Disable annobin stack check since grub's initialization code doesn't
support it.
Resolves: RHEL-89464
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
Besides re-introducing the annobin sed replacements, it fixes
duplicate '-fstack-protector-strong' flags and remove the sed
replacement '-fno-stack-protector' as it has no effect.
Resolves: #RHEL-89464
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
Besides enabling the strong stack protector flag, it also removes the
sed empty replacements for annobin, so now most binaries include the
annobin section, required by the CI annocheck tool.
Resolves: #RHEL-89464
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
UKI(package is kernel-uki-virt) is a single, bootable file that
bundles everything needed to start a Linux system. It contains its own
bootable stub and bypasses GRUB2 completely. The kernel-core and
kernel-uki-virt can coexist in one machine. And both of them call
kernel-install remove <kversion> upon package removal and this leads
to the complete removal of both the traditional kernel & its
artifacts(initramfs, BLS entry file,...). For example, if the customer
remove kernel-uki-virt, currently it also removes BLS entry which
causes the regular kernel fails to boot up. In
https://github.com/systemd/systemd/pull/37897 it added
--entry-type=type1|type2 option to kernel-install. type1 stands for
normal kernel, type2 stands for uki. When kernel-install is invoked
with --entry-type=type2 which is for UKI, we should not remove the BLS
entry.
Resolves: #RHEL-104167
Signed-off-by: Yuxin Sun <yuxisun@redhat.com>
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
A temporal workaround while a real fix is being elaborated.
Resolves: #RHEL-97086
Signed-off-by: Gerd Hoffman <ghoffman@redhat.com>
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
The removed patch was part of the CVE patches ported recently into RHEL but
is causing segfaults on dual boot (Windows & RHEL) systems when generating the
grub configuration with the grub2-mkconfig tool. At some point the same patch
will come back with the corresponding fix but for the time being, it is removed.
Related: RHEL-80686
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
Xen PV and PVH guest use direct kernel boot and may use 'pygrub' tool to
parse guest's grub config. The tool is incompatible with BLS and thus
99-grub-mkconfig.install disables it. The problem is observed with HVM
guests which are 'normal' VMs and don't require pygrub compatibility. E.g.
legacy AWS instance types are of this kind. Disabling BLS for them is
undesired and unjustified. Luckily, kernel driver for Xen provides
'/sys/hypervisor/guest_type' interface telling us which type of guest are
we running in.
Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Compared to previous commit, this is a better approach to handle SPCR null base
address indicating no redirection, doing the null check on the caller instead of
the callee.
Resolves: #RHEL-68622
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
Resolves: #RHEL-59557
Signed-off-by: Michal Sekletar <msekleta@redhat.com>
Reviewed-by: Leo Sandoval <lsandova@redhat.com>
Reviewed-by: Marta Lewandowska <mlewando@redhat.com>
Fix the rpm verificaton issues. On the other hand, 2.06-121 [1]
introduced a change on grub2-mkconfig where it prevents overwritting
`${EFI_HOME}/grub.cfg` with side effects on the `%posttrans`
scriptlet, where it tries to recreate it in case this file does not
exist but due to [1] the `${EFI}/grub.cfg` file would never be
created. Fix the `%posttrans` code with the logic but applied to
${GRUB_HOME}/grub.cfg. On the same scriplet, make sure
${EFI_HOME}/grub.cfg is present before grepping into it.
[1] https://pkgs.devel.redhat.com/cgit/rpms/grub2/commit/?h=rhel-10-main&id=9c6e5cf6c8e597efbf6a10399371789fddafac12
Resolves: #RHEL-56918
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
