Commit Graph

57 Commits

Author SHA1 Message Date
Peter Jones
47cf63735c "Minor" bug fixes
Resolves: CVE-2020-10713
Resolves: CVE-2020-14308
Resolves: CVE-2020-14309
Resolves: CVE-2020-14310
Resolves: CVE-2020-14311
Resolves: CVE-2020-15705
Resolves: CVE-2020-15706
Resolves: CVE-2020-15707

Signed-off-by: Peter Jones <pjones@redhat.com>
2020-08-10 22:02:39 -04:00
Javier Martinez Canillas
0993459d92
Install GRUB as \EFI\BOOT\BOOTARM.EFI in armv7hl
The Default Boot Behavior for EFI if no BootOrder and Boot#### variables
are found is to look for an ESP and start \EFI\BOOT\BOOT{$arch}.efi.

This is usually fallback.efi installed by the shim package, but since shim
isn't used on armv7, there's no \EFI\BOOT\BOOTARM.EFI installed in the ESP.

So install GRUB as \EFI\BOOT\BOOTARM.EFI for armv7 so there is a default
EFI binary to be started.

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-06-07 10:50:19 +02:00
Javier Martinez Canillas
68246dd736
Only enable the tpm module for EFI platforms
The module is only built for EFI, so don't enable it for other platforms.

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-05-18 13:26:28 +02:00
Javier Martinez Canillas
4cf8c08cf7
Enable tpm module and make system to boot even if TPM measurements fail
Since GRUB 2.04 there is support for TPM measurements in a tpm module that
uses the verifiers framework. So this is used now instead of the previous
downstream patches that we were carrying.

But we forgot to enable this module when rebasing to 2.04 which leads to
GRUB no longer measuring the kernel, initrd and command line parameters.

One side effect of using the verifiers framework is that if measurements
fail, GRUB won't be able to open the files since the errors from the tpm
module are propagated. This means that a firmware with a buggy tpm support
will prevent the machine to boot, which was not the case with the previous
downstream patches. Don't propagate the measurement errors to prevent this.

Resolves: rhbz#1836433

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-05-18 10:19:45 +02:00
David Abdurachmanov
b888fb3a32
Add RISC-V (riscv64) support to grub.macros
Signed-off-by: David Abdurachmanov <david.abdurachmanov@sifive.com>
2020-01-16 15:35:56 +01:00
Peter Jones
190e583e94 Add zstd to the EFI module list.
cmurf and javierm noticed[0] that we don't have zstd enabled, and that could
cause issues in some cases for /boot on btrfs subvolumes.  This adds it to our
module list.

[0] https://github.com/rhinstaller/anaconda/pull/2255#discussion_r359123085

Related: rhbz#1418336

Signed-off-by: Peter Jones <pjones@redhat.com>
2020-01-06 10:30:23 -05:00
Peter Jones
0cb30b7d2b Renumber sources
This gets rid of the vestigial remnants of the now-obsolete
release-to-master.patch , and moves gnulib to be earlier in our source list.

Signed-off-by: Peter Jones <pjones@redhat.com>
2020-01-06 10:28:40 -05:00
Peter Robinson
af4ccfff6b drop tools-extra from grub2-pc dependencies 2019-12-12 02:04:27 +00:00
Peter Robinson
8733281382
various grub2 cleanups
- drop deprecated groups from the macros file, already gone from main spec.
- don't ship arch specific bits in tools-extra that are already special cased in tools
- move grub2-glue-efi to tools-efi, it's Mac specific and there's othe Mac efi tools there
- drop tools-extra dep for efi binaries, all in tools-efi and anaconda deals with that
- put grub2-install man page in the right package with the util
- other minor cleanups
2019-12-05 17:01:50 +01:00
Javier Martinez Canillas
e1531466e1
Update to grub 2.04
This change updates grub to the 2.04 release. The new release changed how
grub is built, so the bootstrap and bootstrap.conf files have to be added
to the dist-git. Also, the gitignore file changed so it has to be updated.

Since the patches have been forward ported to 2.04, there's no need for a
logic to maintain a patch with the delta between the release and the grub
master branch. So the release-to-master.patch is dropped and no longer is
updated by the do-rebase script.

