diff --git a/SOURCES/grub.macros b/SOURCES/grub.macros index 5863037..168223f 100644 --- a/SOURCES/grub.macros +++ b/SOURCES/grub.macros @@ -74,6 +74,7 @@ %global emuarch %{_arch} %global grubefiarch %{nil} %global grublegacyarch %{nil} +%global grubelfname %{nil} # sparc is always compiled 64 bit %ifarch %{sparc} @@ -113,11 +114,20 @@ %{!?with_efi_only:%global without_efi_only 0} %{?with_efi_only:%global without_efi_only 1} -### fixme +%ifarch %{efi_arch} +%global efi_modules " efi_netfs efifwsetup efinet lsefi lsefimmap " +%endif + +%ifarch x86_64 %{ix86} +%global platform_modules " backtrace chain tpm usb usbserial_common usbserial_pl2303 usbserial_ftdi usbserial_usbdebug keylayouts at_keyboard " +%endif + +%ifarch ppc64le +%global platform_modules " appendedsig " +%endif + %ifarch aarch64 %{arm} riscv64 -%global efi_modules " " -%else -%global efi_modules " backtrace chain tpm usb usbserial_common usbserial_pl2303 usbserial_ftdi usbserial_usbdebug keylayouts at_keyboard " +%global platform_modules " " %endif %ifarch aarch64 %{arm} riscv64 @@ -217,6 +227,7 @@ %global with_legacy_arch 1 %global grublegacyarch %{legacy_target_cpu_name}-%{platform} %global moduledir %{legacy_target_cpu_name}-%{platform} +%global grubelfname core.elf %endif %global evr %{epoch}:%{version}-%{release} 
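Review bot: `efi_modules` and `platform_modules` are now defined only inside `%ifarch` blocks, with no default for an architecture that none of the blocks match. RPM leaves an undefined macro as literal text, so a later `GRUB_MODULES+=%{platform_modules}` would hand the string `%{platform_modules}` to grub-mkimage instead of failing clearly. The first hunk of this file already gives `grubelfname` a `%{nil}` default. Adding `%global efi_modules %{nil}` and `%global platform_modules %{nil}` ahead of the `%ifarch` blocks would keep the module list of the signed image explicit. Whether such an architecture ever reaches the image-building macros is not visible in this hunk.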
@@ -378,55 +389,98 @@ install -m 644 %{1}.conf ${RPM_BUILD_ROOT}/etc/dnf/protected.d/ \ rm -f %{1}.conf \ %{nil} +%global grub_modules " all_video boot blscfg btrfs \\\ + cat configfile cryptodisk \\\ + echo ext2 f2fs fat font \\\ + gcry_rijndael gcry_rsa gcry_serpent \\\ + gcry_sha256 gcry_twofish gcry_whirlpool \\\ + gfxmenu gfxterm gzio \\\ + halt hfsplus http increment iso9660 \\\ + jpeg loadenv loopback linux lvm luks \\\ + luks2 mdraid09 mdraid1x minicmd net \\\ + normal part_apple part_msdos part_gpt \\\ + password_pbkdf2 pgp png reboot regexp \\\ + search search_fs_uuid search_fs_file \\\ + search_label serial sleep syslinuxcfg \\\ + test tftp version video xfs zstd " \ + %ifarch x86_64 aarch64 %{arm} riscv64 -%define mkimage() \ +%define efi_mkimage() \ %{4}./grub-mkimage -O %{1} -o %{2}.orig \\\ - -p /EFI/%{efi_vendor} -d grub-core ${GRUB_MODULES} \\\ - --sbat %{4}./sbat.csv \ + -p /EFI/%{efi_vendor} -d grub-core \\\ + --sbat %{4}./sbat.csv \\\ + ${GRUB_MODULES} \ %{4}./grub-mkimage -O %{1} -o %{3}.orig \\\ - -p /EFI/BOOT -d grub-core ${GRUB_MODULES} \\\ - --sbat %{4}./sbat.csv \ + -p /EFI/BOOT -d grub-core \\\ + --sbat %{4}./sbat.csv \\\ + ${GRUB_MODULES} \ %{expand:%%define ___pesign_client_cert %{?___pesign_client_cert}%{!?___pesign_client_cert:%{__pesign_client_cert}}} \ %{?__pesign_client_cert:%{expand:%%define __pesign_client_cert %{___pesign_client_cert}}} \ %{expand:%%{pesign -s -i %%{2}.orig -o %%{2}.onesig -a %%{5} -c %%{6} -n %%{7}}} \ %{expand:%%{pesign -s -i %%{3}.orig -o %%{3}.onesig -a %%{5} -c %%{6} -n %%{7}}} \ %{expand:%%define __pesign_client_cert %{name}-signer} \ -%{expand:%%{pesign -s -i %%{2}.onesig -o %%{2} -a %%{5} -c %%{6} -n %%{7}}} \ -%{expand:%%{pesign -s -i %%{3}.onesig -o %%{3} -a %%{5} -c %%{6} -n %%{7}}} \ +%{expand:%%{pesign -s -i %%{2}.onesig -o %%{2} -a %%{8} -c %%{9} -n %%{10}}} \ +%{expand:%%{pesign -s -i %%{3}.onesig -o %%{3} -a %%{8} -c %%{9} -n %%{10}}} \ %{nil} %else -%define mkimage() \ +%define efi_mkimage() \ 
%{4}./grub-mkimage -O %{1} -o %{2} \\\ - -p /EFI/%{efi_vendor} -d grub-core ${GRUB_MODULES} \ + -p /EFI/%{efi_vendor} -d grub-core \\\ + ${GRUB_MODULES} \ %{4}./grub-mkimage -O %{1} -o %{3} \\\ - -p /EFI/BOOT -d grub-core ${GRUB_MODULES} \ + -p /EFI/BOOT -d grub-core \\\ + ${GRUB_MODULES} \ +%{nil} +%endif + +%ifarch ppc64le +%define ieee1275_mkimage() \ +APPENDED_SIG_SIZE=0 \ +if [ -x /usr/bin/rpm-sign ]; then \ + touch empty.unsigned \ + rpm-sign --key %{5} \\\ + --lkmsign empty.unsigned \\\ + --output empty.signed \ + APPENDED_SIG_SIZE="$(stat -c '%s' empty.signed)" \ + rm empty.{un,}signed \ +fi \ +# FIXME: using this prefix is fragile, must be done properly \ +./grub-mkimage -O %{1} -o %{2}.orig \\\ + -p '/grub2' -d grub-core \\\ + -x %{3} -x %{4} \\\ + --appended-signature-size ${APPENDED_SIG_SIZE} \\\ + ${GRUB_MODULES} \ +if [ -x /usr/bin/rpm-sign ]; then \ + truncate -s -${APPENDED_SIG_SIZE} %{2}.orig \ + rpm-sign --key %{5} \\\ + --lkmsign %{2}.orig \\\ + --output %{2} \ +else \ + mv %{2}.orig %{2} \ +fi \ %{nil} %endif %define do_efi_build_images() \ -GRUB_MODULES=" all_video boot blscfg btrfs \\\ - cat configfile cryptodisk \\\ - echo efi_netfs efifwsetup efinet ext2 f2fs \\\ - fat font gcry_rijndael gcry_rsa gcry_serpent \\\ - gcry_sha256 gcry_twofish gcry_whirlpool \\\ - gfxmenu gfxterm gzio \\\ - halt hfsplus http increment iso9660 jpeg \\\ - loadenv loopback linux lvm lsefi lsefimmap luks \\\ - luks2 mdraid09 mdraid1x minicmd net \\\ - normal part_apple part_msdos part_gpt \\\ - password_pbkdf2 pgp png reboot \\\ - regexp search search_fs_uuid search_fs_file \\\ - search_label serial sleep syslinuxcfg test tftp \\\ - version video xfs zstd " \ +GRUB_MODULES+=%{grub_modules} \ GRUB_MODULES+=%{efi_modules} \ -%{expand:%%{mkimage %{1} %{2} %{3} %{4}}} \ +GRUB_MODULES+=%{platform_modules} \ +%{expand:%%{efi_mkimage %{1} %{2} %{3} %{4} %{5} %{6} %{7} %{8} %{9} %{10}}} \ +%{nil} + +%define do_ieee1275_build_images() \ +GRUB_MODULES+=%{grub_modules} \ 
+GRUB_MODULES+=%{platform_modules} \ +cd grub-%{1}-%{tarversion} \ +%{expand:%%ieee1275_mkimage %%{1} %%{2} %%{3} %%{4} %%{5}} \ +cd .. \ %{nil} %define do_primary_efi_build() \ cd grub-%{1}-%{tarversion} \ %{expand:%%do_efi_configure %%{4} %%{5} %%{6}} \ %do_efi_build_all \ -%{expand:%%do_efi_build_images %{grub_target_name} %{2} %{3} ./ } \ +%{expand:%%do_efi_build_images %{grub_target_name} %{2} %{3} ./ %{7} %{8} %{9} %{10} %{11} %{12}} \ cd .. \ %{nil} @@ -435,7 +489,7 @@ cd grub-%{1}-%{tarversion} \ %{expand:%%do_efi_configure %%{4} %%{5} %%{6}} \ %do_efi_build_modules \ %{expand:%%do_efi_link_utils %{grubefiarch}} \ -%{expand:%%do_efi_build_images %{alt_grub_target_name} %{2} %{3} ../grub-%{grubefiarch}-%{tarversion}/ } \ +%{expand:%%do_efi_build_images %{alt_grub_target_name} %{2} %{3} ../grub-%{grubefiarch}-%{tarversion}/ %{7} %{8} %{9} %{10} %{11} %{12}} \ cd .. \ %{nil} @@ -534,6 +588,9 @@ fi \ if [ -f $RPM_BUILD_ROOT%{_infodir}/grub-dev.info ]; then \ rm -f $RPM_BUILD_ROOT%{_infodir}/grub-dev.info \ fi \ +%{expand:%ifarch ppc64le \ + install -m 700 %{grubelfname} $RPM_BUILD_ROOT/%{_libdir}/grub/%{1} \ +%endif} \ if [ -f $RPM_BUILD_ROOT/%{_libdir}/grub/%{1}/%{name}.chrp ]; then \ mv $RPM_BUILD_ROOT/%{_libdir}/grub/%{1}/%{name}.chrp \\\ $RPM_BUILD_ROOT/%{_libdir}/grub/%{1}/%{name}.chrp \ 
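Review bot: In `do_efi_build_images` and `do_ieee1275_build_images` the first assignment is now `GRUB_MODULES+=%{grub_modules}`, where the old code began with a plain `GRUB_MODULES=" all_video ...`. The variable is therefore never reset, so whatever it already holds is carried into the module list of an image that is then signed. That content could come from the build environment or from an earlier image build in the same shell; the spec appears to run the primary and alternate EFI builds in one %build script. Starting each macro with `GRUB_MODULES=%{grub_modules}` and keeping `+=` for the following lines restores a deterministic list.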
@@ -593,12 +650,19 @@ ln -s ../boot/%{name}/grub.cfg \\\ %ghost %config(noreplace) /boot/%{name}/grub.cfg \ %dir %attr(0700,root,root)/boot/loader/entries \ %attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/%{name}-%{1}.conf \ +%ifarch ppc64le \ +%dir %{_libdir}/grub/%{2}/ \ +%{_libdir}/grub/%{2}/%{grubelfname} \ +%endif \ \ %{expand:%if 0%{?with_legacy_modules} \ %{expand:%%files %{1}-modules} \ %defattr(-,root,root) \ %dir %{_libdir}/grub/%{2}/ \ %{_libdir}/grub/%{2}/* \ +%ifarch ppc64le \ +%exclude %{_libdir}/grub/%{2}/%{grubelfname} \ +%endif \ %exclude %{_libdir}/grub/%{2}/*.module \ %exclude %{_libdir}/grub/%{2}/{boot,boot_hybrid,cdboot,diskboot,lzma_decompress,pxeboot}.image \ %exclude %{_libdir}/grub/%{2}/*.o \ diff --git a/SOURCES/redhatsecureboot301.cer b/SOURCES/redhatsecureboot301.cer new file mode 100644 index 0000000..4ff8b79 Binary files /dev/null and b/SOURCES/redhatsecureboot301.cer differ diff --git a/SOURCES/redhatsecureboot303.cer b/SOURCES/redhatsecureboot303.cer new file mode 100644 index 0000000..2c0087d Binary files /dev/null and b/SOURCES/redhatsecureboot303.cer differ diff --git a/SOURCES/redhatsecureboot502.cer b/SOURCES/redhatsecureboot502.cer new file mode 100644 index 0000000..be0b5e2 Binary files /dev/null and b/SOURCES/redhatsecureboot502.cer differ diff --git a/SOURCES/redhatsecureboot601.cer b/SOURCES/redhatsecureboot601.cer new file mode 100644 index 0000000..c92b96b Binary files /dev/null and b/SOURCES/redhatsecureboot601.cer differ diff --git a/SOURCES/redhatsecurebootca3.cer b/SOURCES/redhatsecurebootca3.cer new file mode 100644 index 0000000..b235400 Binary files /dev/null and b/SOURCES/redhatsecurebootca3.cer differ diff --git a/SOURCES/redhatsecurebootca5.cer b/SOURCES/redhatsecurebootca5.cer new file mode 100644 index 0000000..dfb0284 Binary files /dev/null and b/SOURCES/redhatsecurebootca5.cer differ diff --git a/SPECS/grub2.spec b/SPECS/grub2.spec index 4ad3926..f5ee3a2 100644 --- a/SPECS/grub2.spec 
+++ b/SPECS/grub2.spec @@ -14,7 +14,7 @@ Name: grub2 Epoch: 1 Version: 2.06 -Release: 13%{?dist} +Release: 16%{?dist} Summary: Bootloader with support for Linux, Multiboot and more License: GPLv3+ URL: http://www.gnu.org/software/grub/ @@ -32,9 +32,30 @@ Source9: strtoull_test.c Source10: 20-grub.install Source11: grub.patches Source12: sbat.csv.in +Source13: redhatsecurebootca3.cer +Source14: redhatsecureboot301.cer +Source15: redhatsecurebootca5.cer +Source16: redhatsecureboot502.cer +Source17: redhatsecureboot303.cer +Source18: redhatsecureboot601.cer %include %{SOURCE1} +%if 0%{with_efi_arch} +%define old_sb_ca %{SOURCE13} +%define old_sb_cer %{SOURCE14} +%define old_sb_key redhatsecureboot301 +%define sb_ca %{SOURCE15} +%define sb_cer %{SOURCE16} +%define sb_key redhatsecureboot502 +%endif + +%ifarch ppc64le +%define old_sb_cer %{SOURCE17} +%define sb_cer %{SOURCE18} +%define sb_key redhatsecureboot602 +%endif + BuildRequires: gcc efi-srpm-macros BuildRequires: flex bison binutils python3 BuildRequires: ncurses-devel xz-devel bzip2-devel 
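Review bot: In the `%ifarch ppc64le` block `sb_cer` points at Source18, `redhatsecureboot601.cer`, while `sb_key` is `redhatsecureboot602`. The EFI block pairs certificate and key by number (`redhatsecureboot502.cer` with `redhatsecureboot502`, `redhatsecureboot301.cer` with `redhatsecureboot301`). In grub.macros the certificates go to grub-mkimage with `-x` and the key name goes to `rpm-sign --key`, so the two may legitimately differ, but nothing in the spec says so. If the difference is intended, a comment next to the define, for example `# signing key differs from the embedded certificate on purpose`, would settle it. If it is not, `sb_key` should read `redhatsecureboot601`.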
@@ -192,10 +213,10 @@ git commit -m "After making subdirs" %build %if 0%{with_efi_arch} -%{expand:%do_primary_efi_build %%{grubefiarch} %%{grubefiname} %%{grubeficdname} %%{_target_platform} %%{efi_target_cflags} %%{efi_host_cflags}} +%{expand:%do_primary_efi_build %%{grubefiarch} %%{grubefiname} %%{grubeficdname} %%{_target_platform} %%{efi_target_cflags} %%{efi_host_cflags} %{old_sb_ca} %{old_sb_cer} %{old_sb_key} %{sb_ca} %{sb_cer} %{sb_key}} %endif %if 0%{with_alt_efi_arch} -%{expand:%do_alt_efi_build %%{grubaltefiarch} %%{grubaltefiname} %%{grubalteficdname} %%{_alt_target_platform} %%{alt_efi_target_cflags} %%{alt_efi_host_cflags}} +%{expand:%do_alt_efi_build %%{grubaltefiarch} %%{grubaltefiname} %%{grubalteficdname} %%{_alt_target_platform} %%{alt_efi_target_cflags} %%{alt_efi_host_cflags} %{old_sb_ca} %{old_sb_cer} %{old_sb_key} %{sb_ca} %{sb_cer} %{sb_key}} %endif %if 0%{with_legacy_arch} %{expand:%do_legacy_build %%{grublegacyarch}} @@ -203,6 +224,9 @@ git commit -m "After making subdirs" %if 0%{with_emu_arch} %{expand:%do_emu_build} %endif +%ifarch ppc64le +%{expand:%do_ieee1275_build_images %%{grublegacyarch} %{grubelfname} %{old_sb_cer} %{sb_cer} %{sb_key}} +%endif makeinfo --info --no-split -I docs -o docs/grub-dev.info \ docs/grub-dev.texi makeinfo --info --no-split -I docs -o docs/grub.info \ 
@@ -523,21 +547,49 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg %endif %changelog -* Fri Nov 19 2021 Robbie Harwood - 2.06-13 -- Rebuild for gating; no code changes +* Tue Jan 04 2021 Robbie Harwood - 2.06-16 +- Stop having this problem and just copy over the beta tree - Resolves: rhbz#2006784 -* Tue Oct 26 2021 Robbie Harwood - 2.06-12 -- Sync with beta changes (version jump because our process is bad) - Resolves: rhbz#2006784 +* Mon Oct 25 2021 Robbie Harwood +- powerpc-ieee1275: load grub at 4MB, not 2MB + Related: rhbz#1873860 + +* Tue Oct 12 2021 Robbie Harwood +- Print out module name on license check failure + Related: rhbz#1873860 + +* Thu Oct 07 2021 pjones +- Hopefully make "grub2-mkimage --appended-signature-size=" actually work. + Related: rhbz#1873860 + +* Thu Oct 07 2021 Peter Jones - 2.06-8 +- Attempt once more to fix signatures on ppc64le + Related: rhbz#1873860 + +* Tue Oct 05 2021 Peter Jones - 2.06-7 +- Fix signatures on ppc64le + Related: rhbz#1951104 + +* Tue Oct 05 2021 Robbie Harwood - 2.06-6 +- Fix booting with XFSv4 partitions + Resolves: rhbz#2006993 + +* Thu Sep 30 2021 Peter Jones - 2.06-5 +- Rebuild for correct signatures once more. + Resolves: rhbz#1976771 + +* Thu Sep 30 2021 Peter Jones - 2.06-4 +- Rebuild for correct signatures + Resolves: rhbz#1976771 * Mon Sep 27 2021 Robbie Harwood - 2.06-3 - Rebuild for gating + rpminspect - Resolves: rhbz#2006784 + Resolves: rhbz#1976771 * Wed Sep 22 2021 Robbie Harwood - 2.06-2 - Rebuild because our CI infrastructure doesn't work right - Resolves: rhbz#2006784 + Resolves: rhbz#1976771 * Tue Aug 31 2021 Javier Martinez Canillas - 2.06-1 - Update to 2.06 final release and ton of fixes