Commit Graph

58 Commits

Author SHA1 Message Date
Robbie Harwood
3bdba954d6 Bump SBAT
Resolves: CVE-2022-2601
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-11-08 11:21:19 -05:00
Robbie Harwood
f2a26f5bbb Font CVE fixes
Resolves: CVE-2022-2601
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-11-03 19:34:00 +00:00
Robbie Harwood
525d9dc867 gating: re-enable all tests
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-11-01 14:22:57 -04:00
Robbie Harwood
f6015fa651 TDX measurement to RTMR
Resolves: #1981487
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-10-28 13:06:11 -04:00
Robbie Harwood
1db6b68958 x86-efi: Fix an incorrect array size in kernel allocation
Resolves: #2031289
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-10-12 19:44:29 +00:00
Robbie Harwood
c1ebf6e8ba Sync /etc/kernel/cmdline generation with 2.06-52.fc38
Resolves: #1969362
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-08-25 17:31:05 +00:00
Robbie Harwood
5af1faa717 ieee1275: implement vec5 for cas negotiation
Resolves: #2121192
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-08-25 15:41:57 +00:00
Robbie Harwood
d449759abf Skip rpm mtime verification on likely-vfat filesystems
Resolves: #2047979
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-08-15 21:04:30 +00:00
Robbie Harwood
b3aed40f50 Generate BLS snippets during mkconfig
Resolves: #1969362
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-08-11 16:26:51 +00:00
Robbie Harwood
8f1a5b9955 Rest of kernel allocator fixups
Resolves: #2108456
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-08-02 14:42:02 +00:00
Robbie Harwood
217d6ad6ef Kernel allocator fixups
Resolves: #2108456
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-08-02 13:48:57 +00:00
Robbie Harwood
d938855e21 Rebuild against new ppc64le key
Resolves: #2074761
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-07-18 19:44:56 +00:00
Robbie Harwood
836032bc4e Rebuild against new ppc64le key
Resolves: #2074761
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-07-18 19:03:10 +00:00
Robbie Harwood
49f16a61fd Bump release
Resolves: #2051314
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-06-28 19:08:57 -04:00
Robbie Harwood
d1284519d3 Bless the TPM module on ppc64le
Resolves: #2051314
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-06-28 22:48:20 +00:00
Robbie Harwood
42b3050a74 CVE fixes for 2022-05-24
CVE-2022-28736 CVE-2022-28735 CVE-2022-28734 CVE-2022-28733
CVE-2021-3697 CVE-2021-3696 CVE-2021-3695
Resolves: #2070688

Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-06-03 14:09:47 -04:00
Robbie Harwood
1b83bb93b8 ppc64le: make ofdisk_retries optional
Resolves: #2070725
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-05-17 16:54:01 +00:00
Robbie Harwood
4ff57c1cdd ppc64le: CAS improvements, prefix detection, and vTPM support
Resolves: #2068281
Resolves: #2051314
Resolves: #2076798
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-05-04 18:29:29 +00:00
Robbie Harwood
f0e4b8c683 Fix rpm verification report on grub.cfg permissions
Resolves: #2076322
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-05-04 17:31:36 +00:00
Robbie Harwood
e3753ed4c2 First 9.1 build; no changes from 9.0
- Fix initialization on efidisk patch
- Re-run signing with updated redhat-release

Resolves: #2062874
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-05-04 12:06:10 -04:00
Robbie Harwood
01f68549dc Enable connectefi module
Resolves: #2049219
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-02-28 19:16:25 +00:00
Robbie Harwood
82f85447d7 Add efidisk/connectefi patches
Resolves: #2049219
Resolves: #2049220
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-02-24 22:24:21 +00:00
Robbie Harwood
d08fc02f2d Re-arm GRUB_ENABLE_BLSCFG=false
Resolves: #2018331
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-02-18 21:21:20 +00:00
Robbie Harwood
bfdc50ae19 Stop building unsupported 32-bit UEFI stuff
Resolves: #2038401
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-02-18 20:38:05 +00:00
Brian Stinson
ea946fe76d Require Secure Boot certs based on architecture
Resolves: #2049214

Signed-off-by: Brian Stinson <bstinson@redhat.com>
2022-02-16 15:55:59 -06:00
Brian Stinson
726ced531a Conditionalize Secure Boot settings per architecture
Related: rhbz#2049214