Also since gnulib isn't part of the grub repository anymore and cloned by
the boostrap tool, a gnulib tarball is included as other source file and
copied before calling the bootstrap tool. That way grub can be built even
in builders that only have access to the sources lookaside cache.

Resolves: rhbz#1727279

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-08-15 08:04:53 +02:00
Javier Martinez Canillas
c432d1fe96
Include regexp module in EFI builds
So the regexp command can be used in systems with Secure Boot enabled.

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-08-07 22:15:12 +02:00
Benjamin Doron
300c372004
Includes security modules in Grub2 EFI builds
Satisfies https://fedoraproject.org/wiki/Changes/Include_security_modules_in_efi_Grub2

Resolves: rhbz#1722938
2019-07-15 12:06:36 +02:00
Sergio Durigan Junior
f6da347edf
Use '-g' instead of '-g3' when compiling grub2.
The rpm-build's "debugedit" program will silently corrupt .debug_macro
strings when a binary is compiled with -g3.  Later in the build phase,
gdb-add-index is invoked to extract the DWARF index from the binary,
and GDB will segfault because dwarf2read.c:parse_definition_macro's
'body' variable is NULL.

Resolves: rhbz#1708780
2019-06-18 12:05:36 +02:00
Peter Jones
7388f24e3e Fix HOST_LDFLAGS to include the hardening flags.
rpmdiff noticed the following:

Detecting usr/sbin/grub2-ofpathname with not-hardened warnings '
Hardened: grub2-ofpathname: FAIL: Gaps were detected in the annobin coverage.  Run with -v to list.
Hardened: grub2-ofpathname: FAIL: Not linked with -Wl,-z,now.
Hardened: grub2-ofpathname: MAYB: The PIC/PIE setting was not recorded.
Hardened: grub2-ofpathname: FAIL: Not linked as a position independent executable (ie need to add '-pie' to link command line).
' on ppc64le

This is because while we made the CFLAGS get some new options, LDFLAGS never
got the same treatement, and we disabled %{_hardened_build} to avoid getting
its options in the TARGET_{C,LD}FLAGS variables.

This patch duplicates the infrastructure for {HOST,TARGET}_CFLAGS into
{HOST,TARGET}_LDFLAGS, and adds the %{_hardening_ldflags} and
%{_hardening_cflags} to both HOST_{C,LD}FLAGS.

Additionally, it fixes the CPPFLAGS definitions, since rpm doesn't define any
CPPFLAGS at all, and makes the -I$(pwd) be there exclusively, not on CFLAGS as
well, since they're always used in concert.

Signed-off-by: Peter Jones <pjones@redhat.com>
2019-05-23 13:51:07 -04:00
0b428f20f3
Add grub2-mount to grub2-tools-minimal subpackage
os-prober 1.75 dropped all the code for handling device mapper
directly in favor of only supporting the use of grub2-mount.

Thus, we now need grub2-mount to be built and packaged so that
os-prober can depend on it. We ship it in the grub2-tools-minimal
package to avoid creating a dependency loop between grub2-tools and
os-prober.

Resolves: rhbz#1471267

Signed-off-by: Neal Gompa <ngompa13@gmail.com>
2019-05-06 13:40:04 +02:00
Javier Martinez Canillas
a18e8e631d
Add grub2-emu subpackage
GRUB has an user-space program emulator that allows to parse config files
and execute boot entries using the kexec tool. Add a grub2-emu subpackage
to install the emulator.

The subpackage is disabled on ppc64le architecture for now since grub2-emu
fails to build there.

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-05-03 15:39:28 +02:00
Tim Landscheidt
af06f22ee4 Fix description of grub2-pc
Resolves: rhbz#1484298
2019-05-03 10:43:27 +02:00
Javier Martinez Canillas
8c44667ebf
Avoid grub2-efi package to overwrite existing /boot/grub2/grubenv file
The grub2-efi package create a /boot/grub2/grubenv symlink that points to
/boot/efi/EFI/fedora/grubenv that's where the real grubenv file is looked
up by GRUB on an EFI installation.

But currently if the grub2-efi is installed on a legacy BIOS install, it
will overwrite an existing /boot/grub2/grubenv file with a broken symlink.

