Commit Graph

140 Commits

Author SHA1 Message Date
Nicolas Frayer
c4ea783e4d ieee1275/powerpc: implements fibre channel discovery for ofpathname
Resolves: #RHEL-53369

Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2026-06-18 11:21:26 +02:00
Nicolas Frayer
eb2783a08c CentOS: Sign grub with 802
Resolves: #RHEL-182487
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2026-06-05 15:29:05 +02:00
Josue Hernandez
e6d9060821 Change login error message
Login error message shows the line of code where it was called,
which is not user friendly. This proposal adds better and more
human log messages when authentication fails.

Resolves: #RHEL-180631

Signed-off-by: Josue Hernandez <josherna@redhat.com>
2026-06-02 11:49:01 -06:00
Josue Hernandez
1d3eeb3e18 kern/efi/mm: Change to keep track of map allocation size
Resolves: #RHEL-148310

Signed-off-by: Josue Hernandez <josherna@redhat.com>
2026-03-09 16:26:58 -06:00
Nicolas Frayer
e462386088 ppc64le/sbat: Add an sbat CSV file for ppc64le
Resolves: #RHEL-146555
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2026-03-05 15:23:30 +01:00
Nicolas Frayer
07dbf9d2b1 ppc64le: Pointing to the right cert after redhat-release change
Related: #RHEL-24742
Signed-off-by: Marta Lewandowska <mlewando@redhat.com>
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2026-02-13 13:48:46 +01:00
Nicolas Frayer
f3ad4de544 ppc/mkimage/appendedsig: Upstream code sync for alignment and sbat
Related: #RHEL-24742
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2026-02-06 16:30:22 +01:00
Nicolas Frayer
3ffe88cd96 Fix several security issues about module unloading and file handling
Resolves: #RHEL-141594
Resolves: #CVE-2025-54771 #CVE-2025-61661
Resolves: #CVE-2025-61662 #CVE-2025-61663 #CVE-2025-61664
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2026-02-05 11:02:08 +01:00
Leo Sandoval
0d94677103 rpminspect: disable abidiff inspections
GRUB does not care about ABI changes between versions, e.g. modules are
not intended to be loaded in different GRUB versions, thus abidiff
inspections are irrelevant.

Resolves: #RHEL-106446
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
2025-12-08 11:43:45 -06:00
Nicolas Frayer
76c8afe3de appendedsig: Fix grub-mkimage with an unaligned appended signature size
Related: #RHEL-24742
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2025-12-03 13:01:57 +01:00
Nicolas Frayer
4fba475751 ieee1275: Upstream patches for appended signature support
Related: #RHEL-24742
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2025-11-28 11:27:32 +01:00
Leo Sandoval
167631343f spec: Update RHEL x86_64 and aarch64 signing key to redhatsecureboot802
Resolves: #RHEL-126136
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
2025-11-04 09:28:23 -06:00
Leo Sandoval
34986e4f79 Rebuilt to sign grub with new key
Resolves: #RHEL-124983
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
2025-10-31 08:39:17 -06:00
Leo Sandoval
5f95f2eaf5 Disable annobin stack protection check
Disable annobin stack check since grub's initialization code doesn't
support it.

Resolves: #RHEL-45712
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
2025-10-29 10:31:11 -06:00
Leo Sandoval
58ea0e86c8 Fix the fallback mechanism when menu entries fail to boot
Resolves: RHEL-109456
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
2025-09-08 14:43:06 -06:00
Leo Sandoval
5ce5f66d15 20-grub.install: Skip BLS removal when entry type is type2
UKI (package is kernel-uki-virt) is a single, bootable file that
bundles everything needed to start a Linux system. It contains its own
bootable stub and bypasses GRUB2 completely. The kernel-core and
kernel-uki-virt can coexist in one machine. And both of them call
kernel-install remove <kversion> upon package removal and this leads
to the complete removal of both the traditional kernel & its
artifacts (initramfs, BLS entry file, ...). For example, if the customer
removes kernel-uki-virt, currently it also removes the BLS entry, which
causes the regular kernel to fail to boot up. In
https://github.com/systemd/systemd/pull/37897 it added
--entry-type=type1|type2 option to kernel-install. type1 stands for
normal kernel, type2 stands for uki. When kernel-install is invoked
with --entry-type=type2 which is for UKI, we should not remove the BLS
entry.

