103 Commits

Author SHA1 Message Date
Javier Martinez Canillas
b141171629
Appended signatures support, unify GRUB config location and some fixes
- Remove -fcf-protection compiler flag to allow i386 builds (law)
  Related: rhbz#1915452
- Unify GRUB configuration file location across all platforms
  Related: rhbz#1918817
- Add 'at_keyboard_fallback_set' var to force the set manually (rmetrich)
- Add appended signatures support for ppc64le LPAR Secure Boot (daxtens)

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-02-09 01:04:42 +01:00
Javier Martinez Canillas
f9736ec085
at_keyboard: use set 1 when keyboard is in Translate mode
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-01-12 17:01:31 +01:00
Javier Martinez Canillas
d84350c121
Add DNF protected.d fragments and pull a few fixes and enhancements
- Add DNF protected.d fragments for GRUB packages
  Resolves: rhbz#1874541
- Include keylayouts and at_keyboard modules in EFI builds
- Add GRUB enhanced debugging features
- ieee1275: Avoiding many unnecessary open/close
- ieee1275: device mapper and fibre channel discovery support
- Fix tps-rpmtest failing due to /boot/grub2/grubenv attributes mismatch

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-12-31 16:17:43 +01:00
Javier Martinez Canillas
f7e054f3d6
Roll over TFTP block counter to prevent timeouts with data packets
Resolves: rhbz#1869335

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-08-31 14:19:03 +02:00
Javier Martinez Canillas
ae1167a78d
Set TFTP blocksize to 1428 instead of 2048 to avoid IP fragmentation
Resolves: rhbz#1869335

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-08-21 15:59:56 +02:00
Javier Martinez Canillas
cc2f966c55
Fix TFTP timeouts when trying to fetch files larger than 65535 KiB
Resolves: rhbz#1869335

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-08-21 12:56:15 +02:00
Javier Martinez Canillas
db0149e860
Add support for "systemctl reboot --boot-loader-menu=xx"
Related: rhbz#1857389

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-08-12 14:43:54 +02:00
Peter Jones
47cf63735c
"Minor" bug fixes
Resolves: CVE-2020-10713
Resolves: CVE-2020-14308
Resolves: CVE-2020-14309
Resolves: CVE-2020-14310
Resolves: CVE-2020-14311
Resolves: CVE-2020-15705
Resolves: CVE-2020-15706
Resolves: CVE-2020-15707

Signed-off-by: Peter Jones <pjones@redhat.com>
2020-08-10 22:02:39 -04:00
Javier Martinez Canillas
51e876849c
Only mark GRUB as BLS supported in OSTree systems with a boot partition
OSTree doesn't support installations that don't have a boot partition. The
BLS snippets assume that there will be one, so this has to be checked and
only mark GRUB as supporting BLS in OSTree systems that have a boot partition.

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-06-18 17:18:11 +02:00
Javier Martinez Canillas
9f83bf2258
Fix build with rpm-4.16 and a HTTP boot issue with relative paths
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-06-08 10:15:55 +02:00
Javier Martinez Canillas
098a8a9e99
Fix an out of memory error when loading large initrd images
Resolves: rhbz#1838633

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-05-26 18:09:54 +02:00
Javier Martinez Canillas
7fb7a6a7a5
Don't update BLS files that aren't managed by GRUB scripts
Resolves: rhbz#1837783

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-05-20 14:21:29 +02:00
Javier Martinez Canillas
68246dd736
Only enable the tpm module for EFI platforms
The module is only built for EFI, so don't enable it for other platforms.

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-05-18 13:26:28 +02:00
Javier Martinez Canillas
4cf8c08cf7
Enable tpm module and make system to boot even if TPM measurements fail
Since GRUB 2.04 there is support for TPM measurements in a tpm module that
uses the verifiers framework. So this is used now instead of the previous
downstream patches that we were carrying.

But we forgot to enable this module when rebasing to 2.04 which leads to
GRUB no longer measuring the kernel, initrd and command line parameters.

One side effect of using the verifiers framework is that if measurements
fail, GRUB won't be able to open the files since the errors from the tpm
module are propagated. This means that firmware with buggy tpm support
will prevent the machine from booting, which was not the case with the previous
downstream patches. Don't propagate the measurement errors to prevent this.

Resolves: rhbz#1836433

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-05-18 10:19:45 +02:00
Adam Williamson
4ff1f12e40
10_linux.in: restore existence check in get_sorted_bls
2020-05-14 18:02:26 -07:00
Javier Martinez Canillas
4a742183a3
Store cmdline in BLS snippets instead of using a grubenv variable
The kernel cmdline was stored as a kernelopts variable in the grubenv file
and the BLS snippets used that. But this turned out to be fragile since the
grubenv file could be removed or get corrupted easily.