So mark it as %config(noreplace) to avoid loosing an existing grubenv.

Resolves: rhbz#1687323

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-03-11 10:22:11 +01:00
Javier Martinez Canillas
11b49b804e
BLS support enhancements and some fixes
- Don't build the grub2-efi-ia32-* packages on i686 (pjones)
- Add efi-export-env and efi-load-env commands (pjones)
- Make it possible to subtract conditions from debug= (pjones)
- Try to set -fPIE and friends on libgnu.a (pjones)
- Add more options to blscfg command to make it more flexible
- Add support for prepend early initrds to the BLS entries
- Fix grub.cfg-XXX look up when booting over TFTP

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-02-04 19:28:49 +01:00
Peter Jones
db4a99687c Exclude /etc/grub.d/01_fallback_counting until we work through some design
questions.
  Resolves: rhbz#1614637

Signed-off-by: Peter Jones <pjones@redhat.com>
2018-10-04 17:11:21 -04:00
Peter Jones
98536ecf37 Once more into the breach, dear friends.
- Limit grub_malloc() on x86_64 to < 31bit addresses, as some devices seem to
  have a colossally broken storage controller (or UEFI driver) that can't do
  DMA to higher memory addresses, but fails silently.
  Resolves: rhbz#1626844 (possibly really resolving it this time.)
- Also integrate Hans's attempt to fix the related error from -54, but do it
  the other way around: try the low addresses first and *then* the high one if
  the allocation fails.  This way we'll get low regions by default, and if
  kernel/initramfs don't fit anywhere, it'll try the higher addresses.
  Related: rhbz#1624532
- Coalesce all the intermediate debugging junk from -54/-55/-56.

Signed-off-by: Peter Jones <pjones@redhat.com>
2018-09-11 18:08:44 -04:00
Peter Jones
5376ad0c95 Fix 'reboot' command
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-09-11 10:44:46 -04:00
Peter Jones
4892e6bea5 Temporarily make -cdboot files 0700 again.
We need to move these to /boot/efi/EFI/BOOT/ and change the perms at the same
time, but that means changing this, comps, and lorax (at least) at the same
time.  Right this minute isn't a good time to do that.

Signed-off-by: Peter Jones <pjones@redhat.com>
2018-08-07 11:21:29 -04:00
Peter Jones
627591c8af Make -cdboot packages have file perms of 0755
This lets you use them for http(s) boot easier.

Signed-off-by: Peter Jones <pjones@redhat.com>
2018-08-02 16:12:23 -04:00
Peter Jones
18694c1a36 Fix git commits after %configure
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-08-02 14:30:59 -04:00
Peter Jones
dbfd2e6b04 Make more stuff in our buildroot go into the git repo so I can grep it better.
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-07-31 16:40:33 -04:00
Peter Jones
15a207211f Roll upstream's patches into one big patch here.
I don't really need to watch 150+ patches from upstream get applied.

Signed-off-by: Peter Jones <pjones@redhat.com>
2018-07-31 10:57:52 -04:00
Peter Jones
8d563110da --with-utils=host
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-07-27 12:52:55 -04:00
Peter Jones
a45161331b Minor whitespace cleanup
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-07-27 12:48:09 -04:00
Peter Jones
da0e16c206 Fix autogen/autoconf invocation to actually re-make configure.
autogen.sh was running autoreconf, which *ran* configure but didn't actually
re-make it if it was there.  This means we effectively can't change our
configure invocation (for newer configure options), so that's bad.

Signed-off-by: Peter Jones <pjones@redhat.com>
2018-07-27 12:43:35 -04:00
Peter Jones
1b55f4c84d Fix some lingering bls issues
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-07-17 16:46:37 -04:00
Peter Jones
ebe16ceeab Make a couple of commands be built differently.
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-07-12 18:51:56 -04:00
Peter Jones
64626d2a22 Fix arm (32-bit) ABI specification.
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-07-11 17:13:42 -04:00
Peter Jones
a52365a0df Port several fixes from the F28 tree and a WIP tree.
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-07-11 16:49:50 -04:00
Peter Jones
dd0009ec4d Enable 32-bit ARM EFI builds.
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-07-10 15:12:02 -04:00
Peter Jones
bf33524673 Minor permissions fixes
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-07-10 14:39:21 -04:00
Peter Jones
a8d8dcf190 A couple of fixes needed by Fedora Atomic - javierm
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-05-11 10:13:05 -04:00
Peter Jones
78e1a10ec4 Add grub2-switch-to-blscfg
Fix for BLS paths on BIOS / non-UEFI (javierm)