Resolves: #RHEL-108008

Signed-off-by: Yuxin Sun <yuxisun@redhat.com>
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
2025-08-29 11:15:35 -06:00
Nicolas Frayer
c2bd8ad3b7 sbat: add new sbat entry for centos
Resolves: #RHEL-108060
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2025-08-07 16:43:31 +02:00
Leo Sandoval
b6fea26353 Set correctly the memory attributes for the kernel PE sections
Resolves: #RHEL-106075
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
2025-07-29 12:10:13 -06:00
Nicolas Frayer
f63b7984e5 spec/posttrans: move grub config stub creation out of spec
Resolves: #RHEL-69944
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2025-07-29 18:04:03 +02:00
Nicolas Frayer
3b726150c9 osdep/linux/getroot: Detect DDF container similar to IMSM
Resolves: #RHEL-44336
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2025-06-09 09:57:20 +02:00
Leo Sandoval
ca135ed532 Handle special kernel parameter characters properly
Resolves: #RHEL-64297
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
2025-06-02 16:54:10 -06:00
Nicolas Frayer
4b6a3a3027 ieee1275: Appended signature support
Resolves: #RHEL-24742
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2025-05-22 01:30:39 +02:00
Michal Sekletar
4946e4fb22 Remove BLS fake config on kernel removal
Resolves: #RHEL-83915
Signed-off-by: Michal Sekletar <msekleta@redhat.com>
Reviewed-by: Leo Sandoval <lsandova@redhat.com>
Reviewed-by: Marta Lewandowska <mlewando@redhat.com>
2025-05-14 17:20:53 +02:00
Nicolas Frayer
7e85c7e335 sbat: bump grub sbat for new shim release
Resolves: #RHEL-91278
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2025-05-14 11:52:14 +02:00
Nicolas Frayer
f00a43d2a6 ppc/mkimage: SBAT support on powerpc
Resolves: #RHEL-87421
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2025-04-15 18:42:57 +02:00
Nicolas Frayer
6b93e67189 fs/xfs: Sync with latest xfs upstream
Resolves: #RHEL-85960
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2025-04-04 15:26:02 +02:00
Nicolas Frayer
12da33fad6 ieee1275/ofnet: Fix grub_malloc() removed after added safe
Resolves: #RHEL-83117
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2025-03-25 14:56:25 +01:00
Petr Janda
04bc7689d6 The test result source for bootonce is different
Modify gating.yaml as the bootonce test is executed in a different way and
reported from a different source than stated in gating.yaml
2025-03-19 15:04:14 +00:00
Nicolas Frayer
d2abbf1abe Added the following 2 commits to optimize memory consumption
tpm: Disable the tpm verifier if the TPM device is not present
powerpc: increase MIN RMA size for CAS negotiation

Resolves: #RHEL-76558
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2025-03-17 15:53:16 +01:00
Leo Sandoval
e36472a9a9 Remove NTFS attribute verification patch
The removed patch was part of the CVE patches ported recently into RHEL but
is causing segfaults on dual boot (Windows & RHEL) systems when generating the
grub configuration with the grub2-mkconfig tool. At some point the same patch
will come back with the corresponding fix but for the time being, it is removed.

Related: RHEL-83117

Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
2025-03-11 13:07:50 -06:00
Nicolas Frayer
9e9b890c89 fs/ext2: Rework out-of-bounds read for inline and external extents
Related: RHEL-79857
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2025-02-26 18:34:09 +01:00
Nicolas Frayer
6eaa34fe07 Add several CVE fixes
- Resolves: CVE-2024-45779 CVE-2024-45778 CVE-2025-1118
- Resolves: CVE-2025-0677 CVE-2024-45782 CVE-2025-0690
- Resolves: CVE-2024-45783 CVE-2025-0624 CVE-2024-45776
- Resolves: CVE-2025-0622 CVE-2024-45774 CVE-2024-45775
- Resolves: CVE-2024-45781 CVE-2024-45780
- Resolves: #RHEL-79700
- Resolves: #RHEL-79341
- Resolves: #RHEL-79875
- Resolves: #RHEL-79849
- Resolves: #RHEL-79707
- Resolves: #RHEL-79857
- Resolves: #RHEL-79709
- Resolves: #RHEL-79846
- Resolves: #RHEL-75737
- Resolves: #RHEL-79713
- Resolves: #RHEL-73785
- Resolves: #RHEL-73787
- Resolves: #RHEL-79704
- Resolves: #RHEL-79702

Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2025-02-18 19:06:15 +01:00
Nicolas Frayer
76fac13a2b kern/ieee1275/init: Add IEEE 1275 Radix support for KVM on Power
Resolves: #RHEL-52761
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2025-01-13 15:09:05 +01:00
Petr Janda
765e24701b Add aarch64 specific test plan
Resolves: RHELMISC-7542
2024-12-20 15:17:52 +01:00
Leo Sandoval
69027610fe 10_linux.in: escape semicolon and ampersand on BLS update
Resolves: #RHEL-25558
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
2024-11-21 11:45:46 -06:00
Nicolas Frayer
0e73191379 cmd/search: Fix a possible NULL ptr dereference
Resolves: #RHEL-61263
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2024-10-17 12:06:22 +02:00
Nicolas Frayer
ec05bd1b7c arm64/linux: Allocate memory for kernel with EFI_LOADER_CODE type
Resolves: #RHEL-49868
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2024-08-13 20:21:40 +02:00
Leo Sandoval
d5d341df5d grub2.spec: Conditionally set grub config stub to 0600 mode
When upgrading from <=2.06-90 to newer versions, the grub config stub
may have different mode than 0600, so set the latter if this is the case.

