From dcbd1694a56a3580cf9784a721802c061f33e305 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 1 Mar 2022 07:59:15 -0500 Subject: [PATCH] import grub2-2.06-23.el9 --- ...-mkconfig-restore-umask-for-grub.cfg.patch | 41 +++++++++ SOURCES/99-grub-mkconfig.install | 7 +- SOURCES/grub.macros | 78 +++------------- SOURCES/grub.patches | 1 + SOURCES/redhatsecureboot301.cer | Bin 839 -> 0 bytes SOURCES/redhatsecureboot303.cer | Bin 899 -> 0 bytes SOURCES/redhatsecureboot502.cer | Bin 964 -> 0 bytes SOURCES/redhatsecureboot601.cer | Bin 916 -> 0 bytes SOURCES/redhatsecurebootca3.cer | Bin 977 -> 0 bytes SOURCES/redhatsecurebootca5.cer | Bin 920 -> 0 bytes SPECS/grub2.spec | 87 ++++++++++-------- 11 files changed, 108 insertions(+), 106 deletions(-) create mode 100644 SOURCES/0224-grub-mkconfig-restore-umask-for-grub.cfg.patch mode change 100644 => 100755 SOURCES/grub.macros delete mode 100644 SOURCES/redhatsecureboot301.cer delete mode 100644 SOURCES/redhatsecureboot303.cer delete mode 100644 SOURCES/redhatsecureboot502.cer delete mode 100644 SOURCES/redhatsecureboot601.cer delete mode 100644 SOURCES/redhatsecurebootca3.cer delete mode 100644 SOURCES/redhatsecurebootca5.cer diff --git a/SOURCES/0224-grub-mkconfig-restore-umask-for-grub.cfg.patch b/SOURCES/0224-grub-mkconfig-restore-umask-for-grub.cfg.patch new file mode 100644 index 0000000..bd1bd0c --- /dev/null +++ b/SOURCES/0224-grub-mkconfig-restore-umask-for-grub.cfg.patch 
@@ -0,0 +1,41 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Michael Chang via Grub-devel +Date: Fri, 3 Dec 2021 16:13:28 +0800 +Subject: [PATCH] grub-mkconfig: restore umask for grub.cfg + +Since commit: + + ab2e53c8a grub-mkconfig: Honor a symlink when generating configuration +by grub-mkconfig + +has inadvertently discarded umask for creating grub.cfg in the process +of grub-mkconfig. The resulting wrong permission (0644) would allow +unprivileged users to read grub's configuration file content. This +presents a low confidentiality risk as grub.cfg may contain non-secured +plain-text passwords. + +This patch restores the missing umask and set the file mode of creation +to 0600 preventing unprivileged access. + +Fixes: CVE-2021-3981 + +Signed-off-by: Michael Chang +(cherry picked from commit 2acad06610da1488bfa387f56a847119ab758766) +--- + util/grub-mkconfig.in | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in +index f55339a3f64..520a672cd2c 100644 +--- a/util/grub-mkconfig.in ++++ b/util/grub-mkconfig.in +@@ -311,7 +311,9 @@ and /etc/grub.d/* files or please file a bug report with + exit 1 + else + # none of the children aborted with error, install the new grub.cfg ++ oldumask=$(umask); umask 077 + cat ${grub_cfg}.new > ${grub_cfg} ++ umask $oldumask + rm -f ${grub_cfg}.new + fi + fi diff --git a/SOURCES/99-grub-mkconfig.install b/SOURCES/99-grub-mkconfig.install index d9686b5..2c7faad 100755 --- a/SOURCES/99-grub-mkconfig.install +++ b/SOURCES/99-grub-mkconfig.install 
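Review bot: The restored umask only governs file creation, so `cat ${grub_cfg}.new > ${grub_cfg}` tightens nothing when grub.cfg already exists: the redirection truncates the existing file in place and keeps its current mode, leaving a grub.cfg that was created as 0644 on an upgraded host world-readable until it is removed and regenerated. Because the cat-into-existing-file form is deliberate (it preserves a symlinked grub.cfg, per ab2e53c8a), the simplest way to cover existing installs as well is an explicit `chmod 600 ${grub_cfg}` after the `umask $oldumask` line; chmod dereferences the symlink, so the real file is what gets restricted. A one-line comment above the pair, e.g. `# 077: grub.cfg can carry plain-text passwords (CVE-2021-3981)`, would keep the restrict/restore pair from being refactored away again. The `if` that this `else` branch belongs to opens above the inner hunk.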
@@ -40,14 +40,17 @@ if [[ $DISABLE_BLS = "true" ]]; then fi fi +[ -f /etc/default/grub ] && . /etc/default/grub +if [ x$GRUB_ENABLE_BLSCFG = xfalse ]; then + RUN_MKCONFIG=true +fi + # A traditional grub configuration file needs to be generated only in the case when # the bootloaders are not capable of populating a menu entry from the BLS fragments. if [[ $RUN_MKCONFIG != "true" ]]; then exit 0 fi -[[ -f /etc/default/grub ]] && . /etc/default/grub - COMMAND="$1" case "$COMMAND" in diff --git a/SOURCES/grub.macros b/SOURCES/grub.macros old mode 100644 new mode 100755 index 168223f..cd8b7d2 --- a/SOURCES/grub.macros +++ b/SOURCES/grub.macros @@ -68,7 +68,6 @@ %global efi_target_ldflags %{expand:%%(echo %{target_ldflags})} %global with_efi_arch 0 -%global with_alt_efi_arch 0 %global with_legacy_arch 0 %global with_emu_arch 1 %global emuarch %{_arch} @@ -154,19 +153,6 @@ %global legacy_target_cpu_name i386 %global legacy_package_arch pc %global platform pc - -%global alt_efi_arch ia32 -%global alt_target_cpu_name i386 -%global alt_grub_target_name i386-efi -%global alt_platform efi -%global alt_package_arch efi-ia32 - -%global alt_efi_host_cflags %{expand:%%(echo %{efi_host_cflags})} -%global alt_efi_target_cflags \\\ - %{expand:%%(echo %{target_cflags} | \\\ - %{cflags_sed} \\\ - -e 's/-m64//g' \\\ - )} %endif %ifarch aarch64 @@ -200,7 +186,6 @@ %endif %global _target_platform %{target_cpu_name}-%{_vendor}-%{_target_os}%{?_gnu} -%global _alt_target_platform %{alt_target_cpu_name}-%{_vendor}-%{_target_os}%{?_gnu} %ifarch %{efi_arch} %global with_efi_arch 1 @@ -216,13 +201,6 @@ %endif %endif -%if 0%{?alt_efi_arch:1} -%global with_alt_efi_arch 1 -%global grubaltefiname grub%{alt_efi_arch}.efi -%global grubalteficdname gcd%{alt_efi_arch}.efi -%global grubaltefiarch %{alt_target_cpu_name}-efi -%endif - %ifnarch %{efi_only} %global with_legacy_arch 1 %global grublegacyarch %{legacy_target_cpu_name}-%{platform} 
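Review bot: The new `if [ x$GRUB_ENABLE_BLSCFG = xfalse ]` leaves the value unquoted inside single-bracket `[`, while the rest of this script uses `[[ ]]` (`if [[ $DISABLE_BLS = "true" ]]` a few lines above and `if [[ $RUN_MKCONFIG != "true" ]]` right below), so a value containing whitespace sourced from /etc/default/grub would become a test syntax error rather than a false result. `if [[ $GRUB_ENABLE_BLSCFG == false ]]; then` keeps the style consistent and makes the `x` prefix unnecessary. Since `. /etc/default/grub` is now evaluated before the RUN_MKCONFIG decision instead of after it, a comment such as `# sourced before the early exit: GRUB_ENABLE_BLSCFG=false must force grub.cfg generation` above the moved line would record why it moved; note that any RUN_MKCONFIG assignment in that file would now take effect as well.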
@@ -416,11 +394,8 @@ rm -f %{1}.conf \ ${GRUB_MODULES} \ %{expand:%%define ___pesign_client_cert %{?___pesign_client_cert}%{!?___pesign_client_cert:%{__pesign_client_cert}}} \ %{?__pesign_client_cert:%{expand:%%define __pesign_client_cert %{___pesign_client_cert}}} \ -%{expand:%%{pesign -s -i %%{2}.orig -o %%{2}.onesig -a %%{5} -c %%{6} -n %%{7}}} \ -%{expand:%%{pesign -s -i %%{3}.orig -o %%{3}.onesig -a %%{5} -c %%{6} -n %%{7}}} \ -%{expand:%%define __pesign_client_cert %{name}-signer} \ -%{expand:%%{pesign -s -i %%{2}.onesig -o %%{2} -a %%{8} -c %%{9} -n %%{10}}} \ -%{expand:%%{pesign -s -i %%{3}.onesig -o %%{3} -a %%{8} -c %%{9} -n %%{10}}} \ +%{expand:%%{pesign -s -i %%{2}.orig -o %%{2} -a %%{5} -c %%{6} -n %%{7}}} \ +%{expand:%%{pesign -s -i %%{3}.orig -o %%{3} -a %%{5} -c %%{6} -n %%{7}}} \ %{nil} %else %define efi_mkimage() \ @@ -438,7 +413,7 @@ rm -f %{1}.conf \ APPENDED_SIG_SIZE=0 \ if [ -x /usr/bin/rpm-sign ]; then \ touch empty.unsigned \ - rpm-sign --key %{5} \\\ + rpm-sign --key %{4} \\\ --lkmsign empty.unsigned \\\ --output empty.signed \ APPENDED_SIG_SIZE="$(stat -c '%s' empty.signed)" \ @@ -447,12 +422,12 @@ fi \ # FIXME: using this prefix is fragile, must be done properly \ ./grub-mkimage -O %{1} -o %{2}.orig \\\ -p '/grub2' -d grub-core \\\ - -x %{3} -x %{4} \\\ + -x %{3} \\\ --appended-signature-size ${APPENDED_SIG_SIZE} \\\ ${GRUB_MODULES} \ if [ -x /usr/bin/rpm-sign ]; then \ truncate -s -${APPENDED_SIG_SIZE} %{2}.orig \ - rpm-sign --key %{5} \\\ + rpm-sign --key %{4} \\\ --lkmsign %{2}.orig \\\ --output %{2} \ else \ 
@@ -468,12 +443,12 @@ GRUB_MODULES+=%{platform_modules} \ %{expand:%%{efi_mkimage %{1} %{2} %{3} %{4} %{5} %{6} %{7} %{8} %{9} %{10}}} \ %{nil} -%define do_ieee1275_build_images() \ -GRUB_MODULES+=%{grub_modules} \ -GRUB_MODULES+=%{platform_modules} \ -cd grub-%{1}-%{tarversion} \ -%{expand:%%ieee1275_mkimage %%{1} %%{2} %%{3} %%{4} %%{5}} \ -cd .. \ +%define do_ieee1275_build_images() \ +GRUB_MODULES+=%{grub_modules} \ +GRUB_MODULES+=%{platform_modules} \ +cd grub-%{1}-%{tarversion} \ +%{expand:%%ieee1275_mkimage %%{1} %%{2} %%{3} %%{4}} \ +cd .. \ %{nil} %define do_primary_efi_build() \ @@ -484,15 +459,6 @@ cd grub-%{1}-%{tarversion} \ cd .. \ %{nil} -%define do_alt_efi_build() \ -cd grub-%{1}-%{tarversion} \ -%{expand:%%do_efi_configure %%{4} %%{5} %%{6}} \ -%do_efi_build_modules \ -%{expand:%%do_efi_link_utils %{grubefiarch}} \ -%{expand:%%do_efi_build_images %{alt_grub_target_name} %{2} %{3} ../grub-%{grubefiarch}-%{tarversion}/ %{7} %{8} %{9} %{10} %{11} %{12}} \ -cd .. \ -%{nil} - %define do_legacy_build() \ cd grub-%{1}-%{tarversion} \ %configure \\\ @@ -534,26 +500,6 @@ make %{?_smp_mflags} -C grub-core \ cd .. \ %{nil} -%define do_alt_efi_install() \ -cd grub-%{1}-%{tarversion} \ -install -d -m 755 $RPM_BUILD_ROOT/usr/lib/grub/%{grubaltefiarch}/ \ -find . '(' -iname gdb_grub \\\ - -o -iname kernel.exec \\\ - -o -iname kernel.img \\\ - -o -iname config.h \\\ - -o -iname gmodule.pl \\\ - -o -iname modinfo.sh \\\ - -o -iname '*.lst' \\\ - -o -iname '*.mod' \\\ - ')' \\\ - -exec cp {} $RPM_BUILD_ROOT/usr/lib/grub/%{grubaltefiarch}/ \\\; \ -find $RPM_BUILD_ROOT -type f -iname "*.mod*" -exec chmod a-x {} '\;' \ -install -m 700 %{2} $RPM_BUILD_ROOT%{efi_esp_dir}/%{2} \ -install -m 700 %{3} $RPM_BUILD_ROOT%{efi_esp_dir}/%{3} \ -%{expand:%%do_install_protected_file %{name}-%{alt_package_arch}} \ -cd .. \ -%{nil} - %define do_efi_install() \ cd grub-%{1}-%{tarversion} \ make DESTDIR=$RPM_BUILD_ROOT install \ 
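Review bot: `efi_mkimage` now consumes only `%{5} %{6} %{7}` for the single pesign pass (hunk @@ -416,11 +394,8 @@), but `do_efi_build_images` in this hunk still forwards `%{8} %{9} %{10}`, which now expand to nothing; the ppc64le `do_ieee1275_build_images` was trimmed to four arguments in the same hunk, so the EFI path should be trimmed the same way to `%{expand:%%{efi_mkimage %{1} %{2} %{3} %{4} %{5} %{6} %{7}}}`. The body of `do_primary_efi_build` is outside the shown hunks; if it forwards positions 7 onward to `do_efi_build_images` as the removed `do_alt_efi_build` did, the nine-argument call now made in SPECS/grub2.spec (hunk @@ -213,10 +205,7 @@) lands `sb_ca sb_cer sb_key` at positions 5, 6, 7 of `efi_mkimage`, which matches the new pesign line, but that should be confirmed, since a shifted position would hand pesign an empty certificate name and only fail late in the build. A comment above the `efi_mkimage` definition naming the argument order, e.g. `# efi_mkimage: 5=SB CA 6=SB signing cert 7=pesign key name (single signature since 2.06-18)`, would make the renumbering auditable.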
@@ -595,7 +541,7 @@ if [ -f $RPM_BUILD_ROOT/%{_libdir}/grub/%{1}/%{name}.chrp ]; then \ mv $RPM_BUILD_ROOT/%{_libdir}/grub/%{1}/%{name}.chrp \\\ $RPM_BUILD_ROOT/%{_libdir}/grub/%{1}/%{name}.chrp \ fi \ -if [ %{3} -eq 0 ]; then \ +if [ %{2} -eq 0 ]; then \ ${RPM_BUILD_ROOT}/%{_bindir}/%{name}-editenv \\\ ${RPM_BUILD_ROOT}/boot/%{name}/grubenv create \ fi \ diff --git a/SOURCES/grub.patches b/SOURCES/grub.patches index 0d1e9c7..694f9b7 100644 --- a/SOURCES/grub.patches +++ b/SOURCES/grub.patches @@ -221,3 +221,4 @@ Patch0220: 0220-Arm-check-for-the-PE-magic-for-the-compiled-arch.patch Patch0221: 0221-fs-xfs-Fix-unreadable-filesystem-with-v4-superblock.patch Patch0222: 0222-Print-module-name-on-license-check-failure.patch Patch0223: 0223-powerpc-ieee1275-load-grub-at-4MB-not-2MB.patch +Patch0224: 0224-grub-mkconfig-restore-umask-for-grub.cfg.patch diff --git a/SOURCES/redhatsecureboot301.cer b/SOURCES/redhatsecureboot301.cer deleted file mode 100644 index 4ff8b79e6736e566dbf39603e0887a53345aa4e4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 839 zcmXqLVs5=#_OQj1C) zic(WD5=-=w^K%X4#CZ)(42%qc(A3<>AWEFq*xbO#zzobaj4}u^)G^S4Sf`BDy5h|A zyv)3GQtWJER6_O@BP#=Q6C*!^K@%evQxhX2!zT5vqmx`?o`(oz{$eeCezR_cLPyl% zHpefqUbuO&%O^nA}y6#9BjM%~U7Q(5kw6_YN1epR)|xb9Elg4_B`%!~|-ixmyz4P=2K zFU!Xw#v&5#_@80Rp3FS`6#W&an$HJBb(91l2O=d+v%~@6}B_2%&Mg` zDvt6_STWb-ZhXD^RgaJz3Cq5o4B43+oEZD&XVQnj{jXOGHfUJJB>qmC?A`ut>Ahpw zdM-|DZzz7Yc^I3-u|J*vqdKqQ`kIF?LJd~2r8XOg&f%Z+Yj((@r{(*;Y?_w8rSDJJ zntk_K74NJ(drfx5hIZaKImf>p{fSPd=}qfHlV8OA-0dHz$M#&#on!XF_3NjY{(Hxy zbKN4k{8NvC{Y9;Yo!51>R!)l5n2-{5CgAUe(k!NLc|1u*B2w==ttY-NzWb+N=75O& zzv2uf{%c3S9%5x`<-dQv`g=w9>l=;D-vz#WO}UeuefPU1`=|Tw9$I=mIi&>vg+x|L 
diff --git a/SOURCES/redhatsecureboot303.cer b/SOURCES/redhatsecureboot303.cer deleted file mode 100644 index 2c0087dbc5da376aef641bb23833401857c34940..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 899 zcmXqLVy-u6VoG1Y%*4pV#L4h}zvyHQr&GoTylk9WZ60mkc^MhGSs4s`4b=@)*_cCF zn1$tnQd1N>5=#_OQj1C) zic(WD5=-=w^K%X4#CZ)Z4a^Ko3@l8IOe~_rd5tX$3=NE+T!SD(9Rn?}bv(*gtt-w< z&&$k92is{(oSjXKO31!qWMyD(V&rEqXkz4IYGPz$II>2G|M$FqPFt5GY@Z}j_wdcG z>qlNkR*SLi2#vh>#O(I_Wno7c`4SC2=y=Zd`<9;a@{@2)?V*sz8{HTFd-E&#gtt#; zUgHuWz1pJ-y#K9{o_n?Q@4oA|9nu>-nGU?#lm1zM!m(4+W^!G6o63L4^zhgAs4rhs zUmj^WrxfJ3J}dJeuq`Lta*xk?}tZlL3PPH;Bj2!otkN-e4dL;_$JEv50IdKm9LW&^Yn$5_R6=HKv!R z$vZ?D$b+PnStJa^8bln#TEtw=Sv9h7u(GGU__1hC>W>)Y2mmH4U<5ES#PkO5sC<9x z!JKt`$32eKDcv>kntnv_@NIu_U*Q=Xk1EvP<=w1`yP>!G=8u`mTv|szZevQCch1^& z!q2ncK3iyARETApaF1br*%L8#fw_eaRczCW1C=8SIyp9OHWxSD>F|+J;%msh6TGS4 z7i9eW_V~}UtyNmb|NVAU_`StO+3?O0&CipWay2jh-RRBjrY}Bi{e-UnA#J9g_4+s? zD*o^EabCXQ^?4Wm+_igF-`xN2a7LS$!jkBBmcGB8+wcBUs^a;5FNJd^r+L3*+)39L zjQ8{>JTSZxpz7w(F!4!Co|pZnnG+e$u$S(t-F5BW&3P{?riLzZE|e}c7rGqT{#S2( H=YvQ9de&%$ 
diff --git a/SOURCES/redhatsecureboot502.cer b/SOURCES/redhatsecureboot502.cer deleted file mode 100644 index be0b5e211ccf8ad7ba74c88841c921cfdbad5a70..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 964 zcmXqLVm@Hd#I#}oGZP~d6DPygP|MB7r^(JU;AP{~YV&CO&dbQi&B|a9ZzyIU!p0oR z!o|ZIl$xU8kyxUm;F*`KXQ*f(4-#kQk${RT1g9pK7NsgU<>!|uI6Eqs8Y&qmz)j<1 z6ca8^O-{^7Eh=#+N=?Z~EYVBO&oz(}=QT1gFf*_;G%zqQGL91GHMTG?G_-(n4bpHr zK*K-{;sAMU4hYUn&&$k9S1>g&BFY_2j7rFUXJlnyZerwTFlb`rVrpV!WVlw+5~fxp zlC4%={*?v=&XRBAh?w3|ekJhoz zKe*}Ss+-Dp3y#N}_#^e|W8doa9aT(wxO?y2p89Cbu3Q!=zP!k}$2XsU9VoV!m$7=u zaXE&jl}!J>*zj`9usQhLT4_#)+wqRaoS&{Uz0p%LI=p$>w%yj@jOK-#m#OZnogtKa zXx0-|7pa7a%Pt;nc|B=yqk7|#ij=DjlCF{bKHcw(tDZ=IoA@v;?(+N1K5vh6$0wbX zowLen&AF!%E3#rkR^7F4a=E#$KV5;`11Av2kd# zF|x9 z$k^rSH+lBn4DN|8WwYk@BgYLeT>|5Vkzw{NgZMQ5DIkiD~`h}y9{<=D~#ILx2 z!|e$CoGxy;)T!q_Y)P}vi)7| puC*wrU@|^yJWH`pNJ3}E-0bhMGuf{5G|c)nwXm(hxVvuYUH~CAajXCU diff --git a/SOURCES/redhatsecureboot601.cer b/SOURCES/redhatsecureboot601.cer deleted file mode 100644 index c92b96b4e0d360b90333361ea61f565f196ea20e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 916 zcmXqLVxC~o#8k0>nTe5!iId^-97p53+3_w0ylk9WZ60mkc^MhGSs4u64HXUK*_cCF zn0X|EQd1N>5=#_*enXpOwY^AOII)h zY9hwICPpP>zc8{gFgG#sGZ-{6axpbAGBQki!xdZoCRX_S>dV}-BbKHWadCWS=ictf zX!LID`KNZP*Y{*9L|}%3_emT z=3e&*+PO}C!>cFT-xY3>#+jTtA9;|7?{ zfN{gfkisa`?6XkHTKh%6xuB-@a@A8u|2@AV?)Y1R|85iijb|M5C)`>v`vA}Wwb4kOkuKYkrH2^@l99De!}lh|79J&NCf?#_qJr(?s~t*IWParC|#~@cmCKBc#uW$e87pz^*}ZFcLToW*~c?muOF`th~Ca6;MkH0u8E;ZRmJw4GFuwHdd(wk|9y*>0095ZYghmP 
diff --git a/SOURCES/redhatsecurebootca3.cer b/SOURCES/redhatsecurebootca3.cer deleted file mode 100644 index b2354007b9668258683b99a68fa5bdd3067c31b1..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 977 zcmXqLVm@oo#I$t*GZP~d6DPykKFO2}lmD>>ylk9WZ60mkc^MhGSs4s`4b=@)*_cCF zn1$tnQd1N>5=#_OQj1C) zic(WD5=-=w^K%X4#CZ)(42%qc(8R>VG)kP;*xbO#zzoWzwslR6O2{5!WMyD(V&rEq zXkz4IYGPz$nC+~vi6EDouC4!V-;tv&JA zN}nf->iaHo2tM8rAb&8=Njdj{a^${=Z?aE)&k<1VH{Q3Wx7jKD-_5CYum4K4d~JV` z`ccOE*<7!m22LI4&u3g0F3h!NN?ysm?c*7~^lIfF3D-Xhnr_&uU!bJ$?ZS8WW+A0- zr9raw{Iep~On)hDAUrqc*pZy>@YoE^;z#ABPp))utMY{K9XOZuN+87Vv97^}gccFK z6&c%&T=rzVyKuJ1S>c?Rq?77kYS zv==`X%}MC|0a-81!fL?G$oL;QPJxLO7^jR3 zp{b9(0{X(lQ;+K%h_CKtxc%nd+9kH!CBia&JkgcqO9LvF9(I1~^2+p(_fBqs&+@+g zjZG)^b(y8?lr#NV`RkoR|I-BpaSiJiPBV7drX0Bbe!0fPB95K&)ygj1YM5%bK;(6L z=7Y@r2hM%A`uyr;o|A^(c{icYtu_B=WuE^MZ_<i|1QMhsQHT z4}wg*#%C!d<*ePQAKPyWoS|9R;jPUx*P-5Ksuo_~6c3tyKHzf+y+r*{_;vOAw> zmv4Wk&h*1hGe;ze)#t#BH;PsH)$e|FOmna8+@9jW!^ymRMf{q+C84h)mppfN*sxn6 NnfI|Q%N6m!6aeL$dME$@ diff --git a/SOURCES/redhatsecurebootca5.cer b/SOURCES/redhatsecurebootca5.cer deleted file mode 100644 index dfb0284954861282d1a0ce16c8c5cdc71c27659f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 920 zcmXqLVxD5q#8k6@nTe5!iIbtZm{+@~;bN2lFB_*;n@8JsUPeZ4RtAH3LoovpHs(+k zE*{>X)D#7e#1b6^&%9(kLq!95kT^4s1XNrhI5oMnC{@8JKfgr5*-^pNP{}|6ZW6NxP$#b?ru1p1aqn$3D)YB{Qqo zjCvjz?|=HkE#3AN-xTZpws*U~)f@DZ{t~uwMZy8<;F%jD%$u6!n#qYzp^Sryh{C;x9qf@!N=T4ui@b#({ zSD&^p3kNZ=9lAQ9%xdfP9doNToV+k2^LHOFD{5oE&78StJa^8n7$i2k94PWc<&xr*# z`sciS&XK#@>h!OC8{=mczNLHbADCJ+pE=-CsaDOF#s}?5Q)1qq&%R~#cz>QmiAiVx zk5XXYstAL9d+iK-w@u$FESybMIPOFY~9lmn~9nUf%vMc88@((p0B(#qL+!COmt7`j5IhPVzo{cRPw} Pd!}BnFF!b8N6JS4>O*3Z diff --git a/SPECS/grub2.spec b/SPECS/grub2.spec index f5ee3a2..7da6827 100644 --- a/SPECS/grub2.spec +++ b/SPECS/grub2.spec 
@@ -14,7 +14,7 @@ Name: grub2 Epoch: 1 Version: 2.06 -Release: 16%{?dist} +Release: 23%{?dist} Summary: Bootloader with support for Linux, Multiboot and more License: GPLv3+ URL: http://www.gnu.org/software/grub/ @@ -32,29 +32,27 @@ Source9: strtoull_test.c Source10: 20-grub.install Source11: grub.patches Source12: sbat.csv.in -Source13: redhatsecurebootca3.cer -Source14: redhatsecureboot301.cer -Source15: redhatsecurebootca5.cer -Source16: redhatsecureboot502.cer -Source17: redhatsecureboot303.cer -Source18: redhatsecureboot601.cer %include %{SOURCE1} -%if 0%{with_efi_arch} -%define old_sb_ca %{SOURCE13} -%define old_sb_cer %{SOURCE14} -%define old_sb_key redhatsecureboot301 -%define sb_ca %{SOURCE15} -%define sb_cer %{SOURCE16} -%define sb_key redhatsecureboot502 +%ifarch x86_64 aarch64 ppc64le +%define sb_ca %{_datadir}/pki/sb-certs/secureboot-ca-%{_arch}.cer +%define sb_cer %{_datadir}/pki/sb-certs/secureboot-grub2-%{_arch}.cer %endif +%if 0%{?centos} +%ifarch x86_64 aarch64 ppc64le +%define sb_key centossecureboot202 +%endif +%else +%ifarch x86_64 aarch64 +%define sb_key redhatsecureboot502 +%endif %ifarch ppc64le -%define old_sb_cer %{SOURCE17} -%define sb_cer %{SOURCE18} %define sb_key redhatsecureboot602 %endif +%endif + BuildRequires: gcc efi-srpm-macros BuildRequires: flex bison binutils python3 @@ -72,6 +70,9 @@ BuildRequires: systemd %ifarch %{efi_arch} BuildRequires: pesign >= 0.99-8 %endif +%ifarch aarch64 ppc64le x86_64 +BuildRequires: system-sb-certs +%endif %if %{?_with_ccache: 1}%{?!_with_ccache: 0} BuildRequires: ccache %endif @@ -156,9 +157,6 @@ This subpackage provides tools for support of all platforms. %if 0%{with_efi_arch} %{expand:%define_efi_variant %%{package_arch} -o} %endif -%if 0%{with_alt_efi_arch} -%{expand:%define_efi_variant %%{alt_package_arch}} -%endif %if 0%{with_legacy_arch} %{expand:%define_legacy_variant %%{legacy_package_arch}} %endif 
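Review bot: The Secure Boot certificate macros are now defined under `%ifarch x86_64 aarch64 ppc64le`, but the build that consumes them is still gated on `%if 0%{with_efi_arch}` (hunk @@ -213,10 +205,7 @@), whereas the removed block tied `sb_ca`/`sb_cer`/`sb_key` to `with_efi_arch` itself so the two conditions could not drift apart. If any other architecture sets `with_efi_arch` (the list lives in grub.macros, not in this diff), `%{sb_ca}`, `%{sb_cer}` and `%{sb_key}` would remain undefined and be passed to pesign as literal macro text instead of stopping the build at the definition site. A guard next to the definitions, `%if 0%{with_efi_arch}` / `%{!?sb_key:%{error:sb_key is not defined for %{_arch}}}` / `%endif`, turns that mismatch into a build error with a clear message. The `%ifarch x86_64 aarch64 ppc64le` list is also repeated inside the `%if 0%{?centos}` branch; a comment such as `# sb_key is the pesign/rpm-sign key name (per distro); cert paths come from system-sb-certs (per arch)` above the block would record why the two are split.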
@@ -191,12 +189,6 @@ sed -e "s,@@VERSION@@,%{version},g" -e "s,@@VERSION_RELEASE@@,%{version}-%{relea %{SOURCE12} > grub-%{grubefiarch}-%{tarversion}/sbat.csv git add grub-%{grubefiarch}-%{tarversion} %endif -%if 0%{with_alt_efi_arch} -mkdir grub-%{grubaltefiarch}-%{tarversion} -grep -A100000 '# stuff "make" creates' .gitignore > grub-%{grubaltefiarch}-%{tarversion}/.gitignore -cp %{SOURCE4} grub-%{grubaltefiarch}-%{tarversion}/unifont.pcf.gz -git add grub-%{grubaltefiarch}-%{tarversion} -%endif %if 0%{with_legacy_arch} mkdir grub-%{grublegacyarch}-%{tarversion} grep -A100000 '# stuff "make" creates' .gitignore > grub-%{grublegacyarch}-%{tarversion}/.gitignore @@ -213,10 +205,7 @@ git commit -m "After making subdirs" %build %if 0%{with_efi_arch} -%{expand:%do_primary_efi_build %%{grubefiarch} %%{grubefiname} %%{grubeficdname} %%{_target_platform} %%{efi_target_cflags} %%{efi_host_cflags} %{old_sb_ca} %{old_sb_cer} %{old_sb_key} %{sb_ca} %{sb_cer} %{sb_key}} -%endif -%if 0%{with_alt_efi_arch} -%{expand:%do_alt_efi_build %%{grubaltefiarch} %%{grubaltefiname} %%{grubalteficdname} %%{_alt_target_platform} %%{alt_efi_target_cflags} %%{alt_efi_host_cflags} %{old_sb_ca} %{old_sb_cer} %{old_sb_key} %{sb_ca} %{sb_cer} %{sb_key}} +%{expand:%do_primary_efi_build %%{grubefiarch} %%{grubefiname} %%{grubeficdname} %%{_target_platform} %%{efi_target_cflags} %%{efi_host_cflags} %{sb_ca} %{sb_cer} %{sb_key}} %endif %if 0%{with_legacy_arch} %{expand:%do_legacy_build %%{grublegacyarch}} @@ -225,7 +214,7 @@ git commit -m "After making subdirs" %{expand:%do_emu_build} %endif %ifarch ppc64le -%{expand:%do_ieee1275_build_images %%{grublegacyarch} %{grubelfname} %{old_sb_cer} %{sb_cer} %{sb_key}} +%{expand:%do_ieee1275_build_images %%{grublegacyarch} %{grubelfname} %{sb_cer} %{sb_key}} %endif makeinfo --info --no-split -I docs -o docs/grub-dev.info \ docs/grub-dev.texi 
@@ -244,11 +233,8 @@ rm -fr $RPM_BUILD_ROOT %if 0%{with_efi_arch} %{expand:%do_efi_install %%{grubefiarch} %%{grubefiname} %%{grubeficdname}} %endif -%if 0%{with_alt_efi_arch} -%{expand:%do_alt_efi_install %%{grubaltefiarch} %%{grubaltefiname} %%{grubalteficdname}} -%endif %if 0%{with_legacy_arch} -%{expand:%do_legacy_install %%{grublegacyarch} %%{alt_grub_target_name} 0%{with_efi_arch}} +%{expand:%do_legacy_install %%{grublegacyarch} 0%{with_efi_arch}} %endif %if 0%{with_emu_arch} %{expand:%do_emu_install %%{package_arch}} @@ -529,9 +515,6 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg %if 0%{with_efi_arch} %{expand:%define_efi_variant_files %%{package_arch} %%{grubefiname} %%{grubeficdname} %%{grubefiarch} %%{target_cpu_name} %%{grub_target_name}} %endif -%if 0%{with_alt_efi_arch} -%{expand:%define_efi_variant_files %%{alt_package_arch} %%{grubaltefiname} %%{grubalteficdname} %%{grubaltefiarch} %%{alt_target_cpu_name} %%{alt_grub_target_name}} -%endif %if 0%{with_legacy_arch} %{expand:%define_legacy_variant_files %%{legacy_package_arch} %%{grublegacyarch}} %endif 
@@ -547,7 +530,35 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg %endif %changelog -* Tue Jan 04 2021 Robbie Harwood - 2.06-16 +* Fri Feb 18 2022 Robbie Harwood - 2.06-23 +- Re-arm GRUB_ENABLE_BLSCFG=false +- Resolves: #2018331 + +* Fri Feb 18 2022 Robbie Harwood - 2.06-22 +- Stop building unsupported 32-bit UEFI stuff +- Resolves: #2038401 + +* Wed Feb 16 2022 Brian Stinson - 2.06-21 +- Require Secure Boot certs based on architecture +- Resolves: #2049214 + +* Wed Feb 16 2022 Brian Stinson - 2.06-20 +- Conditionalize Secure Boot settings per architecture +- Resolves: #2049214 + +* Wed Feb 16 2022 Robbie Harwood - 2.06-19 +- Attempt to fix ppc64le signing bugs in previous change +- Resolves: #2049214 + +* Wed Feb 16 2022 Robbie Harwood - 2.06-18 +- Switch to single-signing and use certs from package (bstinson) +- Resolves: #2049214 + +* Wed Feb 02 2022 Robbie Harwood - 2.06-17 +- CVE-2021-3981 (Incorrect read permission in grub.cfg) +- Resolves: rhbz#2030724 + +* Tue Jan 04 2022 Robbie Harwood - 2.06-16 - Stop having this problem and just copy over the beta tree - Resolves: rhbz#2006784