Revert OL modifications

20-grub.install

@@ -6,7 +6,6 @@ fi
 
 [[ -f /etc/default/grub ]] && . /etc/default/grub
 [[ -f /etc/os-release ]] && . /etc/os-release
-[[ -f /etc/sysconfig/kernel ]] && . /etc/sysconfig/kernel
 
 COMMAND="$1"
 KERNEL_VERSION="$2"
@@ -42,14 +41,8 @@ mkbls() {
         fi
     fi
 
-    if [[ $kernelver =~ uek ]]; then
-        local ver_stanza="$kernelver with Unbreakable Enterprise Kernel"
-    else
-        local ver_stanza="$kernelver"
-    fi
-
     cat <<EOF
-title ${NAME} (${ver_stanza}) ${VERSION}${debugname}
+title ${NAME} (${kernelver}) ${VERSION}${debugname}
 version ${kernelver}${debugid}
 linux /vmlinuz-${kernelver}
 initrd /initramfs-${kernelver}.img
@@ -124,7 +117,6 @@ case "$COMMAND" in
                 done
             fi
 
-            KERNEL_NAME="$(rpm -q --queryformat %{NAME} $(rpm -qf $KERNEL_IMAGE))"
             eval "$(grub2-get-kernel-settings)" || true
             [[ -d "$BLS_DIR" ]] || mkdir -m 0700 -p "$BLS_DIR"
             BLS_ID="${MACHINE_ID}-${KERNEL_VERSION}"
@@ -150,7 +142,11 @@ case "$COMMAND" in
                 sed -i -e "s,^initrd.*,initrd ${BOOTPREFIX}${INITRD},g" "${BLS_TARGET}"
             fi
 
-            if [[ "$KERNEL_VERSION" == *\+* ]] && [ "x$GRUB_DEFAULT_TO_DEBUG" != "xtrue" ]; then
+            if ( [[ "$KERNEL_VERSION" != *${GRUB_DEFAULT_KERNEL_TYPE}* ]] && \
+                     [ "x$GRUB_NON_STANDARD_KERNEL" == "xtrue" ] ) || \
+                   ( echo "$KERNEL_VERSION" | grep -E -q "64k|auto|rt|uki" && \
+                     [ "x$GRUB_NON_STANDARD_KERNEL" != "xtrue" ] ) || \
+                   ( [[ "$KERNEL_VERSION" == *debug* ]] && [ "x$GRUB_DEFAULT_TO_DEBUG" != "xtrue" ] ); then
                 GRUB_UPDATE_DEFAULT_KERNEL=false
             fi
 
@@ -169,7 +165,7 @@ case "$COMMAND" in
                     NEWDEFAULT="${BLS_DEBUG_ID}"
                 fi
             fi
-            if [ -n "$NEWDEFAULT" ] && [ "$DEFAULTKERNEL" = "$KERNEL_NAME" ]; then
+            if [ -n "$NEWDEFAULT" ]; then
                 grub2-editenv - set "saved_entry=${NEWDEFAULT}"
             fi
 

bug18504756-use-different-title-for-UEK.patch

@@ -1,30 +0,0 @@
-From fd04ca689f52d8bbef13413b4d285c9ba4d0f038 Mon Sep 17 00:00:00 2001
-From: build team <natalya.naumova@oracle.com>
-Date: Tue, 18 Dec 2018 13:22:12 -0800
-Subject: [PATCH 1/1] Use different menuentries for UEK kernel
-
----
- util/grub.d/10_linux.in | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in
-index b54d277..fe8b20f 100644
---- a/util/grub.d/10_linux.in
-+++ b/util/grub.d/10_linux.in
-@@ -173,7 +173,12 @@ EOF
-   fi
- 
-   if [ x$type != xsimple ] ; then
--      title=$(mktitle "$type" "$version")
-+      if echo "$version" | grep -q uek; then
-+          kernel_type_text="with Unbreakable Enterprise Kernel"
-+      else
-+          kernel_type_text="with Linux"
-+      fi
-+      title=$(mktitle "$type" "$version $kernel_type_text")
-       if [ x"$title" = x"$GRUB_ACTUAL_DEFAULT" ] || [ x"Previous Linux versions>$title" = x"$GRUB_ACTUAL_DEFAULT" ]; then
- 	  replacement_title="$(echo "Advanced options for ${OS}" | sed 's,>,>>,g')>$(echo "$title" | sed 's,>,>>,g')"
- 	  quoted="$(echo "$GRUB_ACTUAL_DEFAULT" | grub_quote)"
--- 
-1.8.3.1
-

