("default_kernelopts"));
++ }
++ if (cuki)
++ {
++ argv[0] = title ? title : cuki;
++ options = bls_get_val (entry, ".cmdline", NULL);
++ if (!options)
++ options = expand_val (bls_get_val (entry, "options", NULL));
++ }
+ for (i = 1; i < argc; i++)
+ argv[i] = args[i-1];
+ argv[argc] = NULL;
+@@ -945,7 +965,9 @@ static void create_entry (struct bls_entry *entry)
+
+ const char *sdval = grub_env_get("save_default");
+ bool savedefault = ((NULL != sdval) && (grub_strcmp(sdval, "true") == 0));
+- src = grub_xasprintf ("%sload_video\n"
++ if(clinux)
++ {
++ src = grub_xasprintf ("%sload_video\n"
+ "set gfxpayload=keep\n"
+ "insmod gzio\n"
+ "linux %s%s%s%s\n"
+@@ -954,7 +976,16 @@ static void create_entry (struct bls_entry *entry)
+ separate_boot ? GRUB_BOOT_DEVICE : "",
+ clinux, options ? " " : "", options ? options : "",
+ initrd ? initrd : "", dt ? dt : "");
+-
++ }
++ if(cuki)
++ {
++ src = grub_xasprintf ("%schainloader %s%s%s%s\n",
++ savedefault ? "savedefault\n" : "",
++ separate_boot ? GRUB_BOOT_DEVICE : "",
++ cuki,
++ (options != NULL) ? " " : "",
++ (options != NULL) ? options : "");
++ }
+ grub_normal_add_menu_entry (argc, argv, classes, id, users, hotkey, NULL, src, 0, &index, entry, NULL);
+ grub_dprintf ("blscfg", "Added entry %d id:\"%s\"\n", index, id);
+
diff --git a/grub-cc-prefix-embedded.cfg b/grub-cc-prefix-embedded.cfg
new file mode 100644
index 0000000..0f1df38
--- /dev/null
+++ b/grub-cc-prefix-embedded.cfg
@@ -0,0 +1,2 @@
+set prefix='(memdisk)/grub2'
+configfile $prefix/grub.cfg
diff --git a/grub-cc.cfg b/grub-cc.cfg
new file mode 100644
index 0000000..3701e86
--- /dev/null
+++ b/grub-cc.cfg
@@ -0,0 +1,2 @@
+set timeout=5
+blscfg
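Review bot: In `create_entry` the `linux` and `efi` cases are handled by two independent `if` blocks, so a snippet carrying both keys runs both: `options` and `src` are assigned twice, the first `expand_val` and `grub_xasprintf` results are leaked, and the entry silently becomes a chainloader entry. Make the second test `else if (cuki)` in both places, or reject snippets that set both keys. In the `cuki` branch `options` can hold the raw pointer returned by `bls_get_val (entry, ".cmdline", NULL)` rather than an `expand_val` result; if the cleanup at `finish` (outside these hunks) frees `options`, that value has to be duplicated first. Inside `if (!clinux && !cuki)` the nested `if (!clinux)` is always true, so the 'efi' message is unreachable and a single message, `"Skipping file %s with no 'linux' or 'efi' key.\n"`, is enough. The retained context line `argv[0] = title ? title : clinux;` now runs before `title` is read and can be removed.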
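Review bot: `set timeout=5` in grub-cc.cfg leaves the menu interactive, and the file sets no `superusers` or password even though grub-cc.macros bundles `password_pbkdf2` into the image. Because the same image is configured with `--with-pcr8-disabled=yes`, entries edited or commands entered during that window would, as far as this change shows, not be recorded under PCR 8. If the guest console is not trusted in the confidential-computing deployment, consider `set timeout=0` or gating the editor behind `superusers`, and add a comment to the file stating which behaviour is intended.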
diff --git a/grub-cc.macros b/grub-cc.macros
new file mode 100644
index 0000000..a8b18d8
--- /dev/null
+++ b/grub-cc.macros
@@ -0,0 +1,129 @@
+%global evr_cc %{epoch}:%{version}-%{release}
+%global libdir_cc %{_exec_prefix}/lib
+%global os_id_cc %(eval echo $(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/'))
+%global grub_evr_dir_cc %{libdir_cc}/efi/grub2/%{evr_cc}
+%global grub_efi_cc_dir %{grub_evr_dir_cc}/EFI/%{os_id_cc}/cc
+
+%global grubeficcname grub%{efiarch}-cc.efi
+%global grubeficccdname gcd%{efiarch}-cc.efi
+
+%global grub_cc_modules " all_video boot blscfg blsuki \\\
+ cat configfile cryptodisk \\\
+ echo fat font \\\
+ gcry_rijndael gcry_rsa gcry_serpent \\\
+ gcry_sha256 gcry_twofish gcry_whirlpool \\\
+ gfxmenu gfxterm gzio \\\
+ halt increment \\\
+ loadenv loopback linux lvm luks \\\
+ luks2 \\\
+ memdisk \\\
+ minicmd \\\
+ normal part_msdos part_gpt \\\
+ password_pbkdf2 pgp reboot regexp \\\
+ search search_fs_uuid search_fs_file \\\
+ search_label serial sleep \\\
+ syslinuxcfg \\\
+ test version video zstd " \
+
+%global efi_cc_modules " efi_netfs efifwsetup efinet lsefi lsefimmap connectefi bli "
+
+%global cc_modules " backtrace chain tpm "
+
+
+%define define_efi_cc_variant(o) \
+%{expand:%%package %{1}-cc} \
+Summary: GRUB for EFI systems. \
+Requires: efi-filesystem \
+Requires: grub2-common = %{evr} \
+Requires: grub2-tools-minimal >= %{evr} \
+Requires: grub2-tools = %{evr} \
+Provides: grub2-efi-cc= %{evr} \
+%{?legacy_provides:Provides: grub2 = %{evr}} \
+%{-o:Obsoletes: grub2-efi < %{evr}} \
+ \
+%{expand:%%description %{1}-cc} \
+%{desc} \
+This subpackage provides support for Confidential Computing %{1} systems. \
+ \
+%{expand:%%{?!buildsubdir:%%define buildsubdir grub-%{1}-%{tarversion}-cc}}\
+
+%define do_primary_efi_cc_build() \
+cd grub-%{1}-%{tarversion}-cc \
+%{expand:%%do_efi_cc_configure %%{4} %%{5} %%{6}} \
+%do_efi_build_all \
+%{expand:%%do_efi_cc_build_images %{grub_target_name} %{2} %{3} ./ %%{7} %%{8} %%{9}} \
+cd .. \
+%{nil}
+
+%define do_efi_cc_configure() \
+%configure \\\
+ %{cc_equals} \\\
+ HOST_CFLAGS="%{3}" \\\
+ HOST_CPPFLAGS="-I$(pwd)" \\\
+ HOST_LDFLAGS="%{efi_host_ldflags}" \\\
+ TARGET_CFLAGS="%{2}" \\\
+ TARGET_CPPFLAGS="-I$(pwd)" \\\
+ TARGET_LDFLAGS="%{efi_target_ldflags}" \\\
+ --with-rpm-version=%{version}-%{release} \\\
+ --with-platform=efi \\\
+ --with-utils=host \\\
+ --with-pcr8-disabled=yes \\\
+ --target=%{1} \\\
+ --with-grubdir=grub2 \\\
+ --program-transform-name=s,grub,grub2, \\\
+ --disable-werror || ( cat config.log ; exit 1 ) \
+git add . \
+git commit -m "After efi confidential computing configure" \
+%{nil}
+
+%define do_efi_cc_build_images() \
+GRUB_MODULES+=%{grub_cc_modules} \
+GRUB_MODULES+=%{efi_cc_modules} \
+GRUB_MODULES+=%{cc_modules} \
+%{expand:%%{efi_cc_mkimage %%{1} %%{2} %%{3} %%{4} %%{5} %%{6} %%{7}}} \
+%{nil}
+
+%define efi_cc_mkimage() \
+mkdir -p memdisk/fonts memdisk/grub2 \
+cp %{4}/unicode.pf2 memdisk/fonts \
+cp %{SOURCE16} memdisk/grub2/grub.cfg \
+mksquashfs memdisk memdisk.squashfs -comp lzo \
+%{4}./grub-mkimage -O %{1} -o %{2}.orig \\\
+ -d grub-core \\\
+ --sbat %{4}./sbat.csv \\\
+ -m memdisk.squashfs \\\
+ -c '%{SOURCE17}' \\\
+ -p /EFI/%{efi_vendor} \\\
+ ${GRUB_MODULES} \
+%{4}./grub-mkimage -O %{1} -o %{3}.orig \\\
+ -d grub-core \\\
+ --sbat %{4}./sbat.csv \\\
+ -c '%{SOURCE17}' \\\
+ -m memdisk.squashfs \\\
+ -p /EFI/BOOT \\\
+ ${GRUB_MODULES} \
+%{expand:%%define ___pesign_client_cert %{?___pesign_client_cert}%{!?___pesign_client_cert:%{__pesign_client_cert}}} \
+%{?__pesign_client_cert:%{expand:%%define __pesign_client_cert %{___pesign_client_cert}}} \
+%{expand:%%{pesign -s -i %%{2}.orig -o %%{2} -a %%{5} -c %%{6} -n %%{7}}} \
+%{expand:%%{pesign -s -i %%{3}.orig -o %%{3} -a %%{5} -c %%{6} -n %%{7}}} \
+%{nil}
+%{nil}
+
+%define do_efi_cc_install() \
+cd grub-%{1}-%{tarversion}-cc \
+install -d -m 0700 ${RPM_BUILD_ROOT}%{grub_efi_cc_dir}/ \
+install -m 700 %{2} $RPM_BUILD_ROOT%{grub_efi_cc_dir}/%{2} \
+%{expand:%%do_install_protected_file grub2-%{package_arch}-cc} \ +cd .. \ +%{nil} + +%define define_efi_cc_variant_files() \ +%{expand:%%files %{1}-cc} \ +%defattr(-,root,root,-) \ +%dir %attr(0700,root,root) %{grub_efi_cc_dir} \ +%attr(0700,root,root) %{grub_efi_cc_dir}/%{2} \ +%attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/grub2-%{1}-cc.conf \ +%{expand:%if 0%{?without_efi_modules} \ +%exclude %{_libdir}/grub/%{6} \ +%exclude %{_libdir}/grub/%{6}/* \ +%endif} \ diff --git a/grub.patches b/grub.patches index 2fc0816..86fbd09 100644 --- a/grub.patches +++ b/grub.patches @@ -426,3 +426,8 @@ Patch0426: 0426-commands-search.c-check-possible-NULL-pointer-before.patch Patch0427: 0427-util-grub-mkimagexx-Stop-generating-unaligned-append.patch Patch0428: 0428-grub-mkimage-Do-not-generate-empty-SBAT-metadata.patch Patch0429: 0429-kern-efi-mm-Change-grub_efi_mm_add_regions-to-keep-t.patch +Patch0430: 0430-term-serial.c-default-efi0-as-serial-port-if-present.patch +Patch0431: 0431-commands-tpm.c-include-PCR-check-enable-disable-func.patch +Patch0432: 0432-commands-efi-tpm.c-check-if-PCR-is-enable-before-TPM.patch +Patch0433: 0433-tpm.c-disable-PCR8-measurements-at-the-configuration.patch +Patch0434: 0434-Add-support-for-efi-keyword.patch diff --git a/grub2.spec b/grub2.spec index f8cfa57..3549ef0 100644 --- a/grub2.spec +++ b/grub2.spec @@ -17,7 +17,7 @@ Name: grub2 Epoch: 1 Version: 2.12 -Release: 45%{?dist} +Release: 46%{?dist} Summary: Bootloader with support for Linux, Multiboot and more License: GPL-3.0-or-later URL: http://www.gnu.org/software/grub/ @@ -37,8 +37,12 @@ Source11: grub.patches Source12: sbat.csv.in Source13: gen_grub_cfgstub Source14: sbat.ppc.csv +Source15: grub-cc.macros +Source16: grub-cc.cfg +Source17: grub-cc-prefix-embedded.cfg %include %{SOURCE1} +%include %{SOURCE15} %ifarch x86_64 aarch64 %define sb_ca %{_datadir}/pki/sb-certs/secureboot-ca-%{_arch}.cer 
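Review bot: In `do_efi_cc_build_images` the first line is `GRUB_MODULES+=%{grub_cc_modules}`, which appends to whatever the shell variable already holds; grub2.spec runs `%do_primary_efi_cc_build` directly after `%do_primary_efi_build` in the same `%build` script, so unless something resets the variable in between, the cc image would also embed the regular image's modules instead of only the list defined here. Start the list with a plain assignment, `GRUB_MODULES=%{grub_cc_modules}`, so the signed cc image contains exactly the modules this file names. In `define_efi_cc_variant`, `Provides: grub2-efi-cc= %{evr}` is missing the space before `=` and should read `Provides: grub2-efi-cc = %{evr}`. Both the regular and the cc variant are instantiated with `-o` in grub2.spec, so both subpackages would carry `Obsoletes: grub2-efi < %{evr}`; confirm that is wanted for the cc package.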
@@ -178,6 +182,7 @@ This subpackage provides tools for support of all platforms. %if 0%{with_efi_arch} %{expand:%define_efi_variant %%{package_arch} -o} +%{expand:%define_efi_cc_variant %%{package_arch} -o} %endif %if 0%{with_alt_efi_arch} %{expand:%define_efi_variant %%{alt_package_arch}} @@ -213,6 +218,12 @@ cp %{SOURCE4} grub-%{grubefiarch}-%{tarversion}/unifont.pcf.gz sed -e "s,@@VERSION@@,%{version},g" -e "s,@@VERSION_RELEASE@@,%{version}-%{release},g" \ %{SOURCE12} > grub-%{grubefiarch}-%{tarversion}/sbat.csv git add grub-%{grubefiarch}-%{tarversion} +mkdir grub-%{grubefiarch}-%{tarversion}-cc +grep -A100000 '# stuff "make" creates' .gitignore > grub-%{grubefiarch}-%{tarversion}-cc/.gitignore +cp %{SOURCE4} grub-%{grubefiarch}-%{tarversion}-cc/unifont.pcf.gz +sed -e "s,@@VERSION@@,%{version},g" -e "s,@@VERSION_RELEASE@@,%{version}-%{release},g" \ + %{SOURCE12} > grub-%{grubefiarch}-%{tarversion}-cc/sbat.csv +git add grub-%{grubefiarch}-%{tarversion}-cc %endif %if 0%{with_alt_efi_arch} mkdir grub-%{grubaltefiarch}-%{tarversion} @@ -237,6 +248,7 @@ git commit -m "After making subdirs" %build %if 0%{with_efi_arch} %{expand:%do_primary_efi_build %%{grubefiarch} %%{grubefiname} %%{grubeficdname} %%{_target_platform} %%{efi_target_cflags} %%{efi_host_cflags} %{sb_ca} %{sb_cer} %{sb_key}} +%{expand:%do_primary_efi_cc_build %%{grubefiarch} %%{grubeficcname} %%{grubeficccdname} %%{_target_platform} %%{efi_target_cflags} %%{efi_host_cflags} %{sb_ca} %{sb_cer} %{sb_key}} %endif %if 0%{with_alt_efi_arch} %{expand:%do_alt_efi_build %%{grubaltefiarch} %%{grubaltefiname} %%{grubalteficdname} %%{_alt_target_platform} %%{alt_efi_target_cflags} %%{alt_efi_host_cflags} %{sb_ca} %{sb_cer} %{sb_key}} 
@@ -266,6 +278,7 @@ rm -fr $RPM_BUILD_ROOT %do_common_install %if 0%{with_efi_arch} %{expand:%do_efi_install %%{grubefiarch} %%{grubefiname} %%{grubeficdname}} +%{expand:%do_efi_cc_install %%{grubefiarch} %%{grubeficcname} %%{grubeficccdname}} %endif %if 0%{with_alt_efi_arch} %{expand:%do_alt_efi_install %%{grubaltefiarch} %%{grubaltefiname} %%{grubalteficdname}} @@ -560,6 +573,7 @@ fi %if 0%{with_efi_arch} %{expand:%define_efi_variant_files %%{package_arch} %%{grubefiname} %%{grubeficdname} %%{grubefiarch} %%{target_cpu_name} %%{grub_target_name}} +%{expand:%define_efi_cc_variant_files %%{package_arch} %%{grubeficcname} %%{grubeficccdname} %%{grubefiarch} %%{target_cpu_name} %%{grub_target_name}} %endif %if 0%{with_alt_efi_arch} %{expand:%define_efi_variant_files %%{alt_package_arch} %%{grubaltefiname} %%{grubalteficdname} %%{grubaltefiarch} %%{alt_target_cpu_name} %%{alt_grub_target_name}} @@ -579,7 +593,11 @@ fi %endif %changelog -* Tue Feb 10 2026 Marta Lewandowska - 2.12-45 +* Fri Mar 27 2026 Leo Sandoval - 2.12-46 +- New package grub2-efi-x64-cc for confidential computing workloads +- Resolves: #RHEL-127909 + +* Tue Mar 10 2026 Marta Lewandowska - 2.12-45 - Try to get gating tests running via fmf/tmt - Resolves: #RHEL-147757