diff --git a/20-grub.install b/20-grub.install index 9cbf739..699fff7 100755 --- a/20-grub.install +++ b/20-grub.install @@ -6,7 +6,6 @@ fi [[ -f /etc/default/grub ]] && . /etc/default/grub [[ -f /etc/os-release ]] && . /etc/os-release -[[ -f /etc/sysconfig/kernel ]] && . /etc/sysconfig/kernel COMMAND="$1" KERNEL_VERSION="$2" @@ -42,14 +41,8 @@ mkbls() { fi fi - if [[ $kernelver =~ uek ]]; then - local ver_stanza="$kernelver with Unbreakable Enterprise Kernel" - else - local ver_stanza="$kernelver" - fi - cat < -Date: Tue, 18 Dec 2018 13:22:12 -0800 -Subject: [PATCH 1/1] Use different menuentries for UEK kernel - ---- - util/grub.d/10_linux.in | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in -index b54d277..fe8b20f 100644 ---- a/util/grub.d/10_linux.in -+++ b/util/grub.d/10_linux.in -@@ -173,7 +173,12 @@ EOF - fi - - if [ x$type != xsimple ] ; then -- title=$(mktitle "$type" "$version") -+ if echo "$version" | grep -q uek; then -+ kernel_type_text="with Unbreakable Enterprise Kernel" -+ else -+ kernel_type_text="with Linux" -+ fi -+ title=$(mktitle "$type" "$version $kernel_type_text") - if [ x"$title" = x"$GRUB_ACTUAL_DEFAULT" ] || [ x"Previous Linux versions>$title" = x"$GRUB_ACTUAL_DEFAULT" ]; then - replacement_title="$(echo "Advanced options for ${OS}" | sed 's,>,>>,g')>$(echo "$title" | sed 's,>,>>,g')" - quoted="$(echo "$GRUB_ACTUAL_DEFAULT" | grub_quote)" --- -1.8.3.1 - diff --git a/bug26388226-update-redhat-references.patch b/bug26388226-update-redhat-references.patch deleted file mode 100644 index bf1916a..0000000 --- a/bug26388226-update-redhat-references.patch +++ /dev/null 
@@ -1,25 +0,0 @@
-From 05bfbf0b086ed14ea9311e2406d775c2562a826d Mon Sep 17 00:00:00 2001
-From: livy.ge
-Date: Wed, 5 Jul 2017 03:53:48 -0700
-Subject: [PATCH] update bug url
-
----
- util/grub-set-password.in | 2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-diff --git a/util/grub-set-password.in b/util/grub-set-password.in
-index d7924af..2f182b8 100755
---- a/util/grub-set-password.in
-+++ b/util/grub-set-password.in
-@@ -25,7 +25,7 @@ located by default at ${grubdir}.
- -v, --version print the version information and exit
- -o, --output_path put user.cfg in a user-selected directory
-
--Report bugs at https://bugzilla.redhat.com.
-+Report bugs at https://github.com/oracle/oracle-linux .
- EOF
- }
-
---
-1.7.4.1
-
diff --git a/bug37808688-efinet-Close-and-reopen-card-on-failure.patch b/bug37808688-efinet-Close-and-reopen-card-on-failure.patch
deleted file mode 100644
index 2e5ef82..0000000
--- a/bug37808688-efinet-Close-and-reopen-card-on-failure.patch
+++ /dev/null
@@ -1,191 +0,0 @@ -From 4d2d00c8b9c2954a9a1f6bec57de8477366c7d42 Mon Sep 17 00:00:00 2001 -From: Alex Burmashev -Date: Thu, 17 Apr 2025 11:11:30 +0000 -Subject: [PATCH] efinet: Close and reopen card on failure - -There are some known bugs with network adapter firmware implementations, -that may lead to intermittent problem of network adapter link being down, despite network -being set up. -Ultimate fix of this issue should be done on firmware side, but as for now we try to close -and reopen network adapter and retransmit packet in case we see failures. - -Without this fix certain amount of PXE boots fails with inability to transmit packet, with this fix, -such failures are not seen. - -Orabug: 35126950 -Orabug: 37808688 -Signed-off-by: Alex Burmashev ---- - grub-core/net/drivers/efi/efinet.c | 149 ++++++++++++++++------------- - 1 file changed, 85 insertions(+), 64 deletions(-) - -diff --git a/grub-core/net/drivers/efi/efinet.c b/grub-core/net/drivers/efi/efinet.c -index 4591d07..cb97a9e 100644 ---- a/grub-core/net/drivers/efi/efinet.c -+++ b/grub-core/net/drivers/efi/efinet.c -@@ -37,70 +37,6 @@ static grub_guid_t pxe_io_guid = GRUB_EFI_PXE_GUID; - static grub_guid_t ip4_config_guid = GRUB_EFI_IP4_CONFIG2_PROTOCOL_GUID; - static grub_guid_t ip6_config_guid = GRUB_EFI_IP6_CONFIG_PROTOCOL_GUID; - --static grub_err_t --send_card_buffer (struct grub_net_card *dev, -- struct grub_net_buff *pack) --{ -- grub_efi_status_t st; -- grub_efi_simple_network_t *net = dev->efi_net; -- grub_uint64_t limit_time = grub_get_time_ms () + 4000; -- void *txbuf; -- -- if (net == NULL) -- return grub_error (GRUB_ERR_IO, -- N_("network protocol not available, can't send packet")); -- if (dev->txbusy) -- while (1) -- { -- txbuf = NULL; -- st = net->get_status (net, 0, &txbuf); -- if (st != GRUB_EFI_SUCCESS) -- return grub_error (GRUB_ERR_IO, -- N_("couldn't send network packet")); -- /* -- Some buggy firmware could return an arbitrary address instead of the -- txbuf address we trasmitted, 
so just check that txbuf is non NULL -- for success. This is ok because we open the SNP protocol in -- exclusive mode so we know we're the only ones transmitting on this -- box and since we only transmit one packet at a time we know our -- transmit was successfull. -- */ -- if (txbuf) -- { -- dev->txbusy = 0; -- break; -- } -- if (limit_time < grub_get_time_ms ()) -- return grub_error (GRUB_ERR_TIMEOUT, -- N_("couldn't send network packet")); -- } -- -- dev->last_pkt_size = (pack->tail - pack->data); -- if (dev->last_pkt_size > dev->mtu) -- dev->last_pkt_size = dev->mtu; -- -- grub_memcpy (dev->txbuf, pack->data, dev->last_pkt_size); -- -- st = net->transmit (net, 0, dev->last_pkt_size, -- dev->txbuf, NULL, NULL, NULL); -- if (st != GRUB_EFI_SUCCESS) -- return grub_error (GRUB_ERR_IO, N_("couldn't send network packet")); -- -- /* -- The card may have sent out the packet immediately - set txbusy -- to 0 in this case. -- Cases were observed where checking txbuf at the next call -- of send_card_buffer() is too late: 0 is returned in txbuf and -- we run in the GRUB_ERR_TIMEOUT case above. -- Perhaps a timeout in the FW has discarded the recycle buffer. 
-- */ -- txbuf = NULL; -- st = net->get_status (net, 0, &txbuf); -- dev->txbusy = !(st == GRUB_EFI_SUCCESS && txbuf); -- -- return GRUB_ERR_NONE; --} -- - static struct grub_net_buff * - get_card_packet (struct grub_net_card *dev) - { -@@ -228,6 +164,91 @@ close_card (struct grub_net_card *dev) - grub_efi_close_protocol (dev->efi_handle, &net_io_guid); - } - -+static grub_err_t -+send_card_buffer (struct grub_net_card *dev, -+ struct grub_net_buff *pack) -+{ -+ grub_efi_status_t st; -+ grub_efi_simple_network_t *net = dev->efi_net; -+ grub_uint64_t limit_time = grub_get_time_ms () + 4000; -+ void *txbuf; -+ grub_err_t ret; -+ int retry = 0; -+ -+ if (net == NULL) -+ return grub_error (GRUB_ERR_IO, -+ N_("network protocol not available, can't send packet")); -+ if (dev->txbusy) -+ while (1) -+ { -+ txbuf = NULL; -+ st = net->get_status (net, 0, &txbuf); -+ if (st != GRUB_EFI_SUCCESS) -+ return grub_error (GRUB_ERR_IO, -+ N_("couldn't send network packet")); -+ /* -+ Some buggy firmware could return an arbitrary address instead of the -+ txbuf address we trasmitted, so just check that txbuf is non NULL -+ for success. This is ok because we open the SNP protocol in -+ exclusive mode so we know we're the only ones transmitting on this -+ box and since we only transmit one packet at a time we know our -+ transmit was successfull. 
-+ */ -+ if (txbuf) -+ { -+ dev->txbusy = 0; -+ break; -+ } -+ if (limit_time < grub_get_time_ms ()) -+ { -+ if (!retry) -+ { -+ close_card (dev); -+ grub_millisleep (100); -+ ret = open_card (dev); -+ if (ret != GRUB_ERR_NONE) -+ return grub_error (GRUB_ERR_IO, -+ N_("couldn't open card")); -+ st = net->transmit (net, 0, dev->last_pkt_size, -+ dev->txbuf, NULL, NULL, NULL); -+ if (st != GRUB_EFI_SUCCESS) -+ return grub_error (GRUB_ERR_IO, -+ N_("couldn't send network packet")); -+ retry = 1; -+ grub_uint64_t limit_time = grub_get_time_ms () + 10000; -+ break; -+ } -+ return grub_error (GRUB_ERR_TIMEOUT, -+ N_("couldn't send network packet")); -+ } -+ } -+ -+ dev->last_pkt_size = (pack->tail - pack->data); -+ if (dev->last_pkt_size > dev->mtu) -+ dev->last_pkt_size = dev->mtu; -+ -+ grub_memcpy (dev->txbuf, pack->data, dev->last_pkt_size); -+ -+ st = net->transmit (net, 0, dev->last_pkt_size, -+ dev->txbuf, NULL, NULL, NULL); -+ if (st != GRUB_EFI_SUCCESS) -+ return grub_error (GRUB_ERR_IO, N_("couldn't send network packet")); -+ -+ /* -+ The card may have sent out the packet immediately - set txbusy -+ to 0 in this case. -+ Cases were observed where checking txbuf at the next call -+ of send_card_buffer() is too late: 0 is returned in txbuf and -+ we run in the GRUB_ERR_TIMEOUT case above. -+ Perhaps a timeout in the FW has discarded the recycle buffer. -+ */ -+ txbuf = NULL; -+ st = net->get_status (net, 0, &txbuf); -+ dev->txbusy = !(st == GRUB_EFI_SUCCESS && txbuf); -+ -+ return GRUB_ERR_NONE; -+} -+ - static struct grub_net_card_driver efidriver = - { - .name = "efinet", --- -2.47.1 - diff --git a/gen_grub_cfgstub b/gen_grub_cfgstub old mode 100755 new mode 100644 diff --git a/grub.macros b/grub.macros index dfc682a..685b897 100644 --- a/grub.macros +++ b/grub.macros 
@@ -304,13 +304,6 @@ Requires: grub2-common = %{evr} \ Requires: grub2-tools-minimal >= %{evr} \ Requires: grub2-tools = %{evr} \ Provides: grub2-efi = %{evr} \ -Provides: oracle(grub2-sig-key) = 202502 \ -%{expand:%%ifarch x86_64 \ -Conflicts: shim-x64 < 15.8-1.0.6 \ -%%endif} \ -%{expand:%%ifarch aarch64 \ -Conflicts: shim-aa64 < 15.8-1.0.6 \ -%%endif} \ %{?legacy_provides:Provides: grub2 = %{evr}} \ %{-o:Obsoletes: grub2-efi < %{evr}} \ \ @@ -408,7 +401,7 @@ install -m 644 %{1}.conf ${RPM_BUILD_ROOT}/etc/dnf/protected.d/ \ rm -f %{1}.conf \ %{nil} -%global grub_modules " all_video boot blscfg btrfs \\\ +%global grub_modules " all_video boot blscfg \\\ cat configfile cryptodisk \\\ echo ext2 f2fs fat font \\\ gcry_rijndael gcry_rsa gcry_serpent \\\ diff --git a/grub.patches b/grub.patches index 87e6941..9049594 100644 --- a/grub.patches +++ b/grub.patches @@ -368,6 +368,3 @@ Patch0368: 0368-10_linux.in-escape-kernel-option-characters-properly.patch Patch0369: 0369-blscfg-check-if-variable-is-escaped-before-consideri.patch Patch0370: 0370-Set-correctly-the-memory-attributes-for-the-kernel-P.patch Patch0371: 0371-gettext-gettext-Unregister-gettext-command-on-module.patch -Patch1000: bug18504756-use-different-title-for-UEK.patch -Patch1001: bug26388226-update-redhat-references.patch -Patch1002: bug37808688-efinet-Close-and-reopen-card-on-failure.patch \ No newline at end of file diff --git a/grub2.spec b/grub2.spec index 5c56ec1..175909f 100644 --- a/grub2.spec +++ b/grub2.spec @@ -17,7 +17,7 @@ Name: grub2 Epoch: 1 Version: 2.12 -Release: 29.0.1%{?dist}.2 +Release: 29%{?dist}.2 Summary: Bootloader with support for Linux, Multiboot and more License: GPL-3.0-or-later URL: http://www.gnu.org/software/grub/ 
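Review bot: Dropping `btrfs` from `grub_modules` in the second grub.macros hunk removes that filesystem driver from the module list, and nothing on the page records why. If this list is what gets built into the signed EFI image (the macro's use is outside the hunk), a system with /boot on btrfs would have to load the module at run time, which Secure Boot builds of GRUB commonly refuse to do. A comment above the `%global grub_modules` line should state the decision, for example `# btrfs intentionally not built in: /boot on btrfs is not supported`, or the module should stay if such installs exist.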
@@ -36,27 +36,25 @@ Source10: 20-grub.install Source11: grub.patches Source12: sbat.csv.in Source13: gen_grub_cfgstub -Source14: oraclegrubcer.cer -Source15: securebootca.cer %include %{SOURCE1} %ifarch x86_64 aarch64 ppc64le -%define sb_ca %{SOURCE15} -%define sb_cer %{SOURCE14} +%define sb_ca %{_datadir}/pki/sb-certs/secureboot-ca-%{_arch}.cer +%define sb_cer %{_datadir}/pki/sb-certs/secureboot-grub2-%{_arch}.cer %endif %if 0%{?centos} %ifarch x86_64 aarch64 ppc64le -%define sb_key OracleLinuxSecureBootKey1 +%define sb_key centossecureboot202 %endif %else %ifarch x86_64 aarch64 -%define sb_key OracleLinuxSecureBootKey1 +%define sb_key redhatsecureboot802 %endif %ifarch ppc64le -%define sb_key OracleLinuxSecureBootKey1 +%define sb_key redhatsecureboot702 %endif %endif 
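Review bot: `sb_ca` and `sb_cer` now resolve to files under `%{_datadir}/pki/sb-certs/` in the build root instead of `Source14`/`Source15` shipped with the package, so the certificates presumably used for signing depend on what is installed on the builder. No `BuildRequires` for the package that provides those files is visible in this hunk; if it is not declared elsewhere in the spec, the build either fails late or uses whatever happens to be present. The `sb_key` nicknames (`centossecureboot202`, `redhatsecureboot802`, `redhatsecureboot702`) also have to pair with that `sb_cer` on each architecture, and the installed shim has to trust the resulting signer, which matters more now that grub.macros no longer carries the `Conflicts: shim-x64` / `Conflicts: shim-aa64` lines. A comment above the `%define sb_ca` line naming the providing package and the expected signer would make this checkable in review.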
@@ -576,40 +574,6 @@ fi %endif %changelog -* Mon Mar 16 2026 EL Errata - 2.12-29.0.1.el10_1.2 -- efinet: Close and reopen card on failure [Orabug: 37808688] -- Update grub2 dependencies to match new Secure Boot certificate chain of trust [Orabug: 37766761] -- Fix typo in SBAT metadata [Orabug: 37693946] -- Allow installation of grub2 only with shim-aa64 that allows booting it [Orabug: 37693946] -- Enable btrfs module [Orabug: 37412995] -- Restored shim related conflicts and provide. [Orabug: 37376920] -- Rework the scripts to cover both in-place upgrade and update scenarios [Orabug: 36768566] -- Support setting custom kernels as default kernels [Orabug: 36043978] -- Bump SBAT metadata for grub to 3 [Orabug: 34872719] -- Fix CVE-2022-3775 [Orabug: 34871953] -- Enable signing for aarch64 EFI -- Fix signing certificate names -- Enable back btrfs grub module for EFI pre-built image [Orabug: 34360986] -- Replaced bugzilla.oracle.com references [Orabug: 34202300] -- Update provided certificate version to 202204 [JIRA: OLDIS-16371] -- Various coverity fixes [JIRA: OLDIS-16371] -- bump SBAT generation -- Update bug url [Orabug: 34202300] -- Revert provided certificate version back to 202102 [JIRA: OLDIS-16371] -- Update signing certificate [JIRA: OLDIS-16371] -- fix SBAT data [JIRA: OLDIS-16371] -- Update requires [JIRA: OLDIS-16371] -- Rebuild for SecureBoot signatures [Orabug: 33801813] -- Do not add shim and grub certificate deps for aarch64 packages [Orabug: 32670033] -- Update Oracle SBAT data [Orabug: 32670033] -- Use new signing certificate [Orabug: 32670033] -- honor /etc/sysconfig/kernel DEFAULTKERNEL setting for BLS [Orabug: 30643497] -- set EFIDIR as redhat for additional grub2 tools [Orabug: 29875597] -- Update upstream references [Orabug: 26388226] -- Insert Unbreakable Enterprise Kernel text into BLS config file [Orabug: 29417955] -- Put "with" in menuentry instead of "using" [Orabug: 18504756] -- Use different titles for UEK and RHCK kernels [Orabug: 
18504756] - * Tue Mar 03 2026 Nicolas Frayer - 2.12-29.2 - Try to get gating tests running via fmf/tmt - Resolves: #RHEL-152849 diff --git a/sbat.csv.in b/sbat.csv.in old mode 100644 new mode 100755 index 9a1d304..a0c77de --- a/sbat.csv.in +++ b/sbat.csv.in @@ -1,5 +1,4 @@ sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md -grub,5,Free Software Foundation,grub,@@VERSION@@,https://www.gnu.org/software/grub/ +grub,5,Free Software Foundation,grub,@@VERSION@@,https//www.gnu.org/software/grub/ grub.rh,2,Red Hat,grub2,@@VERSION_RELEASE@@,mailto:secalert@redhat.com grub.centos,2,Red Hat,grub2,@@VERSION_RELEASE@@,mailto:secalert@redhat.com -grub.ol10,3,Oracle Linux,grub2,@@VERSION@@,mail:secalert_us@oracle.com \ No newline at end of file
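Review bot: The added `grub` line in sbat.csv.in has a malformed URL, `https//www.gnu.org/software/grub/`, with the colon after the scheme missing; the removed line had `https://www.gnu.org/software/grub/`. SBAT revocation matches on component name and generation, so this field is informational, but it ends up in the metadata embedded in every signed image and should read `grub,5,Free Software Foundation,grub,@@VERSION@@,https://www.gnu.org/software/grub/`. The same file section changes the mode from 100644 to 100755, which a CSV template does not need. It also drops the `grub.ol10` entry, so any revocation keyed on that component name would no longer apply to these builds; confirm that is intended alongside the signing-key change.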