bug26388226-update-redhat-references.patch

@@ -1,25 +0,0 @@
-From 05bfbf0b086ed14ea9311e2406d775c2562a826d Mon Sep 17 00:00:00 2001
-From: livy.ge <livy.ge@oracle.com>
-Date: Wed, 5 Jul 2017 03:53:48 -0700
-Subject: [PATCH] update bug url
-
----
- util/grub-set-password.in |    2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-diff --git a/util/grub-set-password.in b/util/grub-set-password.in
-index d7924af..2f182b8 100755
---- a/util/grub-set-password.in
-+++ b/util/grub-set-password.in
-@@ -25,7 +25,7 @@ located by default at ${grubdir}.
-   -v, --version                  print the version information and exit
-   -o, --output_path <DIRECTORY>  put user.cfg in a user-selected directory
- 
--Report bugs at https://bugzilla.redhat.com.
-+Report bugs at https://github.com/oracle/oracle-linux .
- EOF
- }
- 
--- 
-1.7.4.1
-

bug37808688-efinet-Close-and-reopen-card-on-failure.patch

@@ -1,191 +0,0 @@
-From 4d2d00c8b9c2954a9a1f6bec57de8477366c7d42 Mon Sep 17 00:00:00 2001
-From: Alex Burmashev <alexander.burmashev@oracle.com>
-Date: Thu, 17 Apr 2025 11:11:30 +0000
-Subject: [PATCH] efinet: Close and reopen card on failure
-
-There are some known bugs with network adapter firmware implementations,
-that may lead to intermittent problem of network adapter link being down, despite network
-being set up.
-Ultimate fix of this issue should be done on firmware side, but as for now we try to close
-and reopen network adapter and retransmit packet in case we see failures.
-
-Without this fix certain amount of PXE boots fails with inability to transmit packet, with this fix,
-such failures are not seen.
-
-Orabug: 35126950
-Orabug: 37808688
-Signed-off-by: Alex Burmashev <alexander.burmashev@oracle.com>
----
- grub-core/net/drivers/efi/efinet.c | 149 ++++++++++++++++-------------
- 1 file changed, 85 insertions(+), 64 deletions(-)
-
-diff --git a/grub-core/net/drivers/efi/efinet.c b/grub-core/net/drivers/efi/efinet.c
-index 4591d07..cb97a9e 100644
---- a/grub-core/net/drivers/efi/efinet.c
-+++ b/grub-core/net/drivers/efi/efinet.c
-@@ -37,70 +37,6 @@ static grub_guid_t pxe_io_guid = GRUB_EFI_PXE_GUID;
- static grub_guid_t ip4_config_guid = GRUB_EFI_IP4_CONFIG2_PROTOCOL_GUID;
- static grub_guid_t ip6_config_guid = GRUB_EFI_IP6_CONFIG_PROTOCOL_GUID;
- 
--static grub_err_t
--send_card_buffer (struct grub_net_card *dev,
--		  struct grub_net_buff *pack)
--{
--  grub_efi_status_t st;
--  grub_efi_simple_network_t *net = dev->efi_net;
--  grub_uint64_t limit_time = grub_get_time_ms () + 4000;
--  void *txbuf;
--
--  if (net == NULL)
--    return grub_error (GRUB_ERR_IO,
--		       N_("network protocol not available, can't send packet"));
--  if (dev->txbusy)
--    while (1)
--      {
--	txbuf = NULL;
--	st = net->get_status (net, 0, &txbuf);
--	if (st != GRUB_EFI_SUCCESS)
--	  return grub_error (GRUB_ERR_IO,
--			     N_("couldn't send network packet"));
--	/*
--	   Some buggy firmware could return an arbitrary address instead of the
--	   txbuf address we trasmitted, so just check that txbuf is non NULL
--	   for success.  This is ok because we open the SNP protocol in
--	   exclusive mode so we know we're the only ones transmitting on this
--	   box and since we only transmit one packet at a time we know our
--	   transmit was successfull.
--	 */
--	if (txbuf)
--	  {
--	    dev->txbusy = 0;
--	    break;
--	  }
--	if (limit_time < grub_get_time_ms ())
--	  return grub_error (GRUB_ERR_TIMEOUT,
--			     N_("couldn't send network packet"));
--      }
--
--  dev->last_pkt_size = (pack->tail - pack->data);
--  if (dev->last_pkt_size > dev->mtu)
--    dev->last_pkt_size = dev->mtu;
--
--  grub_memcpy (dev->txbuf, pack->data, dev->last_pkt_size);
--
--  st = net->transmit (net, 0, dev->last_pkt_size,
