Commit Graph

64 Commits

Author SHA1 Message Date
Javier Martinez Canillas
51b7d6220e
Fix a couple of merge mistakes made when rebasing to 2.06~rc1
Resolves: rhbz#1940524

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-03-24 09:39:42 +01:00
Javier Martinez Canillas
46968b6e63
Update to 2.06~rc1 to fix a bunch of CVEs
Resolves: CVE-2020-14372
Resolves: CVE-2020-25632
Resolves: CVE-2020-25647
Resolves: CVE-2020-27749
Resolves: CVE-2020-27779
Resolves: CVE-2021-20225
Resolves: CVE-2021-20233

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-03-15 10:13:33 +01:00
Javier Martinez Canillas
4fe0f66632
Unify GRUB configuration file location across all platforms
The GRUB configuration files layout on EFI platforms isn't consistent with
other non-EFI platforms (e.g: legacy BIOS x86 and Open Firmware ppc64le).

On platforms using EFI, the GRUB config file (grub.cfg) and environment
variables block (grubenv) are stored in the EFI System Partition (ESP),
while for non-EFI platforms these are stored in the boot partition (or
/boot directory if no boot partition is used).

The reason for this is that the path where the GRUB bootloader searches
for its configuration file varies depending on the firmware interface.

For EFI the GRUB binary is located in the ESP and it expects to find its
config file in that location as well. But this creates the mentioned
inconsistency, because the GRUB configuration file has to be stored in
/boot/efi/EFI/fedora/grub.cfg while for non-EFI platforms it has to be
stored in /boot/grub2/grub.cfg.

To allow all platforms to have the GRUB config file in the same location,
only a minimal config file could be stored in the ESP and this will load
the one that is stored in /boot/grub2.

Related: rhbz#1918817

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-02-09 00:44:03 +01:00
Jeff Law
3a8f1e293b
Remove -fcf-protection compiler flag to allow i386 builds
GRUB uses -march=i386 to build the x86 BIOS code but recent changes in the
default %{optflags} enabled the -fcf-protection flag that's not compatible
with pre-i686 CPUs.

This led to a build error in the grub2 package. To avoid this failure and
let the package build again, remove the -fcf-protection flag for now.

Related: rhbz#1915452

Signed-off-by: Jeff Law <law@redhat.com>
2021-02-08 19:42:10 +01:00
Javier Martinez Canillas
8c2cf1c368
Add DNF protected.d fragments for GRUB packages
Users can unintentionally remove the grub2 packages and break their system
by deleting the bootloader. To prevent this mark them as protected by DNF.

Resolves: rhbz#1874541

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-12-30 22:45:54 +01:00
Javier Martinez Canillas
c321e640dc
Include keylayouts and at_keyboard modules in EFI builds
This is needed to support PC AT keyboards on machines using EFI.

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-12-30 20:50:03 +01:00
Javier Martinez Canillas
ec73df1b6e
Fix tps-rpmtest failing due /boot/grub2/grubenv attributes mismatch
The /boot/grub2/grubenv file is not installed by the grub2 packages but
is either a symbolic link created on %install or a regular file created
by Anaconda during installation.

This is causing the tps-rpmtest to fail in some architectures since the
file attributes don't match what's expected by the package. Because it is
a special file, make verification ignore the size, mode, checksum
and mtime attributes.

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-12-30 20:50:03 +01:00
Peter Jones
47cf63735c "Minor" bug fixes
Resolves: CVE-2020-10713
Resolves: CVE-2020-14308
Resolves: CVE-2020-14309
Resolves: CVE-2020-14310
Resolves: CVE-2020-14311
Resolves: CVE-2020-15705
Resolves: CVE-2020-15706
Resolves: CVE-2020-15707

Signed-off-by: Peter Jones <pjones@redhat.com>
2020-08-10 22:02:39 -04:00
Javier Martinez Canillas
0993459d92
Install GRUB as \EFI\BOOT\BOOTARM.EFI in armv7hl
The Default Boot Behavior for EFI if no BootOrder and Boot#### variables
are found is to look for an ESP and start \EFI\BOOT\BOOT{$arch}.efi.

This is usually fallback.efi installed by the shim package, but since shim
isn't used on armv7, there's no \EFI\BOOT\BOOTARM.EFI installed in the ESP.

So install GRUB as \EFI\BOOT\BOOTARM.EFI for armv7 so there is a default
EFI binary to be started.

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-06-07 10:50:19 +02:00
Javier Martinez Canillas
68246dd736
Only enable the tpm module for EFI platforms
The module is only built for EFI, so don't enable it for other platforms.

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-05-18 13:26:28 +02:00
Javier Martinez Canillas
4cf8c08cf7
Enable tpm module and make system to boot even if TPM measurements fail
Since GRUB 2.04 there is support for TPM measurements in a tpm module that
uses the verifiers framework. So this is used now instead of the previous
downstream patches that we were carrying.

But we forgot to enable this module when rebasing to 2.04 which leads to
GRUB no longer measuring the kernel, initrd and command line parameters.

One side effect of using the verifiers framework is that if measurements
fail, GRUB won't be able to open the files since the errors from the tpm
module are propagated. This means that a firmware with a buggy tpm support
will prevent the machine from booting, which was not the case with the previous
downstream patches. Don't propagate the measurement errors to prevent this.

Resolves: rhbz#1836433

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-05-18 10:19:45 +02:00
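The trade-off described in the commit above (continue booting when a TPM extend fails, rather than propagating the error) is easiest to see with a small simulation. The following is an added example, not code from GRUB or the grub2 package: it models SHA-256 PCR extends for the kernel, initrd and command line, the event log a verifier would replay, and both the fail-closed (errors propagated) and fail-open (errors swallowed) policies. The PCR numbers (8 for command lines, 9 for loaded files) and the measurement order are assumptions for illustration, as are the constructed kernel/initrd/cmdline bytes.

```python
import hashlib

# PCR assignment assumed here for illustration: upstream GRUB's tpm module is
# documented as extending loaded files into PCR 9 and command lines into PCR 8.
PCR_CMDLINE = 8
PCR_FILES = 9
SHA256_ZERO = bytes(32)


class MeasurementError(Exception):
    """Raised when the (simulated) TPM rejects an extend operation."""


def pcr_extend(old: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend for a SHA-256 bank: new = SHA256(old || digest)."""
    return hashlib.sha256(old + digest).digest()


class MeasuredBoot:
    """Simulated bootloader-side state: PCR values plus an event log."""

    def __init__(self, propagate_errors: bool):
        self.pcrs = {PCR_CMDLINE: SHA256_ZERO, PCR_FILES: SHA256_ZERO}
        self.log = []          # (pcr, description, digest hex, status)
        self.failed = False
        self.propagate_errors = propagate_errors

    def measure(self, pcr: int, desc: str, data: bytes, tpm_ok: bool) -> None:
        digest = hashlib.sha256(data).digest()
        if not tpm_ok:
            self.failed = True
            self.log.append((pcr, desc, digest.hex(), "FAILED"))
            if self.propagate_errors:
                # Pre-fix behaviour: the verifier error reaches the file open
                # and the boot stops.
                raise MeasurementError(f"TPM extend failed for {desc}")
            # Post-fix behaviour: the error is recorded and boot continues,
            # leaving the PCR unextended.
            return
        self.pcrs[pcr] = pcr_extend(self.pcrs[pcr], digest)
        self.log.append((pcr, desc, digest.hex(), "ok"))


def simulate_boot(kernel, initrd, cmdline, tpm_ok=True, propagate_errors=False):
    """Return (booted, state). Order assumed: kernel, initrd, then cmdline."""
    state = MeasuredBoot(propagate_errors)
    try:
        state.measure(PCR_FILES, "kernel", kernel, tpm_ok)
        state.measure(PCR_FILES, "initrd", initrd, tpm_ok)
        state.measure(PCR_CMDLINE, "cmdline", cmdline, tpm_ok)
    except MeasurementError:
        return False, state
    return True, state


def golden_pcrs(kernel, initrd, cmdline):
    """Expected PCR values for a known-good kernel/initrd/cmdline."""
    return simulate_boot(kernel, initrd, cmdline)[1].pcrs


def replay_log(log):
    """Verifier side: recompute PCRs from the event log, skipping failed events."""
    pcrs = {PCR_CMDLINE: SHA256_ZERO, PCR_FILES: SHA256_ZERO}
    for pcr, _desc, digest_hex, status in log:
        if status == "ok":
            pcrs[pcr] = pcr_extend(pcrs[pcr], bytes.fromhex(digest_hex))
    return pcrs


def attest(reported, golden):
    """True only if every golden PCR matches what the platform reports."""
    return all(reported.get(i) == v for i, v in golden.items())


if __name__ == "__main__":
    # Constructed sample inputs, not real boot artifacts.
    kernel, initrd, cmdline = b"vmlinuz-sample", b"initramfs-sample", b"root=UUID=x ro quiet"
    golden = golden_pcrs(kernel, initrd, cmdline)
    booted, state = simulate_boot(kernel, initrd, cmdline, tpm_ok=False)
    print("booted with broken TPM:", booted, "attestation passes:", attest(state.pcrs, golden))
```

The point a practitioner should take from the fail-open path: the machine boots, but PCR 9 stays at its reset value, so any sealed secret or remote attestation keyed to the golden values will still refuse the system. Not propagating the error trades a boot failure for an attestation failure; it does not hide the missing measurement.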
David Abdurachmanov
b888fb3a32
Add RISC-V (riscv64) support to grub.macros
Signed-off-by: David Abdurachmanov <david.abdurachmanov@sifive.com>
2020-01-16 15:35:56 +01:00
Peter Jones
190e583e94 Add zstd to the EFI module list.
cmurf and javierm noticed[0] that we don't have zstd enabled, and that could
cause issues in some cases for /boot on btrfs subvolumes.  This adds it to our
module list.

[0] https://github.com/rhinstaller/anaconda/pull/2255#discussion_r359123085

Related: rhbz#1418336

Signed-off-by: Peter Jones <pjones@redhat.com>
2020-01-06 10:30:23 -05:00
Peter Jones
0cb30b7d2b Renumber sources
This gets rid of the vestigial remnants of the now-obsolete
release-to-master.patch , and moves gnulib to be earlier in our source list.

Signed-off-by: Peter Jones <pjones@redhat.com>
2020-01-06 10:28:40 -05:00
Peter Robinson
af4ccfff6b drop tools-extra from grub2-pc dependencies
2019-12-12 02:04:27 +00:00
Peter Robinson
8733281382
various grub2 cleanups
- drop deprecated groups from the macros file, already gone from main spec.
- don't ship arch specific bits in tools-extra that are already special cased in tools
- move grub2-glue-efi to tools-efi, it's Mac specific and there are other Mac efi tools there
- drop tools-extra dep for efi binaries, all in tools-efi and anaconda deals with that
- put grub2-install man page in the right package with the util
- other minor cleanups
2019-12-05 17:01:50 +01:00
Javier Martinez Canillas
e1531466e1
Update to grub 2.04
This change updates grub to the 2.04 release. The new release changed how
grub is built, so the bootstrap and bootstrap.conf files have to be added
to the dist-git. Also, the gitignore file changed so it has to be updated.

Since the patches have been forward ported to 2.04, there's no need for a
logic to maintain a patch with the delta between the release and the grub
master branch. So the release-to-master.patch is dropped and no longer is
updated by the do-rebase script.

Also since gnulib isn't part of the grub repository anymore and is cloned by
the bootstrap tool, a gnulib tarball is included as another source file and
copied before calling the bootstrap tool. That way grub can be built even
in builders that only have access to the sources lookaside cache.

Resolves: rhbz#1727279

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-08-15 08:04:53 +02:00
Javier Martinez Canillas
c432d1fe96
Include regexp module in EFI builds
So the regexp command can be used in systems with Secure Boot enabled.

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-08-07 22:15:12 +02:00
Benjamin Doron
300c372004
Includes security modules in Grub2 EFI builds
Satisfies https://fedoraproject.org/wiki/Changes/Include_security_modules_in_efi_Grub2

Resolves: rhbz#1722938
2019-07-15 12:06:36 +02:00
Sergio Durigan Junior
f6da347edf
Use '-g' instead of '-g3' when compiling grub2.
The rpm-build's "debugedit" program will silently corrupt .debug_macro
strings when a binary is compiled with -g3.  Later in the build phase,
gdb-add-index is invoked to extract the DWARF index from the binary,
and GDB will segfault because dwarf2read.c:parse_definition_macro's
'body' variable is NULL.

Resolves: rhbz#1708780
2019-06-18 12:05:36 +02:00
Peter Jones
7388f24e3e Fix HOST_LDFLAGS to include the hardening flags.
rpmdiff noticed the following:

Detecting usr/sbin/grub2-ofpathname with not-hardened warnings '
Hardened: grub2-ofpathname: FAIL: Gaps were detected in the annobin coverage.  Run with -v to list.
Hardened: grub2-ofpathname: FAIL: Not linked with -Wl,-z,now.
Hardened: grub2-ofpathname: MAYB: The PIC/PIE setting was not recorded.
Hardened: grub2-ofpathname: FAIL: Not linked as a position independent executable (ie need to add '-pie' to link command line).
' on ppc64le

This is because while we made the CFLAGS get some new options, LDFLAGS never
got the same treatment, and we disabled %{_hardened_build} to avoid getting
its options in the TARGET_{C,LD}FLAGS variables.

This patch duplicates the infrastructure for {HOST,TARGET}_CFLAGS into
{HOST,TARGET}_LDFLAGS, and adds the %{_hardening_ldflags} and
%{_hardening_cflags} to both HOST_{C,LD}FLAGS.

Additionally, it fixes the CPPFLAGS definitions, since rpm doesn't define any
CPPFLAGS at all, and makes the -I$(pwd) be there exclusively, not on CFLAGS as
well, since they're always used in concert.

Signed-off-by: Peter Jones <pjones@redhat.com>
2019-05-23 13:51:07 -04:00
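The rpmdiff findings quoted in the commit above (no -Wl,-z,now, not linked as PIE) are properties a build engineer can verify directly from the ELF image before and after changing HOST_LDFLAGS. The following is an added example, not part of the grub2 package, rpmdiff or annobin: it parses the ELF64 header, program headers and the dynamic array to report whether a host binary such as grub2-ofpathname was linked as a PIE and with BIND_NOW, and it builds constructed minimal ELF images so the check can be exercised without a real toolchain. It does not cover the annobin coverage gaps, which require the .gnu.build.attributes notes; the DF_1_PIE-or-PT_INTERP heuristic for PIE is an assumption stated in the code.

```python
import struct
import sys

# ELF constants (System V ABI / elf.h); only what the check needs.
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP = 2, 3
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW = 0x8
DF_1_NOW, DF_1_PIE = 0x1, 0x08000000

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, little-endian, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<qQ")                 # Elf64_Dyn: signed tag, value


def hardening_report(blob: bytes) -> dict:
    """Inspect a little-endian ELF64 image for PIE and BIND_NOW linkage."""
    if blob[:4] != b"\x7fELF" or blob[4] != 2 or blob[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    fields = EHDR.unpack_from(blob, 0)
    e_type, e_phoff, e_phentsize, e_phnum = fields[1], fields[5], fields[9], fields[10]

    has_interp = False
    dyn_off = dyn_size = None
    for i in range(e_phnum):
        p_type, _fl, p_offset, _va, _pa, p_filesz, _ms, _al = PHDR.unpack_from(
            blob, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            has_interp = True
        elif p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_offset, p_filesz

    flags = flags_1 = 0
    if dyn_off is not None:
        for off in range(dyn_off, dyn_off + dyn_size, DYN.size):
            tag, val = DYN.unpack_from(blob, off)
            if tag == DT_NULL:
                break
            if tag == DT_FLAGS:
                flags = val
            elif tag == DT_FLAGS_1:
                flags_1 = val

    # Assumption: DF_1_PIE is what current linkers set for -pie; an ET_DYN
    # carrying a PT_INTERP is the older heuristic (it also matches a few
    # shared libraries that embed an interpreter, e.g. libc).
    pie = e_type == ET_DYN and (bool(flags_1 & DF_1_PIE) or has_interp)
    bind_now = bool(flags & DF_BIND_NOW) or bool(flags_1 & DF_1_NOW)
    return {"type": {ET_EXEC: "EXEC", ET_DYN: "DYN"}.get(e_type, str(e_type)),
            "pie": pie, "bind_now": bind_now}


def hardening_failures(report: dict) -> list:
    """Failures worded like the rpmdiff lines quoted in the commit message."""
    failures = []
    if not report["bind_now"]:
        failures.append("Not linked with -Wl,-z,now.")
    if not report["pie"]:
        failures.append("Not linked as a position independent executable.")
    return failures


def make_test_elf(e_type: int, dyn_entries, with_interp: bool = True) -> bytes:
    """Constructed minimal ELF64 (header, program headers, dynamic array) for tests."""
    phdrs = [(PT_INTERP, 4, 0, 0, 0, 0, 0, 1)] if with_interp else []
    n_ph = len(phdrs) + 1
    dyn_off = EHDR.size + n_ph * PHDR.size
    dyn = b"".join(DYN.pack(t, v) for t, v in dyn_entries) + DYN.pack(DT_NULL, 0)
    phdrs.append((PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELFCLASS64, LSB, v1
    ehdr = EHDR.pack(ident, e_type, 62, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, n_ph, 0, 0, 0)
    return ehdr + b"".join(PHDR.pack(*p) for p in phdrs) + dyn


if __name__ == "__main__":
    # Run on real binaries from the build root, e.g. usr/sbin/grub2-ofpathname.
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            try:
                rep = hardening_report(f.read())
            except ValueError as exc:
                print(path, exc)
                continue
        print(path, rep, hardening_failures(rep) or "hardened")
```

Running it over the host utilities in the buildroot gives the same two verdicts rpmdiff reported, which makes it a cheap gate in a spec's %check section: the LDFLAGS fix should turn both "Not linked ..." lines into "hardened" for every binary under usr/bin and usr/sbin.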
0b428f20f3
Add grub2-mount to grub2-tools-minimal subpackage
os-prober 1.75 dropped all the code for handling device mapper
directly in favor of only supporting the use of grub2-mount.

Thus, we now need grub2-mount to be built and packaged so that
os-prober can depend on it. We ship it in the grub2-tools-minimal
package to avoid creating a dependency loop between grub2-tools and
os-prober.

Resolves: rhbz#1471267

Signed-off-by: Neal Gompa <ngompa13@gmail.com>
2019-05-06 13:40:04 +02:00
Javier Martinez Canillas
a18e8e631d
Add grub2-emu subpackage
GRUB has a user-space program emulator that allows parsing config files
and executing boot entries using the kexec tool. Add a grub2-emu subpackage
to install the emulator.

The subpackage is disabled on ppc64le architecture for now since grub2-emu
fails to build there.

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-05-03 15:39:28 +02:00
Tim Landscheidt
af06f22ee4 Fix description of grub2-pc
Resolves: rhbz#1484298
2019-05-03 10:43:27 +02:00
Javier Martinez Canillas
8c44667ebf
Avoid grub2-efi package to overwrite existing /boot/grub2/grubenv file
The grub2-efi package creates a /boot/grub2/grubenv symlink that points to
/boot/efi/EFI/fedora/grubenv, which is where the real grubenv file is looked
up by GRUB on an EFI installation.

But currently if the grub2-efi is installed on a legacy BIOS install, it
will overwrite an existing /boot/grub2/grubenv file with a broken symlink.

So mark it as %config(noreplace) to avoid losing an existing grubenv.

Resolves: rhbz#1687323

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-03-11 10:22:11 +01:00
Javier Martinez Canillas
11b49b804e
BLS support enhancements and some fixes
- Don't build the grub2-efi-ia32-* packages on i686 (pjones)
- Add efi-export-env and efi-load-env commands (pjones)
- Make it possible to subtract conditions from debug= (pjones)
- Try to set -fPIE and friends on libgnu.a (pjones)
- Add more options to blscfg command to make it more flexible
- Add support for prepend early initrds to the BLS entries
- Fix grub.cfg-XXX look up when booting over TFTP

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-02-04 19:28:49 +01:00
Peter Jones
db4a99687c Exclude /etc/grub.d/01_fallback_counting until we work through some design
questions.
  Resolves: rhbz#1614637

Signed-off-by: Peter Jones <pjones@redhat.com>
2018-10-04 17:11:21 -04:00
Peter Jones
98536ecf37 Once more into the breach, dear friends.
- Limit grub_malloc() on x86_64 to < 31bit addresses, as some devices seem to
  have a colossally broken storage controller (or UEFI driver) that can't do
  DMA to higher memory addresses, but fails silently.
  Resolves: rhbz#1626844 (possibly really resolving it this time.)
- Also integrate Hans's attempt to fix the related error from -54, but do it
  the other way around: try the low addresses first and *then* the high one if
  the allocation fails.  This way we'll get low regions by default, and if
  kernel/initramfs don't fit anywhere, it'll try the higher addresses.
  Related: rhbz#1624532
- Coalesce all the intermediate debugging junk from -54/-55/-56.

Signed-off-by: Peter Jones <pjones@redhat.com>
2018-09-11 18:08:44 -04:00
Peter Jones
5376ad0c95 Fix 'reboot' command
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-09-11 10:44:46 -04:00
Peter Jones
4892e6bea5 Temporarily make -cdboot files 0700 again.
We need to move these to /boot/efi/EFI/BOOT/ and change the perms at the same
time, but that means changing this, comps, and lorax (at least) at the same
time.  Right this minute isn't a good time to do that.

Signed-off-by: Peter Jones <pjones@redhat.com>
2018-08-07 11:21:29 -04:00
Peter Jones
627591c8af Make -cdboot packages have file perms of 0755
This lets you use them for http(s) boot easier.

Signed-off-by: Peter Jones <pjones@redhat.com>
2018-08-02 16:12:23 -04:00
Peter Jones
18694c1a36 Fix git commits after %configure
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-08-02 14:30:59 -04:00
Peter Jones
dbfd2e6b04 Make more stuff in our buildroot go into the git repo so I can grep it better.
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-07-31 16:40:33 -04:00
Peter Jones
15a207211f Roll upstream's patches into one big patch here.
I don't really need to watch 150+ patches from upstream get applied.

Signed-off-by: Peter Jones <pjones@redhat.com>
2018-07-31 10:57:52 -04:00
Peter Jones
8d563110da --with-utils=host
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-07-27 12:52:55 -04:00
Peter Jones
a45161331b Minor whitespace cleanup
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-07-27 12:48:09 -04:00
Peter Jones
da0e16c206 Fix autogen/autoconf invocation to actually re-make configure.
autogen.sh was running autoreconf, which *ran* configure but didn't actually
re-make it if it was there.  This means we effectively can't change our
configure invocation (for newer configure options), so that's bad.

Signed-off-by: Peter Jones <pjones@redhat.com>
2018-07-27 12:43:35 -04:00
Peter Jones
1b55f4c84d Fix some lingering bls issues
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-07-17 16:46:37 -04:00
Peter Jones
ebe16ceeab Make a couple of commands be built differently.
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-07-12 18:51:56 -04:00
Peter Jones
64626d2a22 Fix arm (32-bit) ABI specification.
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-07-11 17:13:42 -04:00
Peter Jones
a52365a0df Port several fixes from the F28 tree and a WIP tree.
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-07-11 16:49:50 -04:00
Peter Jones
dd0009ec4d Enable 32-bit ARM EFI builds.
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-07-10 15:12:02 -04:00
Peter Jones
bf33524673 Minor permissions fixes
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-07-10 14:39:21 -04:00
Peter Jones
a8d8dcf190 A couple of fixes needed by Fedora Atomic - javierm
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-05-11 10:13:05 -04:00
Peter Jones
78e1a10ec4 Add grub2-switch-to-blscfg
Fix for BLS paths on BIOS / non-UEFI (javierm)

Signed-off-by: Peter Jones <pjones@redhat.com>
2018-04-03 13:41:24 -04:00
Peter Jones
06b68a8c94 Build the blscfg module in on EFI builds.
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-03-06 14:47:22 -05:00
Peter Jones
d51395ea7f Update our gcc nerfing.
- Only nerf annobin, not -fstack-clash-protection.
- Fix a conflict on /boot/efi directory permissions between -cdboot and the
  normal bootloader.

Signed-off-by: Peter Jones <pjones@redhat.com>
2018-01-19 13:17:09 -05:00
Peter Jones
28076bb004 Nerf some new gcc 'features'
For now, completely nerf annobin and -fstack-clash-protection; at least
one of those things makes grubx64.efi crash on start.

Signed-off-by: Peter Jones <pjones@redhat.com>
2018-01-18 18:23:41 -05:00
Peter Jones
a91fed7f66 Fix some efi modules bugs
- Fix grub2-efi-modules provides/obsoletes generation
  Resolves: rhbz#1506704
- *Also* build grub-efi-ia32{,-*,!-modules} packages for i686 builds
  Resolves: rhbz#1502312

Signed-off-by: Peter Jones <pjones@redhat.com>
2018-01-18 14:14:19 -05:00
Peter Jones
8cceee7ebe Make everything under /boot/efi be mode 0700, since that's what FAT will
show anyway.

Signed-off-by: Peter Jones <pjones@redhat.com>
2018-01-18 14:12:52 -05:00