To prevent the entries from not having a cmdline if the grubenv can't be read,
a fallback variable was set in the GRUB config file. But this still caused
issues since the config needs to be re-generated to change the parameters.

Instead, let's store the cmdline in the BLS snippets. This will make the
configuration more robust, since it will work even without the grubenv
file and the BLS entries will contain all the information needed to boot.

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-05-13 20:03:20 +02:00
Javier Martinez Canillas
107dc9a693
Fix a segfault in grub2-editenv when attempting to shrink a variable
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-05-12 20:17:50 +02:00
Javier Martinez Canillas
b914a7e168
Fix bugs in the blscfg module and in the 10_linux script for ppc64le
blscfg: Lookup default_kernelopts variable as fallback for options
  Related: rhbz#1765297
10_linux.in: fix early exit due to error when reading petitboot version
  Resolves: rhbz#1827397

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-04-30 15:55:52 +02:00
Javier Martinez Canillas
b28e5aa886
efi: Set image base address before jumping to the PE/COFF entry point
Resolves: rhbz#1825411

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-04-23 21:35:17 +02:00
Javier Martinez Canillas
5b188159a7
Make the grub-switch-to-blscfg and 10_linux scripts more robust
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-04-16 21:42:23 +02:00
Javier Martinez Canillas
7509e59c4a
Drop 10_linux_bls and avoid corner case of blsdir set with ostree
The logic to parse the BLS configs to generate a set of menuentry commands
that's needed on ppc64le machines with bootloaders that don't have support
to parse BLS config directly, was implemented in a 10_linux_bls script.

But there's no need to have a separate script just for this and this logic
can be merged into the 10_linux script to avoid code duplication.

Also since the blscfg module will also now be used by ostree-based distros
there is a possible corner case in which a user set the blsdir variable to
a BLS directory path that is different than the default used by ostree.

So to avoid possible issues, only drop the marker file to specify that the
bootloader has support to parse BLS files if this variable hasn't been set.

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-04-02 14:44:30 +02:00
Javier Martinez Canillas
7c2bab5e98
grub-switch-to-blscfg: Update grub2 binary in ESP for OSTree systems
Related: rhbz#1751272

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-03-26 18:30:49 +01:00
Javier Martinez Canillas
904d351ffd
Fix for entries having an empty initrd command and HTTP boot issues
Resolves: rhbz#1806022

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-03-17 19:04:44 +01:00
Javier Martinez Canillas
fbe5a8c26a
A bunch of RISC-V build fixes and some cleanups
- Add riscv64 support to grub.macros and RISC-V build fixes (davidlt)
- blscfg: Always use the root variable to search for BLS snippets
- bootstrap.conf: Force autogen.sh to use python3

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-01-16 16:01:15 +01:00
Javier Martinez Canillas
89bc295877
Make blscfg to support the GRUB_SAVEDEFAULT option
This option was not supported on a BLS configuration.

Resolves: rhbz#1704926

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-01-13 19:54:14 +01:00
Javier Martinez Canillas
3f3dfd4006
A couple BLS fixes and various grub2 cleanups
- Various grub2 cleanups (pbrobinson)
- Another fix for blscfg variable expansion support
- blscfg: Add support for sorting the plus ('+') higher than base version
  Resolves: rhbz#1767395

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-12-05 17:21:27 +01:00
Javier Martinez Canillas
5db4bc774e
Fix a grub hidden-menu regression and a bug in blscfg variable expansion
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-11-27 12:12:44 +01:00
Javier Martinez Canillas
eeeca9c900
grub-set-bootflag: Write new env to tmpfile and then rename
Resolves: CVE-2019-14865
Resolves: rhbz#1776580

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-11-26 11:43:57 +01:00
Javier Martinez Canillas
d3ceae4bfd
Some BLS cleanups and fixes
- 20-grub-install: Don't add an id field to generated BLS snippets
- 99-grub-mkconfig: Disable BLS usage for Xen machines
  Resolves: rhbz#1703700
- Don't add a class option to menu entries generated for ppc64le
  Resolves: rhbz#1758225
- 10_linux.in: Also use GRUB_CMDLINE_LINUX_DEFAULT to set kernelopts
- blscfg: Don't hardcode an env var as fallback for the BLS options field
  Resolves: rhbz#1710483

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-10-17 13:41:17 +02:00
Javier Martinez Canillas
be6e591e0f
Add BLS devicetree support and a couple of RISC-V fixes
- A couple of RISC-V fixes
- Remove grub2-tools %%posttrans scriptlet that migrates to a BLS config
- Add blscfg device tree support
  Resolves: rhbz#1751307

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-09-18 10:01:25 +02:00
Javier Martinez Canillas
e1531466e1
Update to grub 2.04
This change updates grub to the 2.04 release. The new release changed how
grub is built, so the bootstrap and bootstrap.conf files have to be added
to the dist-git. Also, the gitignore file changed so it has to be updated.