--		      dev->txbuf, NULL, NULL, NULL);
--  if (st != GRUB_EFI_SUCCESS)
--    return grub_error (GRUB_ERR_IO, N_("couldn't send network packet"));
--
--  /*
--     The card may have sent out the packet immediately - set txbusy
--     to 0 in this case.
--     Cases were observed where checking txbuf at the next call
--     of send_card_buffer() is too late: 0 is returned in txbuf and
--     we run in the GRUB_ERR_TIMEOUT case above.
--     Perhaps a timeout in the FW has discarded the recycle buffer.
--   */
--  txbuf = NULL;
--  st = net->get_status (net, 0, &txbuf);
--  dev->txbusy = !(st == GRUB_EFI_SUCCESS && txbuf);
--
--  return GRUB_ERR_NONE;
--}
--
- static struct grub_net_buff *
- get_card_packet (struct grub_net_card *dev)
- {
-@@ -228,6 +164,91 @@ close_card (struct grub_net_card *dev)
-   grub_efi_close_protocol (dev->efi_handle, &net_io_guid);
- }
- 
-+static grub_err_t
-+send_card_buffer (struct grub_net_card *dev,
-+		  struct grub_net_buff *pack)
-+{
-+  grub_efi_status_t st;
-+  grub_efi_simple_network_t *net = dev->efi_net;
-+  grub_uint64_t limit_time = grub_get_time_ms () + 4000;
-+  void *txbuf;
-+  grub_err_t ret;
-+  int retry = 0;
-+
-+  if (net == NULL)
-+    return grub_error (GRUB_ERR_IO,
-+		       N_("network protocol not available, can't send packet"));
-+  if (dev->txbusy)
-+    while (1)
-+      {
-+	txbuf = NULL;
-+	st = net->get_status (net, 0, &txbuf);
-+	if (st != GRUB_EFI_SUCCESS)
-+	  return grub_error (GRUB_ERR_IO,
-+			     N_("couldn't send network packet"));
-+	/*
-+	   Some buggy firmware could return an arbitrary address instead of the
-+	   txbuf address we trasmitted, so just check that txbuf is non NULL
-+	   for success.  This is ok because we open the SNP protocol in
-+	   exclusive mode so we know we're the only ones transmitting on this
-+	   box and since we only transmit one packet at a time we know our
-+	   transmit was successfull.
-+	 */
-+	if (txbuf)
-+	  {
-+	    dev->txbusy = 0;
-+	    break;
-+	  }
-+	if (limit_time < grub_get_time_ms ())
-+	{
-+	  if (!retry)
-+	    {
-+	      close_card (dev);
-+	      grub_millisleep (100);
-+	      ret = open_card (dev);
-+	      if (ret != GRUB_ERR_NONE)
-+		return grub_error (GRUB_ERR_IO,
-+			           N_("couldn't open card"));
-+	      st = net->transmit (net, 0, dev->last_pkt_size,
-+			         dev->txbuf, NULL, NULL, NULL);
-+	      if (st != GRUB_EFI_SUCCESS)
-+		return grub_error (GRUB_ERR_IO,
-+			           N_("couldn't send network packet"));
-+	      retry = 1;
-+	      grub_uint64_t limit_time = grub_get_time_ms () + 10000;
-+	      break;
-+	    }
-+	  return grub_error (GRUB_ERR_TIMEOUT,
-+			     N_("couldn't send network packet"));
-+	}
-+      }
-+
-+  dev->last_pkt_size = (pack->tail - pack->data);
-+  if (dev->last_pkt_size > dev->mtu)
-+    dev->last_pkt_size = dev->mtu;
-+
-+  grub_memcpy (dev->txbuf, pack->data, dev->last_pkt_size);
-+
-+  st = net->transmit (net, 0, dev->last_pkt_size,
-+		      dev->txbuf, NULL, NULL, NULL);
-+  if (st != GRUB_EFI_SUCCESS)
-+    return grub_error (GRUB_ERR_IO, N_("couldn't send network packet"));
-+
-+  /*
-+     The card may have sent out the packet immediately - set txbusy
-+     to 0 in this case.
-+     Cases were observed where checking txbuf at the next call
-+     of send_card_buffer() is too late: 0 is returned in txbuf and
-+     we run in the GRUB_ERR_TIMEOUT case above.
-+     Perhaps a timeout in the FW has discarded the recycle buffer.
-+   */
-+  txbuf = NULL;
-+  st = net->get_status (net, 0, &txbuf);
-+  dev->txbusy = !(st == GRUB_EFI_SUCCESS && txbuf);
-+
-+  return GRUB_ERR_NONE;
-+}
-+
- static struct grub_net_card_driver efidriver =
-   {
-     .name = "efinet",
--- 
-2.47.1
-

