diff --git a/SOURCES/0465-10_linux.in-escape-kernel-option-characters-properly.patch b/SOURCES/0465-10_linux.in-escape-kernel-option-characters-properly.patch
new file mode 100644
index 0000000..1937cb9
--- /dev/null
+++ b/SOURCES/0465-10_linux.in-escape-kernel-option-characters-properly.patch
@@ -0,0 +1,45 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Leo Sandoval +Date: Wed, 7 May 2025 13:23:37 -0600 +Subject: [PATCH] 10_linux.in: escape kernel option characters properly + +This handles cases where kernel options, specifically the values, +contain special characters, in this case ';', '&' and '$'. + +For example, the user defines the following GRUB_CMDLINE_LINUX on the +default grub file /etc/default/grub, note the dolar sign on the 'memmap' +option + + GRUB_CMDLINE_LINUX="console=ttyS0 memmap=32g\\\$0x2000000000" + +then regenerating the grub cfg and BLS options line with the +grub2-mkconfig command, resulting into + + options root=UUID=6baedf23-2510-499a-815d-48b58cf6e619 ro + rootflags=subvol=root console=ttyS0 memmap=32g\$0x2000000000 + +without this patch, we would end up with + + options root=UUID=6baedf23-2510-499a-815d-48b58cf6e619 ro + rootflags=subvol=root console=ttyS0 memmap=32g$0x2000000000 + +Note the missing '\' which is required to escape the '$', otherwise +it would be consider a variable by blscfg parser which is not the case. + +Signed-off-by: Leo Sandoval +--- + util/grub.d/10_linux.in | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in +index fafdfbc4d3..4276d5e240 100755 +--- a/util/grub.d/10_linux.in ++++ b/util/grub.d/10_linux.in +@@ -180,6 +180,7 @@ update_bls_cmdline() + options="$(echo "${options}" | sed -e 's/\//\\\//g')" + options="$(echo "${options}" | sed -e 's/\;/\\\;/g')" + options="$(echo "${options}" | sed -e 's/\\&/\\\\&/g')" ++ options="$(echo "${options}" | sed -e 's/\$/\\\$/g')" + sed -i -e "s/^options.*/options ${options}/" "${blsdir}/${bls}.conf" + done + } diff --git a/SOURCES/0466-blscfg-check-if-variable-is-escaped-before-consideri.patch b/SOURCES/0466-blscfg-check-if-variable-is-escaped-before-consideri.patch new file mode 100644 index 0000000..fba6906 --- /dev/null 
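Review bot: The added `sed -e 's/\$/\\\$/g'` line in update_bls_cmdline() only preserves a backslash the user already wrote before `$`; it does not escape a bare `$`. The substitution turns `$` into `\$`, and the replacement text of the following `sed -i -e "s/^options.*/options ${options}/"` reads `\$` back as a plain `$`, so a value such as `memmap=32g$0x2000000000` would still reach the BLS entry unescaped and, going by the commit message, be taken for a variable by blscfg. If that is the intended contract, a comment above the line such as `# keep a user-written '\$' intact through the sed replacement below` would make it clear; if bare `$` should be escaped as well, it needs separate handling. `echo "${options}"` may also interpret backslash sequences depending on which shell runs the script, so `printf '%s\n' "${options}"` is the safer producer. The function starts above the hunk.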
+++ b/SOURCES/0466-blscfg-check-if-variable-is-escaped-before-consideri.patch @@ -0,0 +1,26 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Leo Sandoval +Date: Wed, 7 May 2025 13:49:47 -0600 +Subject: [PATCH] blscfg: check if variable is escaped before considering one + +Otherwise escaped variables are considered real variables. + +Signed-off-by: Leo Sandoval +--- + grub-core/commands/blscfg.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/grub-core/commands/blscfg.c b/grub-core/commands/blscfg.c +index 6e398fc175..5d931b0c9b 100644 +--- a/grub-core/commands/blscfg.c ++++ b/grub-core/commands/blscfg.c +@@ -695,7 +695,8 @@ static char *expand_val(const char *value) + return NULL; + + while (*value) { +- if (*value == '$') { ++ /* It's a variable only when *value is '$' and it is not escaped with '\'*/ ++ if (*value == '$' && *end != '\\') { + if (start != end) { + buffer = field_append(is_var, buffer, start, end); + if (!buffer) diff --git a/SOURCES/20-grub.install b/SOURCES/20-grub.install index a3f1b18..67d6895 100755 --- a/SOURCES/20-grub.install +++ b/SOURCES/20-grub.install @@ -6,6 +6,7 @@ fi [[ -f /etc/default/grub ]] && . /etc/default/grub [[ -f /etc/os-release ]] && . /etc/os-release +[[ -f /etc/sysconfig/kernel ]] && . /etc/sysconfig/kernel COMMAND="$1" KERNEL_VERSION="$2" 
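Review bot: The new test `*end != '\\'` in expand_val() looks only at the single character before `$`, so a value with a literal backslash directly before a real variable (`\\$var`) would be treated as an escaped `$` and not expanded. The test also relies on `end` still pointing at the previous character, which is established outside the hunk; on the first iteration `end` presumably equals `value`, which makes the test harmless there, but that is worth confirming. I would say this in the comment, e.g. `/* end is the previous character; a '$' right after '\\' is copied literally, not expanded */`, and decide whether an even number of preceding backslashes should still allow expansion. The function begins and ends outside the hunk.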
@@ -41,8 +42,14 @@ mkbls() { fi fi + if [[ $kernelver =~ uek ]]; then + local ver_stanza="$kernelver with Unbreakable Enterprise Kernel" + else + local ver_stanza="$kernelver" + fi + cat < +Date: Tue, 18 Dec 2018 13:22:12 -0800 +Subject: [PATCH 1/1] Use different menuentries for UEK kernel + +--- + util/grub.d/10_linux.in | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in +index b54d277..fe8b20f 100644 +--- a/util/grub.d/10_linux.in ++++ b/util/grub.d/10_linux.in +@@ -173,7 +173,12 @@ EOF + fi + + if [ x$type != xsimple ] ; then +- title=$(mktitle "$type" "$version") ++ if echo "$version" | grep -q uek; then ++ kernel_type_text="with Unbreakable Enterprise Kernel" ++ else ++ kernel_type_text="with Linux" ++ fi ++ title=$(mktitle "$type" "$version $kernel_type_text") + if [ x"$title" = x"$GRUB_ACTUAL_DEFAULT" ] || [ x"Previous Linux versions>$title" = x"$GRUB_ACTUAL_DEFAULT" ]; then + replacement_title="$(echo "Advanced options for ${OS}" | sed 's,>,>>,g')>$(echo "$title" | sed 's,>,>>,g')" + quoted="$(echo "$GRUB_ACTUAL_DEFAULT" | grub_quote)" +-- +1.8.3.1 + diff --git a/SOURCES/bug26388226-update-redhat-references.patch b/SOURCES/bug26388226-update-redhat-references.patch new file mode 100644 index 0000000..8e90b0b --- /dev/null +++ b/SOURCES/bug26388226-update-redhat-references.patch 
@@ -0,0 +1,25 @@ +From aba9976ce324fdf845b04b326f7426566a676335 Mon Sep 17 00:00:00 2001 +From: "livy.ge" +Date: Wed, 5 Jul 2017 03:53:48 -0700 +Subject: [PATCH] update bug url + +--- + util/grub-set-password.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/util/grub-set-password.in b/util/grub-set-password.in +index 6553eaa..03731d5 100644 +--- a/util/grub-set-password.in ++++ b/util/grub-set-password.in +@@ -21,7 +21,7 @@ located by default at ${grubdir}. + -v, --version print the version information and exit + -o, --output_path put user.cfg in a user-selected directory + +-Report bugs at https://bugzilla.redhat.com. ++Report bugs at https://github.com/oracle/oracle-linux . + EOF + } + +-- +2.43.5 + diff --git a/SOURCES/bug37539625-0001-net-dns-Fix-removal-of-DNS-server.patch b/SOURCES/bug37539625-0001-net-dns-Fix-removal-of-DNS-server.patch new file mode 100644 index 0000000..07577e9 --- /dev/null +++ b/SOURCES/bug37539625-0001-net-dns-Fix-removal-of-DNS-server.patch 
@@ -0,0 +1,47 @@ +From 88d7b6dcb0b3a08776377f9150bb555c6677b7d4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Renaud=20M=C3=A9trich?= +Date: Fri, 28 Apr 2023 13:05:37 +0200 +Subject: [PATCH] net/dns: Fix removal of DNS server +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When deleting the DNS server, we get the following error message: +-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- +grub> net_del_dns 192.168.122.1 +error: ../../grub-core/net/dns.c:646:no DNS reply received. +-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- + +This happens because the implementation is broken, it does a "add" +internally instead of a "delete". + +Signed-off-by: Renaud Métrich +Reviewed-by: Daniel Kiper +--- + grub-core/net/dns.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/grub-core/net/dns.c b/grub-core/net/dns.c +index 17961a9..e9edf5d 100644 +--- a/grub-core/net/dns.c ++++ b/grub-core/net/dns.c +@@ -765,11 +765,14 @@ grub_cmd_del_dns (struct grub_command *cmd __attribute__ ((unused)), + + if (argc != 1) + return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("one argument expected")); +- err = grub_net_resolve_address (args[1], &server); ++ ++ err = grub_net_resolve_address (args[0], &server); + if (err) + return err; + +- return grub_net_add_dns_server (&server); ++ grub_net_remove_dns_server (&server); ++ ++ return GRUB_ERR_NONE; + } + + static grub_command_t cmd, cmd_add, cmd_del, cmd_list; +-- +2.43.5 + diff --git a/SOURCES/bug37539625-0002-net-dns-Simplify-error-handling-of-recv_hook-functio.patch b/SOURCES/bug37539625-0002-net-dns-Simplify-error-handling-of-recv_hook-functio.patch new file mode 100644 index 0000000..2bb05ee --- /dev/null +++ b/SOURCES/bug37539625-0002-net-dns-Simplify-error-handling-of-recv_hook-functio.patch 
@@ -0,0 +1,143 @@ +From 47a171178809d67996a5dc470622ab6d3760cfa6 Mon Sep 17 00:00:00 2001 +From: Fedora Ninjas +Date: Tue, 28 Jan 2025 15:27:16 +0000 +Subject: [PATCH 1/3] net/dns: Simplify error handling of recv_hook() function +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Renaud Métrich +Reviewed-by: Daniel Kiper + +Orabug: 37539625 +Modified-by: Alex Burmashev +Signed-off-by: Alex Burmashev +--- + grub-core/net/dns.c | 51 +++++++++++++++------------------------------ + 1 file changed, 17 insertions(+), 34 deletions(-) + +diff --git a/grub-core/net/dns.c b/grub-core/net/dns.c +index e9edf5d..8ba4e54 100644 +--- a/grub-core/net/dns.c ++++ b/grub-core/net/dns.c +@@ -262,42 +262,27 @@ recv_hook (grub_net_udp_socket_t sock __attribute__ ((unused)), + We may get multiple responses due to network condition, so check here + and quit early. */ + if (*data->addresses) +- { +- grub_netbuff_free (nb); +- return GRUB_ERR_NONE; +- } ++ goto out; + + head = (struct dns_header *) nb->data; + ptr = (grub_uint8_t *) (head + 1); + if (ptr >= nb->tail) +- { +- grub_netbuff_free (nb); +- return GRUB_ERR_NONE; +- } +- ++ goto out; ++ + if (head->id != data->id) +- { +- grub_netbuff_free (nb); +- return GRUB_ERR_NONE; +- } ++ goto out; + if (!(head->flags & FLAGS_RESPONSE) || (head->flags & FLAGS_OPCODE)) +- { +- grub_netbuff_free (nb); +- return GRUB_ERR_NONE; +- } ++ goto out; + if (head->ra_z_r_code & ERRCODE_MASK) + { + data->dns_err = 1; +- grub_netbuff_free (nb); +- return GRUB_ERR_NONE; ++ goto out; + } ++ + for (i = 0; i < grub_be_to_cpu16 (head->qdcount); i++) + { + if (ptr >= nb->tail) +- { +- grub_netbuff_free (nb); +- return GRUB_ERR_NONE; +- } ++ goto out; + while (ptr < nb->tail && !((*ptr & 0xc0) || *ptr == 0)) + ptr += *ptr + 1; + if (ptr < nb->tail && (*ptr & 0xc0)) +@@ -310,8 +295,7 @@ recv_hook (grub_net_udp_socket_t sock __attribute__ ((unused)), + if (!*data->addresses) + { + grub_errno = 
GRUB_ERR_NONE; +- grub_netbuff_free (nb); +- return GRUB_ERR_NONE; ++ goto out; + } + reparse_ptr = ptr; + reparse: +@@ -325,7 +309,7 @@ recv_hook (grub_net_udp_socket_t sock __attribute__ ((unused)), + { + if (!*data->naddresses) + grub_free (*data->addresses); +- return GRUB_ERR_NONE; ++ goto out; + } + ignored = !check_name (ptr, nb->data, nb->tail, data->name); + while (ptr < nb->tail && !((*ptr & 0xc0) || *ptr == 0)) +@@ -337,8 +321,7 @@ recv_hook (grub_net_udp_socket_t sock __attribute__ ((unused)), + { + if (!*data->naddresses) + grub_free (*data->addresses); +- grub_netbuff_free (nb); +- return GRUB_ERR_NONE; ++ goto out; + } + if (*ptr++ != 0) + ignored = 1; +@@ -358,8 +341,7 @@ recv_hook (grub_net_udp_socket_t sock __attribute__ ((unused)), + { + if (!*data->naddresses) + grub_free (*data->addresses); +- grub_netbuff_free (nb); +- return GRUB_ERR_NONE; ++ goto out; + } + if (!ignored) + { +@@ -400,15 +382,14 @@ recv_hook (grub_net_udp_socket_t sock __attribute__ ((unused)), + if (!data->name) + { + data->dns_err = 1; +- grub_errno = 0; +- return GRUB_ERR_NONE; ++ grub_errno = GRUB_ERR_NONE; ++ goto out; + } + grub_dprintf ("dns", "CNAME %s\n", data->name); + if (grub_strcmp (redirect_save, data->name) == 0) + { + data->dns_err = 1; +- grub_free (redirect_save); +- return GRUB_ERR_NONE; ++ goto out; + } + goto reparse; + } +@@ -440,6 +421,8 @@ recv_hook (grub_net_udp_socket_t sock __attribute__ ((unused)), + *data->naddresses + * sizeof (dns_cache[h].addresses[0])); + } ++ ++ out: + grub_netbuff_free (nb); + grub_free (redirect_save); + return GRUB_ERR_NONE; +-- +2.43.5 + diff --git a/SOURCES/bug37539625-0003-net-dns-Add-debugging-messages-in-recv_hook-function.patch b/SOURCES/bug37539625-0003-net-dns-Add-debugging-messages-in-recv_hook-function.patch new file mode 100644 index 0000000..0b69ea4 --- /dev/null +++ b/SOURCES/bug37539625-0003-net-dns-Add-debugging-messages-in-recv_hook-function.patch 
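Review bot: The subject says "simplify", but several exits in recv_hook() change behaviour and the message does not mention it: the `ptr >= nb->tail` exit after `reparse:`, the `!data->name` exit and the `grub_strcmp (redirect_save, data->name) == 0` exit used to return without `grub_netbuff_free (nb)` and now go through `out:`. That looks like a leak fix and deserves a sentence in the description so it is not lost when the patch is backported. Every early `goto out`, including the ones taken before anything is allocated, now also runs `grub_free (redirect_save)`, which is only safe if `redirect_save` is initialised to NULL at its declaration, outside these hunks. The function starts above the first hunk.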
@@ -0,0 +1,39 @@ +From fef2ea032f8c552f4723e617f1abea4e27f5b02a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Renaud=20M=C3=A9trich?= +Date: Wed, 3 May 2023 12:21:30 +0200 +Subject: [PATCH 2/3] net/dns: Add debugging messages in recv_hook() function +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Renaud Métrich +Reviewed-by: Daniel Kiper +--- + grub-core/net/dns.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/grub-core/net/dns.c b/grub-core/net/dns.c +index 8ba4e54..6bb237d 100644 +--- a/grub-core/net/dns.c ++++ b/grub-core/net/dns.c +@@ -356,6 +356,7 @@ recv_hook (grub_net_udp_socket_t sock __attribute__ ((unused)), + = GRUB_NET_NETWORK_LEVEL_PROTOCOL_IPV4; + grub_memcpy (&(*data->addresses)[*data->naddresses].ipv4, + ptr, 4); ++ grub_dprintf ("dns", "got A 0x%x\n", (*data->addresses)[*data->naddresses].ipv4); + (*data->naddresses)++; + data->stop = 1; + break; +@@ -366,6 +367,9 @@ recv_hook (grub_net_udp_socket_t sock __attribute__ ((unused)), + = GRUB_NET_NETWORK_LEVEL_PROTOCOL_IPV6; + grub_memcpy (&(*data->addresses)[*data->naddresses].ipv6, + ptr, 16); ++ grub_dprintf ("dns", "got AAAA 0x%" PRIxGRUB_UINT64_T "%" PRIxGRUB_UINT64_T "\n", ++ (*data->addresses)[*data->naddresses].ipv6[0], ++ (*data->addresses)[*data->naddresses].ipv6[1]); + (*data->naddresses)++; + data->stop = 1; + break; +-- +2.43.5 + diff --git a/SOURCES/bug37539625-0004-net-dns-Fix-lookup-error-when-no-IPv6-is-returned.patch b/SOURCES/bug37539625-0004-net-dns-Fix-lookup-error-when-no-IPv6-is-returned.patch new file mode 100644 index 0000000..6920e4e --- /dev/null +++ b/SOURCES/bug37539625-0004-net-dns-Fix-lookup-error-when-no-IPv6-is-returned.patch 
@@ -0,0 +1,100 @@ +From 0f996f5ac661098fc12b8458de0f8fd3f038ddea Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Renaud=20M=C3=A9trich?= +Date: Wed, 3 May 2023 12:21:31 +0200 +Subject: [PATCH 3/3] net/dns: Fix lookup error when no IPv6 is returned +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When trying to resolve DNS names into IP addresses, the DNS code fails +from time to time with the following error: +-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- +error: ../../grub-core/net/dns.c:688:no DNS record found. +-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- + +This happens when both IPv4 and IPv6 queries are performed against the +DNS server (e.g. 8.8.8.8) but there is no IP returned for IPv6 query, as +shown below: +-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- +grub> net_del_dns 192.168.122.1 +grub> net_add_dns 8.8.8.8 +grub> net_nslookup ipv4.test-ipv6.com +error: ../../grub-core/net/dns.c:688:no DNS record found. +grub> net_nslookup ipv4.test-ipv6.com +216.218.228.115 +-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- + +The root cause is the code exiting prematurely when the data->addresses +buffer has been allocated in recv_hook(), even if there was no address +returned last time recv_hook() executed. + +Signed-off-by: Renaud Métrich +Reviewed-by: Daniel Kiper +--- + grub-core/net/dns.c | 22 ++++++---------------- + 1 file changed, 6 insertions(+), 16 deletions(-) + +diff --git a/grub-core/net/dns.c b/grub-core/net/dns.c +index 6bb237d..01f3804 100644 +--- a/grub-core/net/dns.c ++++ b/grub-core/net/dns.c +@@ -261,7 +261,7 @@ recv_hook (grub_net_udp_socket_t sock __attribute__ ((unused)), + /* Code apparently assumed that only one packet is received as response. + We may get multiple responses due to network condition, so check here + and quit early. 
*/ +- if (*data->addresses) ++ if (*data->naddresses) + goto out; + + head = (struct dns_header *) nb->data; +@@ -306,11 +306,7 @@ recv_hook (grub_net_udp_socket_t sock __attribute__ ((unused)), + grub_uint32_t ttl = 0; + grub_uint16_t length; + if (ptr >= nb->tail) +- { +- if (!*data->naddresses) +- grub_free (*data->addresses); +- goto out; +- } ++ goto out; + ignored = !check_name (ptr, nb->data, nb->tail, data->name); + while (ptr < nb->tail && !((*ptr & 0xc0) || *ptr == 0)) + ptr += *ptr + 1; +@@ -318,11 +314,7 @@ recv_hook (grub_net_udp_socket_t sock __attribute__ ((unused)), + ptr++; + ptr++; + if (ptr + 10 >= nb->tail) +- { +- if (!*data->naddresses) +- grub_free (*data->addresses); +- goto out; +- } ++ goto out; + if (*ptr++ != 0) + ignored = 1; + class = *ptr++; +@@ -338,11 +330,7 @@ recv_hook (grub_net_udp_socket_t sock __attribute__ ((unused)), + length = *ptr++ << 8; + length |= *ptr++; + if (ptr + length > nb->tail) +- { +- if (!*data->naddresses) +- grub_free (*data->addresses); +- goto out; +- } ++ goto out; + if (!ignored) + { + if (ttl_all > ttl) +@@ -429,6 +417,8 @@ recv_hook (grub_net_udp_socket_t sock __attribute__ ((unused)), + out: + grub_netbuff_free (nb); + grub_free (redirect_save); ++ if (!*data->naddresses) ++ grub_free (*data->addresses); + return GRUB_ERR_NONE; + } + +-- +2.43.5 + diff --git a/SOURCES/bug37747175-0001-efinet-Close-and-reopen-card-on-failure.patch b/SOURCES/bug37747175-0001-efinet-Close-and-reopen-card-on-failure.patch new file mode 100644 index 0000000..4a2d706 --- /dev/null +++ b/SOURCES/bug37747175-0001-efinet-Close-and-reopen-card-on-failure.patch 
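Review bot: At the new `out:` tail, `if (!*data->naddresses) grub_free (*data->addresses);` frees the buffer but leaves `*data->addresses` pointing at it. Because the early-exit guard was changed from `*data->addresses` to `*data->naddresses`, a later response for the same query now gets past the guard, and any `goto out` taken before the buffer is allocated again (the `ptr >= nb->tail`, `head->id` and flag checks shown in patch 0002 on this page come first) would free the same pointer a second time. The same tail also runs when the allocation was never reached, which is fine only if the caller initialises `*data->addresses` to NULL; that is outside the hunks. Clearing the pointer covers both cases: `if (!*data->naddresses) { grub_free (*data->addresses); *data->addresses = NULL; }`.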
@@ -0,0 +1,185 @@ +From 9f0274170a9aa123f12b995fbe613051439c8a03 Mon Sep 17 00:00:00 2001 +From: Fedora Ninjas +Date: Tue, 25 Mar 2025 17:31:59 +0000 +Subject: [PATCH 1/2] efinet: Close and reopen card on failure + +There are some known bugs with network adapter firmware implementations, +that may lead to intermittent problem of network adapter link being down, despite network +being set up. +Ultimate fix of this issue should be done on firmware side, but as for now we try to close +and reopen network adapter and retransmit packet in case we see failures. + +Without this fix certain amount of PXE boots fails with inability to transmit packet, with this fix, +such failures are not seen. + +Orabug: 35126950 +Orabug: 37747175 +Signed-off-by: Alex Burmashev +--- + grub-core/net/drivers/efi/efinet.c | 143 +++++++++++++++++------------ + 1 file changed, 82 insertions(+), 61 deletions(-) + +diff --git a/grub-core/net/drivers/efi/efinet.c b/grub-core/net/drivers/efi/efinet.c +index 1a24f38..a8a1bfa 100644 +--- a/grub-core/net/drivers/efi/efinet.c ++++ b/grub-core/net/drivers/efi/efinet.c +@@ -37,67 +37,6 @@ static grub_efi_guid_t pxe_io_guid = GRUB_EFI_PXE_GUID; + static grub_efi_guid_t ip4_config_guid = GRUB_EFI_IP4_CONFIG2_PROTOCOL_GUID; + static grub_efi_guid_t ip6_config_guid = GRUB_EFI_IP6_CONFIG_PROTOCOL_GUID; + +-static grub_err_t +-send_card_buffer (struct grub_net_card *dev, +- struct grub_net_buff *pack) +-{ +- grub_efi_status_t st; +- grub_efi_simple_network_t *net = dev->efi_net; +- grub_uint64_t limit_time = grub_get_time_ms () + 4000; +- void *txbuf; +- +- if (dev->txbusy) +- while (1) +- { +- txbuf = NULL; +- st = efi_call_3 (net->get_status, net, 0, &txbuf); +- if (st != GRUB_EFI_SUCCESS) +- return grub_error (GRUB_ERR_IO, +- N_("couldn't send network packet")); +- /* +- Some buggy firmware could return an arbitrary address instead of the +- txbuf address we trasmitted, so just check that txbuf is non NULL +- for success. 
This is ok because we open the SNP protocol in +- exclusive mode so we know we're the only ones transmitting on this +- box and since we only transmit one packet at a time we know our +- transmit was successfull. +- */ +- if (txbuf) +- { +- dev->txbusy = 0; +- break; +- } +- if (limit_time < grub_get_time_ms ()) +- return grub_error (GRUB_ERR_TIMEOUT, +- N_("couldn't send network packet")); +- } +- +- dev->last_pkt_size = (pack->tail - pack->data); +- if (dev->last_pkt_size > dev->mtu) +- dev->last_pkt_size = dev->mtu; +- +- grub_memcpy (dev->txbuf, pack->data, dev->last_pkt_size); +- +- st = efi_call_7 (net->transmit, net, 0, dev->last_pkt_size, +- dev->txbuf, NULL, NULL, NULL); +- if (st != GRUB_EFI_SUCCESS) +- return grub_error (GRUB_ERR_IO, N_("couldn't send network packet")); +- +- /* +- The card may have sent out the packet immediately - set txbusy +- to 0 in this case. +- Cases were observed where checking txbuf at the next call +- of send_card_buffer() is too late: 0 is returned in txbuf and +- we run in the GRUB_ERR_TIMEOUT case above. +- Perhaps a timeout in the FW has discarded the recycle buffer. 
+- */ +- txbuf = NULL; +- st = efi_call_3 (net->get_status, net, 0, &txbuf); +- dev->txbusy = !(st == GRUB_EFI_SUCCESS && txbuf); +- +- return GRUB_ERR_NONE; +-} +- + static struct grub_net_buff * + get_card_packet (struct grub_net_card *dev) + { +@@ -219,6 +158,88 @@ close_card (struct grub_net_card *dev) + grub_efi_image_handle, dev->efi_handle); + } + ++static grub_err_t ++send_card_buffer (struct grub_net_card *dev, ++ struct grub_net_buff *pack) ++{ ++ grub_efi_status_t st; ++ grub_efi_simple_network_t *net = dev->efi_net; ++ grub_uint64_t limit_time = grub_get_time_ms () + 4000; ++ void *txbuf; ++ grub_err_t ret; ++ int retry = 0; ++ ++ if (dev->txbusy) ++ while (1) ++ { ++ txbuf = NULL; ++ st = efi_call_3 (net->get_status, net, 0, &txbuf); ++ if (st != GRUB_EFI_SUCCESS) ++ return grub_error (GRUB_ERR_IO, ++ N_("couldn't send network packet")); ++ /* ++ Some buggy firmware could return an arbitrary address instead of the ++ txbuf address we trasmitted, so just check that txbuf is non NULL ++ for success. This is ok because we open the SNP protocol in ++ exclusive mode so we know we're the only ones transmitting on this ++ box and since we only transmit one packet at a time we know our ++ transmit was successfull. 
++ */ ++ if (txbuf) ++ { ++ dev->txbusy = 0; ++ break; ++ } ++ if (limit_time < grub_get_time_ms ()) ++ { ++ if (!retry) ++ { ++ close_card (dev); ++ grub_millisleep (100); ++ ret = open_card (dev); ++ if (ret != GRUB_ERR_NONE) ++ return grub_error (GRUB_ERR_IO, ++ N_("couldn't open card")); ++ st = efi_call_7 (net->transmit, net, 0, dev->last_pkt_size, ++ dev->txbuf, NULL, NULL, NULL); ++ if (st != GRUB_EFI_SUCCESS) ++ return grub_error (GRUB_ERR_IO, ++ N_("couldn't send network packet")); ++ retry = 1; ++ grub_uint64_t limit_time = grub_get_time_ms () + 10000; ++ break; ++ } ++ return grub_error (GRUB_ERR_TIMEOUT, ++ N_("couldn't send network packet")); ++ } ++ } ++ ++ dev->last_pkt_size = (pack->tail - pack->data); ++ if (dev->last_pkt_size > dev->mtu) ++ dev->last_pkt_size = dev->mtu; ++ ++ grub_memcpy (dev->txbuf, pack->data, dev->last_pkt_size); ++ ++ st = efi_call_7 (net->transmit, net, 0, dev->last_pkt_size, ++ dev->txbuf, NULL, NULL, NULL); ++ if (st != GRUB_EFI_SUCCESS) ++ return grub_error (GRUB_ERR_IO, N_("couldn't send network packet")); ++ ++ /* ++ The card may have sent out the packet immediately - set txbusy ++ to 0 in this case. ++ Cases were observed where checking txbuf at the next call ++ of send_card_buffer() is too late: 0 is returned in txbuf and ++ we run in the GRUB_ERR_TIMEOUT case above. ++ Perhaps a timeout in the FW has discarded the recycle buffer. ++ */ ++ txbuf = NULL; ++ st = efi_call_3 (net->get_status, net, 0, &txbuf); ++ dev->txbusy = !(st == GRUB_EFI_SUCCESS && txbuf); ++ ++ return GRUB_ERR_NONE; ++} ++ + static struct grub_net_card_driver efidriver = + { + .name = "efinet", +-- +2.43.5 + diff --git a/SOURCES/bug37747175-0002-efinet-Correct-closing-of-SNP-protocol.patch b/SOURCES/bug37747175-0002-efinet-Correct-closing-of-SNP-protocol.patch new file mode 100644 index 0000000..7c67025 --- /dev/null +++ b/SOURCES/bug37747175-0002-efinet-Correct-closing-of-SNP-protocol.patch 
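Review bot: In the retry branch of send_card_buffer(), `grub_uint64_t limit_time = grub_get_time_ms () + 10000;` declares a new block-local variable that shadows the outer `limit_time`, so the deadline is never extended, and the `break` right after it leaves the polling loop while `dev->txbusy` is still set. The code then falls through to `grub_memcpy (dev->txbuf, ...)` and a second `transmit` on the buffer that was just handed to the firmware for the retransmit. The retransmit also uses `net`, which was read from `dev->efi_net` before `close_card ()`/`open_card ()`; re-reading it after the reopen would be safer. If the intent is to keep polling for the retransmitted packet, I would add `net = dev->efi_net;` after `open_card (dev)` and replace the last two statements of the branch with `limit_time = grub_get_time_ms () + 10000;` and `continue;`.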
@@ -0,0 +1,109 @@ +From a6e7b87e0c7c721a35016d7a1136b3c53cc8f981 Mon Sep 17 00:00:00 2001 +From: Fedora Ninjas +Date: Tue, 25 Mar 2025 18:43:28 +0000 +Subject: [PATCH 2/2] efinet: Correct closing of SNP protocol + + In the context of the implementation of the EFI_LOAD_FILE2_PROTOCOL for the initial ramdisk it + was observed that opening the SNP protocol failed. + https://lists.gnu.org/archive/html/grub-devel/2021-10/msg00020.html This is + due to an incorrect call to CloseProtocol(). + +The first parameter of CloseProtocol() is the handle, not the interface. + +We call OpenProtocol() with ControllerHandle == NULL. Hence we must also +call CloseProtcol() with ControllerHandel == NULL. + +Each call of OpenProtocol() for the same network card handle is expected to +return the same interface pointer. If we want to close the protocol which +we opened non-exclusively when searching for a card, we have to do this +before opening the protocol exclusively. + +As there is no guarantee that we successfully open the protocol add checks +in the transmit and receive functions. 
+ +Reported-by: Andreas Schwab +Signed-off-by: Heinrich Schuchardt +Reviewed-by: Daniel Kiper +Orabug: 34195100 +Orabug: 37747175 +Signed-off-by: Alex Burmashev +--- + grub-core/net/drivers/efi/efinet.c | 26 +++++++++++++++++++------- + 1 file changed, 19 insertions(+), 7 deletions(-) + +diff --git a/grub-core/net/drivers/efi/efinet.c b/grub-core/net/drivers/efi/efinet.c +index a8a1bfa..c1759cd 100644 +--- a/grub-core/net/drivers/efi/efinet.c ++++ b/grub-core/net/drivers/efi/efinet.c +@@ -47,6 +47,9 @@ get_card_packet (struct grub_net_card *dev) + struct grub_net_buff *nb; + int i; + ++ if (net == NULL) ++ return NULL; ++ + for (i = 0; i < 2; i++) + { + if (!dev->rcvbuf) +@@ -94,12 +97,19 @@ open_card (struct grub_net_card *dev) + { + grub_efi_simple_network_t *net; + ++ if (dev->efi_net != NULL) ++ { ++ efi_call_4 (grub_efi_system_table->boot_services->close_protocol, ++ dev->efi_handle, &net_io_guid, ++ grub_efi_image_handle, NULL); ++ dev->efi_net = NULL; ++ } + /* Try to reopen SNP exlusively to close any active MNP protocol instance + that may compete for packet polling + */ + net = grub_efi_open_protocol (dev->efi_handle, &net_io_guid, + GRUB_EFI_OPEN_PROTOCOL_BY_EXCLUSIVE); +- if (net) ++ if (net != NULL) + { + if (net->mode->state == GRUB_EFI_NETWORK_STOPPED + && efi_call_1 (net->start, net) != GRUB_EFI_SUCCESS) +@@ -138,13 +148,12 @@ open_card (struct grub_net_card *dev) + efi_call_6 (net->receive_filters, net, filters, 0, 0, 0, NULL); + } + +- efi_call_4 (grub_efi_system_table->boot_services->close_protocol, +- dev->efi_net, &net_io_guid, +- grub_efi_image_handle, dev->efi_handle); + dev->efi_net = net; ++ } else { ++ return grub_error (GRUB_ERR_NET_NO_CARD, "%s: can't open protocol", ++ dev->name); + } + +- /* If it failed we just try to run as best as we can */ + return GRUB_ERR_NONE; + } + +@@ -154,8 +163,8 @@ close_card (struct grub_net_card *dev) + efi_call_1 (dev->efi_net->shutdown, dev->efi_net); + efi_call_1 (dev->efi_net->stop, dev->efi_net); + 
efi_call_4 (grub_efi_system_table->boot_services->close_protocol, +- dev->efi_net, &net_io_guid, +- grub_efi_image_handle, dev->efi_handle); ++ dev->efi_handle, &net_io_guid, ++ grub_efi_image_handle, 0); + } + + static grub_err_t +@@ -169,6 +178,9 @@ send_card_buffer (struct grub_net_card *dev, + grub_err_t ret; + int retry = 0; + ++ if (net == NULL) ++ return grub_error (GRUB_ERR_IO, ++ N_("network protocol not available, can't send packet")); + if (dev->txbusy) + while (1) + { +-- +2.43.5 + diff --git a/SOURCES/grub.macros b/SOURCES/grub.macros index 966c079..71e2fdb 100755 --- a/SOURCES/grub.macros +++ b/SOURCES/grub.macros @@ -216,7 +216,7 @@ %ifarch x86_64 %global with_efi_common 1 -%global with_legacy_modules 0 +%global with_legacy_modules 1 %global with_legacy_common 0 %else %global with_efi_common 0 @@ -274,6 +274,13 @@ Requires: %{name}-common = %{evr} \ Requires: %{name}-tools-minimal >= %{evr} \ Requires: %{name}-tools = %{evr} \ Provides: %{name}-efi = %{evr} \ +Provides: oracle(grub2-sig-key) = 202502 \ +%{expand:%%ifarch x86_64 \ +Conflicts: shim-x64 < 15.8-1.0.4 \ +%%endif} \ +%{expand:%%ifarch aarch64 \ +Conflicts: shim-aa64 < 15.8-1.0.4 \ +%%endif} \ %{?legacy_provides:Provides: %{name} = %{evr}} \ %{-o:Obsoletes: %{name}-efi < %{evr}} \ \ @@ -372,7 +379,7 @@ install -m 644 %{1}.conf ${RPM_BUILD_ROOT}/etc/dnf/protected.d/ \ rm -f %{1}.conf \ %{nil} -%global grub_modules " all_video boot blscfg \\\ +%global grub_modules " all_video boot blscfg btrfs \\\ cat configfile cryptodisk \\\ echo ext2 f2fs fat font \\\ gcry_rijndael gcry_rsa gcry_serpent \\\ @@ -387,7 +394,7 @@ rm -f %{1}.conf \ search_label serial sleep syslinuxcfg \\\ test tftp version video xfs zstd " \ -%ifarch x86_64 aarch64 %{arm} riscv64 +%ifarch x86_64 aarch64 %{arm} %define efi_mkimage() \ %{4}./grub-mkimage -O %{1} -o %{2}.orig \\\ -p /EFI/%{efi_vendor} -d grub-core \\\ diff --git a/SOURCES/grub.patches b/SOURCES/grub.patches index 46fde57..4703062 100644 
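Review bot: close_card() still dereferences `dev->efi_net` unconditionally (`dev->efi_net->shutdown`), although this commit makes NULL a reachable state: open_card() now sets `dev->efi_net = NULL` before reopening and returns an error without restoring it. The NULL checks were added to get_card_packet() and send_card_buffer() but not here. I would start close_card() with `if (dev->efi_net == NULL) return;` and end it with `dev->efi_net = NULL;`, which also keeps open_card() from issuing a second `close_protocol` for a card that close_card() has already closed. Minor: close_card() passes `0` and open_card() passes `NULL` for the same last argument, and the new "%s: can't open protocol" string is not wrapped in `N_()` like the other messages shown.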
--- a/SOURCES/grub.patches +++ b/SOURCES/grub.patches @@ -461,3 +461,13 @@ Patch0461: 0461-fs-xfs-Fix-XFS-directory-extent-parsing.patch Patch0462: 0462-fs-xfs-Add-large-extent-counters-incompat-feature-su.patch Patch0463: 0463-fs-xfs-Handle-non-continuous-data-blocks-in-director.patch Patch0464: 0464-fs-xfs-fix-large-extent-counters-incompat-feature-su.patch +Patch0465: 0465-10_linux.in-escape-kernel-option-characters-properly.patch +Patch0466: 0466-blscfg-check-if-variable-is-escaped-before-consideri.patch +Patch1000: bug18504756-use-different-title-for-UEK.patch +Patch1001: bug26388226-update-redhat-references.patch +Patch1002: bug37747175-0001-efinet-Close-and-reopen-card-on-failure.patch +Patch1003: bug37747175-0002-efinet-Correct-closing-of-SNP-protocol.patch +Patch1004: bug37539625-0001-net-dns-Fix-removal-of-DNS-server.patch +Patch1005: bug37539625-0002-net-dns-Simplify-error-handling-of-recv_hook-functio.patch +Patch1006: bug37539625-0003-net-dns-Add-debugging-messages-in-recv_hook-function.patch +Patch1007: bug37539625-0004-net-dns-Fix-lookup-error-when-no-IPv6-is-returned.patch \ No newline at end of file diff --git a/SOURCES/sbat.csv.in b/SOURCES/sbat.csv.in index b338b5f..0ed2d67 100755 --- a/SOURCES/sbat.csv.in +++ b/SOURCES/sbat.csv.in @@ -1,3 +1,4 @@ sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md -grub,3,Free Software Foundation,grub,@@VERSION@@,https//www.gnu.org/software/grub/ +grub,3,Free Software Foundation,grub,@@VERSION@@,https://www.gnu.org/software/grub/ grub.rh,2,Red Hat,grub2,@@VERSION_RELEASE@@,mailto:secalert@redhat.com +grub.ol9,3,Oracle Linux,grub2,@@VERSION@@,mail:secalert_us@oracle.com diff --git a/SPECS/grub2.spec b/SPECS/grub2.spec index e5a0bd0..183c076 100644 --- a/SPECS/grub2.spec +++ b/SPECS/grub2.spec 
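Review bot: The new `grub.ol9` entry in sbat.csv.in gives its contact as `mail:secalert_us@oracle.com`, while the Red Hat entry directly above uses the `mailto:` scheme; `mail:` is presumably a typo and should read `mailto:secalert_us@oracle.com`. The entry also fills the version field with `@@VERSION@@` where the `grub.rh` line uses `@@VERSION_RELEASE@@`, so the downstream release would not be recorded in the SBAT data; worth confirming that this is intended.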
@@ -16,7 +16,7 @@ Name: grub2 Epoch: 1 Version: 2.06 -Release: 104%{?dist} +Release: 105.0.1%{?dist} Summary: Bootloader with support for Linux, Multiboot and more License: GPLv3+ URL: http://www.gnu.org/software/grub/ @@ -38,21 +38,21 @@ Source12: sbat.csv.in %include %{SOURCE1} %ifarch x86_64 aarch64 ppc64le -%define sb_ca %{_datadir}/pki/sb-certs/secureboot-ca-%{_arch}.cer -%define sb_cer %{_datadir}/pki/sb-certs/secureboot-grub2-%{_arch}.cer +%define sb_ca %{SOURCE14} +%define sb_cer %{SOURCE14} %endif %if 0%{?centos} %ifarch x86_64 aarch64 ppc64le -%define sb_key centossecureboot202 +%define sb_key OracleLinuxSecureBootKey1 %endif %else %ifarch x86_64 aarch64 -%define sb_key redhatsecureboot502 +%define sb_key OracleLinuxSecureBootKey1 %endif %ifarch ppc64le -%define sb_key redhatsecureboot702 +%define sb_key OracleLinuxSecureBootKey1 %endif %endif 
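Review bot: In the second hunk `sb_ca` and `sb_cer` are both set to `%{SOURCE14}`, so the CA certificate and the signing certificate resolve to the same file. If that is deliberate, a comment above the two `%define` lines should say so, e.g. `# Source14 serves as both the CA and the grub2 signing certificate`; otherwise one of them points at the wrong source. No `Source14:` line is visible in this diff (the hunk header shows `Source12: sbat.csv.in`), so it is presumably declared in unchanged text. With every branch now defining `sb_key` as `OracleLinuxSecureBootKey1`, the `%if 0%{?centos}` / `%ifarch` nesting no longer selects anything and could be reduced to a single `%define` under one `%ifarch`.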
@@ -547,6 +547,48 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg %endif %changelog +* Fri Oct 31 2025 Alex Burmashev - 2.06-105.0.1 +- Update grub2 dependencies to match new Secure Boot certificate chain of trust [Orabug: 37766761] +- Fix typo in SBAT metadata [Orabug: 37693946] +- Allow installation of grub2 only with shim-aa64 that allows booting it [Orabug: 37693946] +- net/dns: Fix removal of DNS server [Orabug: 37539625] +- net/dns: Simplify error handling of recv_hook() function [Orabug: 37539625] +- net/dns: Add debugging messages in recv_hook() function [Orabug: 37539625] +- net/dns: Fix lookup error when no IPv6 is returned [Orabug: 37539625] +- efinet: close and reopen network card on failure [Orabug: 35126950], [Orabug: 37747175] +- efinet: Correct closing of SNP protocol [Orabug: 35126950], [Orabug: 37747175] +- Rework the scripts to cover both in-place upgrade and update scenarios [Orabug: 36768566] +- Restore correct order of processing config files [Orabug: 36758359] +- Support setting custom kernels as default kernels [Orabug: 36043978] +- Bump SBAT metadata for grub to 3 [Orabug: 34872719] +- Fix CVE-2022-3775 [Orabug: 34871953] +- Enable signing for aarch64 EFI +- Fix signing certificate names +- Enable back btrfs grub module for EFI pre-built image [Orabug: 34360986] +- Replaced bugzilla.oracle.com references [Orabug: 34202300] +- Update provided certificate version to 202204 [JIRA: OLDIS-16371] +- Various coverity fixes [JIRA: OLDIS-16371] +- bump SBAT generation +- Update bug url [Orabug: 34202300] +- Revert provided certificate version back to 202102 [JIRA: OLDIS-16371] +- Update signing certificate [JIRA: OLDIS-16371] +- fix SBAT data [JIRA: OLDIS-16371] +- Update requires [JIRA: OLDIS-16371] +- Rebuild for SecureBoot signatures [Orabug: 33801813] +- Do not add shim and grub certificate deps for aarch64 packages [Orabug: 32670033] +- Update Oracle SBAT data [Orabug: 32670033] +- Use new signing certificate [Orabug: 32670033] +- honor 
/etc/sysconfig/kernel DEFAULTKERNEL setting for BLS [Orabug: 30643497] +- set EFIDIR as redhat for additional grub2 tools [Orabug: 29875597] +- Update upstream references [Orabug: 26388226] +- Insert Unbreakable Enterprise Kernel text into BLS config file [Orabug: 29417955] +- Put "with" in menuentry instead of "using" [Orabug: 18504756] +- Use different titles for UEK and RHCK kernels [Orabug: 18504756] + +* Wed Sep 03 2025 Leo Sandoval 2.06-105 +- Handle special kernel parameter characters properly +- Resolves: #RHEL-111748 + * Thu Apr 3 2025 Nicolas Frayer 2.06-104 - fs/xfs: Sync with latest xfs upstream - Resolves: #RHEL-85960