ppc/mkimage/appendedsig: Upstream code sync for alignment and sbat

Related: #RHEL-24742
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>

0534-util-grub-mkimagexx-Stop-generating-unaligned-append.patch

@@ -0,0 +1,81 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
+Date: Fri, 2 Jan 2026 16:13:13 +0530
+Subject: [PATCH] util/grub-mkimagexx: Stop generating unaligned appended
+ signatures
+
+When creating the core image with an unaligned appended signature size,
+e.g. 479, for PowerPC, the grub-mkimage aligns the appended signature
+size to a multiple of 4 bytes, but it does not add a padding needed to
+align to multiple of 4 bytes appended signature size in the appended
+signature ELF note. Therefore, after signing and installing this core
+image, the firmware tries to read the magic string "~Module signature
+appended~" from the appended signature ELF note but gets the partial
+magic string like "Module signature appended~". It leads to the appended
+signature magic string match failure.
+
+Example:
+  grub-mkimage -O powerpc-ieee1275 -o core.elf -p /grub -x \
+    kernel.der --appended-signature-size 479 ...
+
+  sign-file SHA256 ./grub.key ./grub.pem ./core.elf ./core.elf.signed
+
+Without padding: hexdump -C ./core.elf.signed
+  ...
+  00383550  00 00 00 13 00 00 01 e0  41 53 69 67 41 70 70 65  |........ASigAppe|
+  00383560  6e 64 65 64 2d 53 69 67  6e 61 74 75 72 65 00 00  |nded-Signature..|
+  ...
+  003836f0  dd 47 cd ed 02 8e 15 af  5b 09 2e 44 6f da 67 88  |.G......[..Do.g.|
+  00383700  4d 94 17 31 26 9d 47 95  d8 7c ad 36 00 d2 9c 53  |M..1&.G..|.6...S|
+  00383710  20 e0 af 60 78 cd 22 e6  ed 45 1e b1 e7 7e cf b5  | ..`x."..E...~..|
+  00383720  fc 58 ec df 1b ab 7a 00  00 02 00 00 00 00 00 00  |.X....z.........|
+  00383730  00 01 b7 7e 4d 6f 64 75  6c 65 20 73 69 67 6e 61  |...~Module signa|
+  00383740  74 75 72 65 20 61 70 70  65 6e 64 65 64 7e 0a     |ture appended~.|
+
+Fix this by adding a padding required to align appended signature size in the
+appended signature ELF note to multiple of 4 bytes.
+
+Example:
+  grub-mkimage -O powerpc-ieee1275 -o core.elf -p /grub -x \
+    kernel.der --appended-signature-size 479 ...
+
+  sign-file SHA256 ./grub.key ./grub.pem ./core.elf ./core.elf.signed
+
+With padding: hexdump -C ./core.elf.signed
+  ...
+  00137460  62 00 00 00 00 00 00 13  00 00 01 ec 41 53 69 67  |b...........ASig|
+  00137470  41 70 70 65 6e 64 65 64  2d 53 69 67 6e 61 74 75  |Appended-Signatu|
+  ...
+  00137610  b7 07 cd b6 c8 ca 9a 5b  7c 13 8c 75 1d 1c 54 81  |.......[|..u..T.|
+  00137620  7f c4 9a 8b bd d7 73 8d  2f 7d d2 e6 d1 3c 52 a9  |......s./}...<R.|
+  00137630  4e 0b e5 24 ba 0a 82 aa  8e c5 86 fa e1 19 50 ec  |N..$..........P.|
+  00137640  9f a7 9a ed e5 ed 13 35  00 00 02 00 00 00 00 00  |.......5........|
+  00137650  00 00 01 c2 7e 4d 6f 64  75 6c 65 20 73 69 67 6e  |....~Module sign|
+  00137660  61 74 75 72 65 20 61 70  70 65 6e 64 65 64 7e 0a  |ature appended~.|
+
+Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ util/grub-mkimagexx.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/util/grub-mkimagexx.c b/util/grub-mkimagexx.c
+index 0eb1c3fe88c5..7fb5705675a7 100644
+--- a/util/grub-mkimagexx.c
++++ b/util/grub-mkimagexx.c
+@@ -247,13 +247,8 @@ SUFFIX (grub_mkimage_generate_elf) (const struct grub_install_image_target_desc
+   if (appsig_size)
+     {
+       phnum++;
+-      /*
+-       * Rounds a appended signature size + appended signature note size up to
+-       * the nearest multiple of a 4-byte alignment.
+-       */
+-      footer_size += ALIGN_UP (sizeof (struct grub_appended_signature_note) + appsig_size, 4);
+-      /* Truncating to appended signature size. */
+-      footer_size -= appsig_size;
++      footer_size += ALIGN_UP (sizeof (struct grub_appended_signature_note), 4);
++      footer_size += ALIGN_UP_OVERHEAD (appsig_size, 4);
+     }
+ 
+   if (image_target->id != IMAGE_LOONGSON_ELF)