grub.macros

@@ -304,13 +304,6 @@ Requires:	grub2-common = %{evr}					\
 Requires:	grub2-tools-minimal >= %{evr}				\
 Requires:	grub2-tools = %{evr}					\
 Provides:	grub2-efi = %{evr}					\
-Provides:	oracle(grub2-sig-key) = 202502				\
-%{expand:%%ifarch x86_64                                                \
-Conflicts:	shim-x64 < 15.8-1.0.6					\
-%%endif}								\
-%{expand:%%ifarch aarch64						\
-Conflicts:	shim-aa64 < 15.8-1.0.6					\
-%%endif}								\
 %{?legacy_provides:Provides:	grub2 = %{evr}}			\
 %{-o:Obsoletes:	grub2-efi < %{evr}}					\
 									\
@@ -408,7 +401,7 @@ install -m 644 %{1}.conf ${RPM_BUILD_ROOT}/etc/dnf/protected.d/ \
 rm -f %{1}.conf							\
 %{nil}
 
-%global grub_modules  " all_video boot blscfg btrfs		\\\
+%global grub_modules  " all_video boot blscfg                   \\\
 			cat configfile cryptodisk		\\\
 			echo ext2 f2fs fat font			\\\
 			gcry_rijndael gcry_rsa gcry_serpent	\\\

grub.patches

@@ -368,6 +368,3 @@ Patch0368: 0368-10_linux.in-escape-kernel-option-characters-properly.patch
 Patch0369: 0369-blscfg-check-if-variable-is-escaped-before-consideri.patch
 Patch0370: 0370-Set-correctly-the-memory-attributes-for-the-kernel-P.patch
 Patch0371: 0371-gettext-gettext-Unregister-gettext-command-on-module.patch
-Patch1000: bug18504756-use-different-title-for-UEK.patch
-Patch1001: bug26388226-update-redhat-references.patch
-Patch1002: bug37808688-efinet-Close-and-reopen-card-on-failure.patch

grub2.spec

@@ -17,7 +17,7 @@
 Name:		grub2
 Epoch:		1
 Version:	2.12
-Release:	29.0.1%{?dist}.2
+Release:	29%{?dist}.2
 Summary:	Bootloader with support for Linux, Multiboot and more
 License:	GPL-3.0-or-later
 URL:		http://www.gnu.org/software/grub/
@@ -36,27 +36,25 @@ Source10:	20-grub.install
 Source11:	grub.patches
 Source12:	sbat.csv.in
 Source13:	gen_grub_cfgstub
-Source14:	oraclegrubcer.cer
-Source15:	securebootca.cer
 
