Besides re-introducing the annobin sed replacements, it fixes
duplicate '-fstack-protector-strong' flags and removes the sed
replacement '-fno-stack-protector' as it has no effect.
Resolves: #RHEL-89464
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
Besides enabling the strong stack protector flag, it also removes the
sed empty replacements for annobin, so now most binaries include the
annobin section, required by the CI annocheck tool.
Resolves: #RHEL-89464
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
Fix the rpm verification issues. On the other hand, 2.06-121 [1]
introduced a change on grub2-mkconfig where it prevents overwriting
`${EFI_HOME}/grub.cfg` with side effects on the `%posttrans`
scriptlet, where it tries to recreate it in case this file does not
exist but due to [1] the `${EFI}/grub.cfg` file would never be
created. Fix the `%posttrans` code with the logic but applied to
${GRUB_HOME}/grub.cfg. On the same scriptlet, make sure
${EFI_HOME}/grub.cfg is present before grepping into it.
[1] https://pkgs.devel.redhat.com/cgit/rpms/grub2/commit/?h=rhel-10-main&id=9c6e5cf6c8e597efbf6a10399371789fddafac12
Resolves: #RHEL-56918
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
xz decompression is very slow and slows down boot by around 5 seconds on
aarch64/Apple M1 when using the default font. Switch to lzop, which
takes less than one second to uncompress.
This increases EFI core image size by around 11%.
Signed-off-by: Hector Martin <marcan@marcan.st>
This enables PXE booting with grub2 rather than syslinux.
Signed-off-by: Chris Adams <linux@cmadams.net>
[rharwood: bump spec, fix commit message]
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
lorax has its own code for building EFI images, and it needs the
font file to do that successfully, so let's make sure it's there
for lorax to find. This doesn't revert the embedding change,
it just reverts the part where we don't bother to install the
font to /boot/grub2/fonts any more.
Signed-off-by: Adam Williamson <awilliam@redhat.com>
There's no point to this (the packaging isn't generic, confusion between
grub and grub2 in places, it's not fewer characters to type, have to
think about escaping in macros, ...) and it makes searching for things
needlessly difficult.
This finishes the revert of 967c5629ed
("Don't harcode grub2 in the spec file") that was begun in
af038a0bdc ("Revert "Don't harcode grub2
in the spec file"").
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Two issues:
- line 538 switches the filename from "grub" to "grub2" where it
shouldn't
- in general, things that aren't referring to the packaging itself
shouldn't be %{name}; it just makes them less flexible.
This reverts commit 967c5629ed.
The annobin GCC plugin is now turned on linking for LTO mode but it causes
build failures on at least powerpc. The plugin is already removed from the
CFLAGS but was added again through LDFLAGS, remove from there as well.
Signed-off-by: Peter Jones <pjones@redhat.com>
There's a variable for this, use it consistently.
Suggested-by: Benjamin Herrenschmidt <benh@amazon.com>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
GRUB is now using /boot/grub2 as the directory where all the resources are
loaded, but the unicode.pf2 is still installed in the EFI System Partition.
Resolves: rhbz#1739762
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
The GRUB configuration files layout on EFI platforms isn't consistent with
other non-EFI platforms (e.g: legacy BIOS x86 and Open Firmware ppc64le).
On platforms using EFI, the GRUB config file (grub.cfg) and environment
variables block (grubenv) are stored in the EFI System Partition (ESP),
while for non-EFI platforms these are stored in the boot partition (or
/boot directory if no boot partition is used).
The reason for this is that the path where the GRUB bootloader searches
for its configuration file varies depending on the firmware interface.
For EFI the GRUB binary is located in the ESP and it expects to find its
config file in that location as well. But this creates the mentioned
inconsistency, because the GRUB configuration file has to be stored in
/boot/efi/EFI/fedora/grub.cfg while for non-EFI platforms it has to be
stored in /boot/grub2/grub.cfg.
To allow all platforms to have the GRUB config file in the same location,
only a minimal config file could be stored in the ESP and this will load
the one that is stored in /boot/grub2.
Related: rhbz#1918817
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
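The layout described in the commit message above, as an added shell example that is not the grub2 package's own scriptlet: it writes a minimal ESP `grub.cfg` that finds the boot filesystem by UUID and loads the full config from the grub2 directory. The function names, arguments and the UUID are constructed for illustration; both inputs are validated so that no extra GRUB commands can end up in the stub.

```shell
#!/bin/sh
# Added illustration, not the package's scriptlet. stub_text and write_stub
# are hypothetical helper names; the UUID in the demo is constructed.

# Emit the stub. $1 = UUID of the filesystem that holds /boot,
# $2 = grub2 directory relative to that filesystem's root
# ("/grub2" with a separate /boot partition, "/boot/grub2" without one).
stub_text() {
    cat <<EOF
search --no-floppy --fs-uuid --set=dev $1
set prefix=(\$dev)$2
export prefix
configfile \$prefix/grub.cfg
EOF
}

# Write the stub into the ESP directory $1. Inputs are interpolated into a
# file GRUB executes, so anything outside a strict character set is refused.
write_stub() {
    esp_dir=$1 uuid=$2 rel=$3
    case $uuid in
        ''|*[!0-9A-Fa-f-]*) echo "invalid filesystem UUID" >&2; return 1 ;;
    esac
    case $rel in
        *[!A-Za-z0-9_./-]*) echo "invalid grub2 path" >&2; return 1 ;;
        /*) ;;
        *) echo "grub2 path must start with /" >&2; return 1 ;;
    esac
    # Go through a temporary file so a failed write never replaces a good stub.
    tmp=$(mktemp "$esp_dir/grub.cfg.XXXXXX") || return 1
    if stub_text "$uuid" "$rel" > "$tmp"; then
        mv -f "$tmp" "$esp_dir/grub.cfg"
    else
        rm -f "$tmp"; return 1
    fi
}

# Demo: a scratch directory stands in for the ESP vendor directory.
demo_dir=$(mktemp -d)
write_stub "$demo_dir" "0a1b2c3d-1111-2222-3333-444455556666" "/grub2" \
    && cat "$demo_dir/grub.cfg"
rm -rf "$demo_dir"
```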
GRUB uses -march=i386 to build the x86 BIOS code but recent changes in the
default %{optflags} enabled the -fcf-protection flag that's not compatible
with pre-i686 CPUs.
This led to a build error in the grub2 package. To avoid this failure and
let the package build again, remove the -fcf-protection flag for now.
Related: rhbz#1915452
Signed-off-by: Jeff Law <law@redhat.com>
Users can unintentionally remove the grub2 packages and break their system
by deleting the bootloader. To prevent this mark them as protected by DNF.
Resolves: rhbz#1874541
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
The /boot/grub2/grubenv file is not installed by the grub2 packages but
is either a symbolic link created on %install or a regular file created
by Anaconda during installation.
This is causing the tps-rpmtest to fail in some architectures since the
file attributes don't match what's expected by the package. Because it is
a special file, make verification ignore the size, mode, checksum
and mtime attributes.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
The Default Boot Behavior for EFI if no BootOrder and Boot#### variables
are found is to look for an ESP and start \EFI\BOOT\BOOT{$arch}.efi.
This is usually fallback.efi installed by the shim package, but since shim
isn't used on armv7, there's no \EFI\BOOT\BOOTARM.EFI installed in the ESP.
So install GRUB as \EFI\BOOT\BOOTARM.EFI for armv7 so there is a default
EFI binary to be started.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Since GRUB 2.04 there is support for TPM measurements in a tpm module that
uses the verifiers framework. So this is used now instead of the previous
downstream patches that we were carrying.
But we forgot to enable this module when rebasing to 2.04 which leads to
GRUB no longer measuring the kernel, initrd and command line parameters.
One side effect of using the verifiers framework is that if measurements
fail, GRUB won't be able to open the files since the errors from the tpm
module are propagated. This means that a firmware with buggy tpm support
will prevent the machine from booting, which was not the case with the previous
downstream patches. Don't propagate the measurement errors to prevent this.
Resolves: rhbz#1836433
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>