Signed-off-by: Brian Stinson <bstinson@redhat.com>
2022-02-16 15:13:14 -06:00
Robbie Harwood
2ab799de70 Attempt to fix ppc64le signing bugs in previous change
Resolves: #2049214
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-02-16 19:05:03 +00:00
Robbie Harwood
c4d20133ef Bump spec for previous two signing commits
Resolves: #2049214
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-02-16 12:41:39 -05:00
Brian Stinson
3f01b520d0 Point secureboot certs at the paths defined by the *-sb-certs packages
Resolves: rhbz#2049214

Signed-off-by: Brian Stinson <bstinson@redhat.com>
[rharwood: commit message, conditional fix]
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-02-16 12:39:39 -05:00
Brian Stinson
ac3d500683 Switch grub2 back to single-signing for Secure Boot
Related: rhbz#2049214

Signed-off-by: Brian Stinson <bstinson@redhat.com>
2022-02-15 13:00:50 -06:00
Robbie Harwood
6bb9a7593b CVE-2021-3981 (Incorrect read permission in grub.cfg)
Resolves: rhbz#2030724
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-02-02 11:28:15 -05:00
Robbie Harwood
161ae8daaf Stop having this problem and just copy over the beta tree
Resolves: rhbz#2006784
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-01-04 20:33:19 +00:00
Robbie Harwood
0b61fb6968 Fix NVR in previous change; no code changes
Resolves: rhbz#2006784
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-01-04 14:50:01 -05:00
Robbie Harwood
1742f60e82 Rebuild for correct signatures
Resolves: rhbz#2006784
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-01-04 14:14:53 -05:00
Robbie Harwood
575027c3e4 Rebuild for signing; no code changes
Resolves: rhbz#2006784
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2021-12-21 15:50:56 +00:00
Robbie Harwood
29cb68279c Rebuild for gating; no code changes
Resolves: rhbz#2006784
2021-11-19 18:59:40 +00:00
Robbie Harwood
56200915a6 Version jump because our process is bad
Resolves: rhbz#2006784
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2021-10-26 16:36:28 -04:00
Robbie Harwood
4e8839634b Sync with beta changes
Resolves: rhbz#2006784
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2021-10-26 15:49:17 -04:00
Robbie Harwood
4c7c1f4aaf Rebuild for gating + rpminspect
Resolves: rhbz#2006784
2021-09-28 10:26:11 -04:00
Robbie Harwood
69afd9d3a2 Rebuild because our CI infrastructure doesn't work right
Resolves: rhbz#2006784
2021-09-23 11:24:24 -04:00
Javier Martinez Canillas
439f9e9576
Update to 2.06 final release and ton of fixes
Resolves: rhbz#1976771

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-08-31 13:37:28 +02:00
Javier Martinez Canillas
ea6c160b6a
Fix kernel cmdline params getting overwritten on ppc64le
Resolves: rhbz#1973564

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-06-23 11:03:25 +02:00
Javier Martinez Canillas
07b9866096
Add XFS needsrepair support
Resolves: rhbz#1940165

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-05-03 17:42:33 +02:00
Javier Martinez Canillas
d2aa233cb7
Find and claim more memory for ieee1275
Resolves: rhbz#1873860

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-04-26 11:17:41 +02:00
Javier Martinez Canillas
95fb16271d
Add XFS bigtime support
Resolves: rhbz#1940165

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-04-14 16:15:54 +02:00
Javier Martinez Canillas
294df22ef5
do-rebase: use centpkg instead of fedpkg for centos rebases
Related: rhbz#1940165

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-04-14 16:15:34 +02:00
Javier Martinez Canillas
583bcec955
Enable RHEL gating
Tier 1 tests for GRUB are run in the BaseOS CI pipeline, add a gating.yaml
file for these gating tests to run when doing RHEL builds.

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-04-14 12:10:18 +02:00
Javier Martinez Canillas
3131f9646a
Use RHEL distro SBAT data also for CentOS Stream
We were adding a CentOS Stream specific SBAT component entry, but doesn't
really make sense since the RHEL 9 content is exactly the same. Otherwise,
in case of a revocation there will be needed two entries in the SbatLevel
variable for no good reasons.

Related: rhbz#1947696

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-04-13 17:22:54 +02:00
Javier Martinez Canillas
09511e8638
Update distro SBAT entry to contain information about CentOS Stream
Related: rhbz#1947696

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-04-12 01:36:21 +02:00
Javier Martinez Canillas
1d49572ef1
Update to latest content from upstream sources
The content of this branch was not automatically imported from upstream
sources. Pull the latest from upstream to have the missing changes here.

Source: https://src.fedoraproject.org/rpms/grub2.git#f2763e56df79eccae17d2e8fa13d2f51a0fe7073

Resolves: rhbz#1947696

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-04-12 01:36:21 +02:00