Since the patches have been forward ported to 2.04, there's no need for a
logic to maintain a patch with the delta between the release and the grub
master branch. So the release-to-master.patch is dropped and no longer is
updated by the do-rebase script.

Also since gnulib isn't part of the grub repository anymore and cloned by
the bootstrap tool, a gnulib tarball is included as other source file and
copied before calling the bootstrap tool. That way grub can be built even
in builders that only have access to the sources lookaside cache.

Resolves: rhbz#1727279

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-08-15 08:04:53 +02:00
Javier Martinez Canillas
7e98da058f
Cleanup our patchset to reduce the number of patches
This change reorganizes and cleans up our patches to reduce the patch number
from 314 patches to 187. That's achieved by dropping patches that are later
reverted and squashing fixes for earlier patches that introduced features.

There are no code changes and the diff with upstream is the same before and
after the cleanup. Having fewer patches makes it easier to manage the patchset
and will also make it easier to rebase them on top of the latest grub-2.04 release.

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-07-16 12:30:06 +02:00
Javier Martinez Canillas
18d67626ee
Enable again multiboot and multiboot2 modules on EFI builds
Building the multiboot and multiboot2 modules was disabled for EFI builds.
But that made the menu entries created by the Xen package to stop working
since they use the multiboot2 module.

The modules were disabled because they can be used to bypass the
Secure Boot mechanism. But it's enough to not include these modules in the
grub2 EFI binary that's signed, which is the case already in the grub2 pkg.

Having them as modules if the user installs the grub2-efi-x64-modules is
a valid use case. And since module loading isn't allowed when Secure Boot
is enabled, it doesn't represent any security threat.

Resolves: rhbz#1703872

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-07-15 12:12:17 +02:00
Javier Martinez Canillas
f2b28b651f
Some fixes mostly for ARM
Fix failure to request grub.cfg over HTTP
Some ARM fixes (pbrobinson)
Preserve multi-device workflows (Yclept Nemo)

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-07-06 15:16:40 +02:00
Javier Martinez Canillas
04d38248e3
A set of fixes mostly BLS related
Fix --bls-directory option comment in grub2-switch-to-blscfg man page
  Resolves: rhbz#1714835
10_linux_bls: use '=' to separate --id argument due to a Petitboot bug
grub-set-bootflag: Print an error if failing to read from grubenv
  Resolves: rhbz#1702354
10_linux: generate BLS section even if no kernels are found in /boot
10_linux: don't search for OSTree kernels

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-06-27 17:27:11 +02:00
Javier Martinez Canillas
d8cdcb3a21
Fix error messages wrongly being printed when executing blscfg command
Resolves: rhbz#1699761

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-05-15 12:28:06 +02:00
Javier Martinez Canillas
a9b371c2fb
Make blscfg module compatible at least up to the Fedora 19 GRUB core
The blscfg module isn't compatible with the GRUB core.img installed by any
release older than Fedora 21.

This is because the blscfg module calls to the grub_file_size() function to
check if the BLS file size is correct, but the struct grub_file used as the
parameter for this function changed in the GRUB version used in Fedora 21.

So the function returns a wrong file size due to the .size field offset being
different in the older GRUB from Fedora 20 and earlier.

This is causing all the BLS files to be ignored due to having a wrong size and
leading to the GRUB menu not being populated on boot.

Related: rhbz#1652806

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-05-08 15:19:43 +02:00
Javier Martinez Canillas
a18e8e631d
Add grub2-emu subpackage
GRUB has a user-space program emulator that allows parsing config files
and execute boot entries using the kexec tool. Add a grub2-emu subpackage
to install the emulator.

The subpackage is disabled on ppc64le architecture for now since grub2-emu
fails to build there.

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-05-03 15:39:28 +02:00
Javier Martinez Canillas
79551a59f5
Add 10_reset_boot_success to Makefile
This was missed when the script got added.

Related: rhbz#1701003

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-04-18 19:33:20 +02:00
Javier Martinez Canillas
62a05cdcd4
Some grub2-emu, HTTP boot and fallback fixes
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-04-18 11:57:05 +02:00
Javier Martinez Canillas
dd6e48876e
10_linux_bls: don't add --users option to generated menu entries
The generated menu entries have a --users $grub_users option but this will
fail on old versions of GRUB, since it expects the --users option argument
to either be a constant or a variable that has been set.