0535-grub-mkimage-Do-not-generate-empty-SBAT-metadata.patch

@@ -0,0 +1,61 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
+Date: Wed, 24 Dec 2025 17:58:59 +0530
+Subject: [PATCH] grub-mkimage: Do not generate empty SBAT metadata
+
+When creating core.elf with SBAT the grub-mkimage does not check if
+an SBAT metadata file contains at least an SBAT header or not. It leads to
+adding an empty SBAT ELF note for PowerPC and the .sbat section for EFI.
+Fix this by checking the SBAT metadata file size against the SBAT header
+size before adding SBAT contents to the ELF note or .sbat section.
+
+Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ util/mkimage.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/util/mkimage.c b/util/mkimage.c
+index 004e71182afb..e9c0adb90490 100644
+--- a/util/mkimage.c
++++ b/util/mkimage.c
+@@ -56,6 +56,9 @@
+ 
+ #pragma GCC diagnostic ignored "-Wcast-align"
+ 
++#define SBAT_HEADER      "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md"
++#define SBAT_HEADER_SIZE (sizeof (SBAT_HEADER))
++
+ #define TARGET_NO_FIELD 0xffffffff
+ 
+ /* use 2015-01-01T00:00:00+0000 as a stock timestamp */
+@@ -948,6 +951,12 @@ grub_install_generate_image (const char *dir, const char *prefix,
+ 
+   if (sbat_path != NULL && (image_target->id != IMAGE_EFI && image_target->id != IMAGE_PPC))
+     grub_util_error (_("SBAT data can be added only to EFI or powerpc-ieee1275 images"));
++  else if (sbat_path != NULL)
++    {
++      sbat_size = grub_util_get_image_size (sbat_path);
++      if (sbat_size < SBAT_HEADER_SIZE)
++        grub_util_error (_("%s file should contain at least an SBAT header"), sbat_path);
++    }
+ 
+   if (appsig_size != 0 && image_target->id != IMAGE_PPC)
+     grub_util_error (_("appended signature can be support only to powerpc-ieee1275 images"));
+@@ -1382,7 +1391,7 @@ grub_install_generate_image (const char *dir, const char *prefix,
+ 
+ 	if (sbat_path != NULL)
+ 	  {
+-	    sbat_size = ALIGN_ADDR (grub_util_get_image_size (sbat_path));
++	    sbat_size = ALIGN_ADDR (sbat_size);
+ 	    sbat_size = ALIGN_UP (sbat_size, GRUB_PE32_FILE_ALIGNMENT);
+ 	  }
+ 
+@@ -1822,7 +1831,6 @@ grub_install_generate_image (const char *dir, const char *prefix,
+ 	char *sbat = NULL;
+ 	if (sbat_path != NULL)
+ 	  {
+-	    sbat_size = grub_util_get_image_size (sbat_path);
+ 	    sbat = xmalloc (sbat_size);
+ 	    grub_util_load_image (sbat_path, sbat);
+ 	    layout.sbat_size = sbat_size;

grub.patches

@@ -530,3 +530,5 @@ Patch0530: 0530-normal-main-Unregister-commands-on-module-unload.patch
 Patch0531: 0531-tests-lib-functional_test-Unregister-commands-on-mod.patch
 Patch0532: 0532-commands-usbtest-Use-correct-string-length-field.patch
 Patch0533: 0533-commands-usbtest-Ensure-string-length-is-sufficient-.patch
+Patch0534: 0534-util-grub-mkimagexx-Stop-generating-unaligned-append.patch
+Patch0535: 0535-grub-mkimage-Do-not-generate-empty-SBAT-metadata.patch

grub2.spec

@@ -16,7 +16,7 @@
 Name:		grub2
 Epoch:		1
 Version:	2.06
-Release:	122%{?dist}
+Release:	123%{?dist}
 Summary:	Bootloader with support for Linux, Multiboot and more
 License:	GPLv3+
 URL:		http://www.gnu.org/software/grub/
@@ -538,6 +538,10 @@ fi
 %endif
 
 %changelog
+* Fri Feb 06 2026 Nicolas Frayer <nfrayer@redhat.com> 2.06-123
+- ppc/mkimage/appendedsig: Upstream code sync for alignment and sbat
+- Related: #RHEL-24742
+
 * Wed Feb 04 2026 Nicolas Frayer <nfrayer@redhat.com> 2.06-122
 - Fix several security issues about module unloading and file handling
 - Resolved: #RHEL-141594