Signed-off-by: Peter Jones <pjones@redhat.com>
2018-04-03 13:41:24 -04:00
Peter Jones
06b68a8c94 Build the blscfg module in on EFI builds.
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-03-06 14:47:22 -05:00
Peter Jones
d51395ea7f Update our gcc nerfing.
- Only nerf annobin, not -fstack-crash-protection.
- Fix a conflict on /boot/efi directory permissions between -cdboot and the
  normal bootloader.

Signed-off-by: Peter Jones <pjones@redhat.com>
2018-01-19 13:17:09 -05:00
Peter Jones
28076bb004 Nerf some new gcc 'features'
For now, completely nerf annobin and -fstack-clash-protection; at least
one of those things makes grubx64.efi crash on start.

Signed-off-by: Peter Jones <pjones@redhat.com>
2018-01-18 18:23:41 -05:00
Peter Jones
a91fed7f66 Fix some efi modules bugs
- Fix grub2-efi-modules provides/obsoletes generation
  Resolves: rhbz#1506704
- *Also* build grub-efi-ia32{,-*,!-modules} packages for i686 builds
  Resolves: rhbz#1502312

Signed-off-by: Peter Jones <pjones@redhat.com>
2018-01-18 14:14:19 -05:00
Peter Jones
8cceee7ebe Make everything under /boot/efi be mode 0700, since that's what FAT will
show anyway.

Signed-off-by: Peter Jones <pjones@redhat.com>
2018-01-18 14:12:52 -05:00
Peter Jones
e1f4c0ec1e Make grub2-efi-aa64 provide grub2
I'm not sure this is 100% the right place to do this - maybe it should
go in anaconda - but it seems most expedient :/

Resolves: rhbz#1491045

Signed-off-by: Peter Jones <pjones@redhat.com>
2017-09-20 15:28:42 -04:00
Peter Jones
b52a729921 Fix Obsoletes on grub2-pc
Signed-off-by: Peter Jones <pjones@redhat.com>
2017-09-06 18:26:03 -04:00
Petr Šabata
50a9c3a2b3 Limit the pattern matching in do_alt_efi_install to files
This unbreaks module builds that contain the ".module" string in their
dist tags.

Signed-off-by: Petr Šabata <contyk@redhat.com>
2017-08-30 11:03:41 -04:00
Peter Jones
152cdcd6f5 Minor updates to provides and excludes
Add some unconditional Provides:
  grub2-efi on grub2-efi-${arch}
  grub2-efi-cdboot on grub2-efi-${arch}-cdboot
  grub2 on all grub2-${arch} pacakges
Something is somehow adding /usr/lib/.build-id/... to all the -tools
  subpackages, so exclude all that.

Signed-off-by: Peter Jones <pjones@redhat.com>
2017-08-25 13:31:34 -04:00
Peter Jones
53a4172ac4 Various fixups
- Put grub2-mkimage in -tools, not -tools-extra.
- Fix i686 building
- Fix ppc HFS+ usage due to /boot/efi's presence.

Signed-off-by: Peter Jones <pjones@redhat.com>
2017-08-23 17:05:03 -04:00
Peter Jones
31ea67e0aa Add the .img files into grub2-pc-modules (and all legacy variants)
autoqa is seeing a failure that looks like:

13:50:17,909 INF program: grub2-install: error: cannot open `/usr/lib/grub/i386-pc/lzma_decompress.img': No such file or directory.

And it's because the .img files are currently excluded.  So put them
back.

Signed-off-by: Peter Jones <pjones@redhat.com>
2017-08-18 17:36:01 -04:00
Peter Jones
3619a3f545 Simplify some of the macros a bit.
Signed-off-by: Peter Jones <pjones@redhat.com>
2017-08-17 13:28:53 -04:00