The latest GRUB version fixes this but the GRUB core isn't updated on a GRUB
package update, so this will cause the entries to not be shown in the menu
after a system upgrade.

Since this can cause issues and because the entries that weren't generated from
the BLS snippets didn't have the --users option either, just don't add it.

Resolves: rhbz#1693515

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-03-28 17:05:25 +01:00
Javier Martinez Canillas
88459565ec
A set of EFI fixes to support arm64 QCom UEFI firmwares
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-03-26 17:17:17 +01:00
Javier Martinez Canillas
c1ccaf8a0e
Fix some BLS snippets not being displayed in the GRUB menu
There was an error in the logic that stored the parsed BLS snippets in the
sorted linked list that is used to populate the GRUB boot menu entries.

Also add a fix found by coverity scan about a possible undefined behaviour
due to grub_efi_status_t having the wrong type.

Resolves: rhbz#1691232

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-03-22 15:33:06 +01:00
Javier Martinez Canillas
242b306a29
Only set blsdir if /boot/loader/entries is in a btrfs or zfs partition
Commit bfc756f8d86 ("Set blsdir if the BLS directory path isn't one of the
looked up by default") attempted to set blsdir if /boot/loader/entries was
not the real path of the directory containing the BLS snippets. Which may
be the case if for example /boot/loader/entries is in a btrfs subvolume.

But in the case of ostree, /boot/loader is a symlink to the directory with
the entries for the current deployment. So with ostree the blsdir will be
wrongly set, since GRUB is able to follow the symlinks just fine. In fact,
it has to follow the symlink since otherwise GRUB will always use the BLS
files for the deployment that the symlink pointed out when blsdir was set.

So only set blsdir if /boot/loader/entries is in a btrfs or zfs partition.

Related: rhbz#1688453

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-03-20 16:54:35 +01:00
Javier Martinez Canillas
5d7e4540ed
Some BLS fixes
20-grub-install: Replace, rather than overwrite, the existing kernel (pjones)
  Resolves: rhbz#1642402
99-grub-mkconfig: Don't update grubenv generating entries on ppc64le
  Related: rhbz#1637875
blscfg: fallback to default_kernelopts if BLS option field isn't set
  Related: rhbz#1625124
grub-switch-to-blscfg: copy increment.mod for legacy BIOS and ppc64
  Resolves: rhbz#1652806

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-02-27 19:54:32 +01:00
Javier Martinez Canillas
f6d4ab8f83
Check if blsdir exists before attempting to get its real path
Resolves: rhbz#1677415

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-02-15 18:22:18 +01:00
Javier Martinez Canillas
e3a408a521
A couple of fixes
Don't make grub_strtoull() print an error if no conversion is performed
  Resolves: rhbz#1674512
Set blsdir if the BLS directory path isn't one of the looked up by default
  Resolves: rhbz#1657240

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-02-13 13:41:46 +01:00
Javier Martinez Canillas
11b49b804e
BLS support enhancements and some fixes
- Don't build the grub2-efi-ia32-* packages on i686 (pjones)
- Add efi-export-env and efi-load-env commands (pjones)
- Make it possible to subtract conditions from debug= (pjones)
- Try to set -fPIE and friends on libgnu.a (pjones)
- Add more options to blscfg command to make it more flexible
- Add support for prepend early initrds to the BLS entries
- Fix grub.cfg-XXX look up when booting over TFTP

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-02-04 19:28:49 +01:00
Javier Martinez Canillas
4ff5f8dcef
Another set of BLS fixes
BLS files should only be copied by grub-switch-to-blscfg if BLS isn't set
  Related: rhbz#1638117
Fix get_entry_number() wrongly dereferencing the tail pointer
  Resolves: rhbz#1654936
Make grub2-mkconfig to honour GRUB_CMDLINE_LINUX in /etc/default/grub
  Resolves: rhbz#1637875

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2018-12-11 20:23:51 +01:00
Javier Martinez Canillas
1f092caba7
Drop two efinet patches that were causing issues and a bunch of other fixes
Add comments and revert logic changes in 01_fallback_counting
Remove quotes when reading ID value from /etc/os-release
  Related: rhbz#1650706
blscfg: expand grub_users before passing to grub_normal_add_menu_entry()
  Resolves: rhbz#1650706
Drop buggy downstream patch "efinet: retransmit if our device is busy"
  Resolves: rhbz#1649048
Make the menu entry users option argument to be optional
  Related: rhbz#1652434
10_linux_bls: add missing menu entries options
  Resolves: rhbz#1652434
Drop "Be more aggro about actually using the *configured* network device."
  Resolves: rhbz#1654388
Fix menu entry selection based on title
  Resolves: rhbz#1654936

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2018-12-01 03:28:36 +01:00