Resolves: #RHEL-45870
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
2024-08-02 12:11:11 -06:00
Nicolas Frayer
93795b8bea grub2-mkconfig: Remove mountpoint check
Related: #RHEL-32099
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2024-08-02 11:26:39 +02:00
Leo Sandoval
17192e412c grub2.spec: bump release number
Previous commit did not bump the release from 87 to 88, so bump it
this time.

Signed-off-by: Leo Sandoval <lsandova@redhat.com>
2024-08-01 16:11:28 -06:00
Leo Sandoval
73fed98a8a grub.cfg: Fix rpm grub.cfg permission and verification issues
Fix the rpm verification issues (see NOTE below) introduced in 2.06-83 [1].
On the other hand, 2.06-85 [2] introduced a change on grub2-mkconfig where
it prevents overwriting `${EFI_HOME}/grub.cfg` with side effects on the
`%posttrans` scriptlet, where it tries to recreate it in case this
file does not exist but due to [2] the `${EFI}/grub.cfg` file is never
created. Fix the `%posttrans` code with the logic but applied to
${GRUB_HOME}/grub.cfg. On the same scriptlet, make sure
${EFI_HOME}/grub.cfg is present before grepping into it. The changes also
fix the issue reported on RHEL-45870 where now /boot/grub2/grub.cfg
conf file has the right permission (-rw-------).

NOTE: With 2.06-83 release, the grub.cfg configuration files regressed on
file's mode (M) verification

    [root@localhost ~]# rpm -Va
    S.5....T.  c /etc/ssh/sshd_config
    .M.......  c /boot/efi/EFI/redhat/grub.cfg
    .M.......  c /boot/grub2/grub.cfg

The following change fixes the issues above as seen in log

    [root@localhost ~]# rpm -Va
    S.5....T.  c /etc/ssh/sshd_config

[1] https://pkgs.devel.redhat.com/cgit/rpms/grub2/commit/?h=rhel-9-main&id=694ab652e3443719e3876e3d183e59b2f9e055fd
[2] https://pkgs.devel.redhat.com/cgit/rpms/grub2/commit/?h=rhel-9-main&id=0185426fb4d693307cda0c7740e9dcf9907cc146

Resolves: #RHEL-45870
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
2024-08-01 10:38:19 -06:00
032b849f1c grub2-mkconfig: Simplify os_name detection
2024-07-31 16:56:13 +00:00
Nicolas Frayer
9ad3caa95f changelog: fix version for previous commit
Related: #RHEL-4380
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2024-07-16 14:54:48 +02:00
Nicolas Frayer
d9c75f0368 chainloader: Remove unexpected "/EndEntire"
Resolves: #RHEL-4380
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2024-07-16 13:51:45 +02:00
Nicolas Frayer
0185426fb4 grub2-mkconfig: Prevent mkconfig from overwriting grub cfg stub
Resolves: #RHEL-32099
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2024-07-16 11:18:07 +02:00
Nicolas Frayer
9d1022b4b4 install/ppc64le: run grub2-mkconfig regardless of petitboot version
Resolves: #RHEL-45161
Signed-off-by: Marta Lewandowska <mlewando@redhat.com>
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2024-07-11 13:11:46 +02:00
Leo Sandoval
694ab652e3 grub-mkconfig.in: turn off executable owner bit
Resolves: RHEL-45870
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
2024-07-02 18:11:03 +02:00
Nicolas Frayer
038570df6f mkconfig/install: Remove BLS handling for XEN
Resolves: #RHEL-4386
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2024-06-27 14:57:23 +02:00
Nicolas Frayer
f6a3fef432 grub.cfg: Fix an issue when doing a major version upgrade
Resolves: #RHEL-45008
Signed-off-by: Marta Lewandowska <mlewando@redhat.com>
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2024-06-25 18:43:10 +02:00
Nicolas Frayer
9813a8aa32 spec: Added more code for the previous CVE fix
Related: #RHEL-36249
Related: #RHEL-36186
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2024-05-28 15:17:32 +02:00