 %include %{SOURCE1}
 
 %ifarch x86_64 aarch64 ppc64le
-%define sb_ca		%{SOURCE15}
-%define sb_cer		%{SOURCE14}
+%define sb_ca		%{_datadir}/pki/sb-certs/secureboot-ca-%{_arch}.cer
+%define sb_cer		%{_datadir}/pki/sb-certs/secureboot-grub2-%{_arch}.cer
 %endif
 
 %if 0%{?centos}
 
 %ifarch x86_64 aarch64 ppc64le
-%define sb_key		OracleLinuxSecureBootKey1
+%define sb_key		centossecureboot202
 %endif
 %else
 %ifarch x86_64 aarch64
-%define sb_key		OracleLinuxSecureBootKey1
+%define sb_key		redhatsecureboot802
 %endif
 %ifarch ppc64le
-%define sb_key		OracleLinuxSecureBootKey1
+%define sb_key		redhatsecureboot702
 %endif
 
 %endif
@@ -576,40 +574,6 @@ fi
 %endif
 
 %changelog
-* Mon Mar 16 2026 EL Errata <el-errata_ww@oracle.com> - 2.12-29.0.1.el10_1.2
-- efinet: Close and reopen card on failure [Orabug: 37808688]
-- Update grub2 dependencies to match new Secure Boot certificate chain of trust [Orabug: 37766761]
-- Fix typo in SBAT metadata [Orabug: 37693946]
-- Allow installation of grub2 only with shim-aa64 that allows booting it [Orabug: 37693946]
-- Enable btrfs module [Orabug: 37412995]
-- Restored shim related conflicts and provide. [Orabug: 37376920]
-- Rework the scripts to cover both in-place upgrade and update scenarios [Orabug: 36768566]
-- Support setting custom kernels as default kernels [Orabug: 36043978]
-- Bump SBAT metadata for grub to 3 [Orabug: 34872719]
-- Fix CVE-2022-3775 [Orabug: 34871953]
-- Enable signing for aarch64 EFI
-- Fix signing certificate names
-- Enable back btrfs grub module for EFI pre-built image [Orabug: 34360986]
-- Replaced bugzilla.oracle.com references [Orabug: 34202300]
-- Update provided certificate version to 202204 [JIRA: OLDIS-16371]
-- Various coverity fixes [JIRA: OLDIS-16371]
-- bump SBAT generation
-- Update bug url [Orabug: 34202300]
-- Revert provided certificate version back to 202102 [JIRA: OLDIS-16371]
-- Update signing certificate [JIRA: OLDIS-16371]
-- fix SBAT data [JIRA: OLDIS-16371]
-- Update requires [JIRA: OLDIS-16371]
-- Rebuild for SecureBoot signatures [Orabug: 33801813]
-- Do not add shim and grub certificate deps for aarch64 packages [Orabug: 32670033]
-- Update Oracle SBAT data [Orabug: 32670033]
-- Use new signing certificate [Orabug: 32670033]
-- honor /etc/sysconfig/kernel DEFAULTKERNEL setting for BLS [Orabug: 30643497]
-- set EFIDIR as redhat for additional grub2 tools [Orabug: 29875597]
-- Update upstream references [Orabug: 26388226]
-- Insert Unbreakable Enterprise Kernel text into BLS config file [Orabug: 29417955]
-- Put "with" in menuentry instead of "using" [Orabug: 18504756]
-- Use different titles for UEK and RHCK kernels [Orabug: 18504756]
-
 * Tue Mar 03 2026 Nicolas Frayer <nfrayer@redhat.com> - 2.12-29.2
 - Try to get gating tests running via fmf/tmt
 - Resolves: #RHEL-152849

sbat.csv.in

@@ -1,5 +1,4 @@
 sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
-grub,5,Free Software Foundation,grub,@@VERSION@@,https://www.gnu.org/software/grub/
+grub,5,Free Software Foundation,grub,@@VERSION@@,https//www.gnu.org/software/grub/
 grub.rh,2,Red Hat,grub2,@@VERSION_RELEASE@@,mailto:secalert@redhat.com
 grub.centos,2,Red Hat,grub2,@@VERSION_RELEASE@@,mailto:secalert@redhat.com
-grub.ol10,3,Oracle Linux,grub2,@@VERSION@@,mail:secalert_us@oracle.com