Commit Graph

131 Commits

Author SHA1 Message Date
Robbie Harwood
f0ad2aaa26 CVE fixes for 2022-05-24
Resolves: CVE-2022-28736 CVE-2022-28735 CVE-2022-28734 CVE-2022-28733
Resolves: CVE-2021-3697 CVE-2021-3696 CVE-2021-3695
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-06-03 13:54:45 -04:00
Robbie Harwood
a44a6377ed ppc64le: make ofdisk retries optional
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-05-16 21:15:56 +00:00
Robbie Harwood
ea7cfdf726 Fix missing declaration of strchrnul in rpm-sort
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-05-05 22:14:21 +00:00
Robbie Harwood
d15d46b0e4 ppc64le: CAS improvements, prefix detection, and vTPM support
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-05-04 18:00:02 +00:00
Robbie Harwood
bd73b85ea3 Switch to upstream man pages
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-03-31 21:21:43 +00:00
Adam Williamson
5e72956199 Revert "Use my sort patch instead", fix BLS ostree detection
This reverts commit 93004a8494,
because it broke Rawhide. It also tries to fix BLS ostree
detection to work in chroots (e.g. during installation) by also
checking for /ostree/repo.
2022-03-22 18:32:24 -07:00
Robbie Harwood
93004a8494 Use my sort patch instead
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-03-21 17:54:55 +00:00
Robbie Harwood
90dacf59d0 Don't verify kernels twice
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-03-18 18:33:12 +00:00
Robbie Harwood
9a30e00fc0 Fix initialization in efidisk patch
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-03-09 16:50:45 +00:00
Robbie Harwood
e82a4fd034 Add efidisk/connectefi patches
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-02-24 22:03:20 +00:00
Robbie Harwood
8a74d28ac8 Life is pain, but especially when it's gnulib
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-02-24 13:25:56 -05:00
Robbie Harwood
357489e3ea Add location of DejaVu Sans font
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-01-18 19:46:15 +00:00
Robbie Harwood
e602a0629d Update patches; minor changes at most, if correct
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-01-17 18:09:27 -05:00
Robbie Harwood
b256068060 btrfs: use full bootloader area
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-01-06 17:42:54 +00:00
Robbie Harwood
d90546c5ee restore umask for grub.cfg (CVE-2021-3981)
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2021-12-09 11:11:30 -05:00
Robbie Harwood
9fdaa794e0 Drop UI patches and update provenance information
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2021-11-04 12:30:16 -04:00
Robbie Harwood
07cf41c169 fs/xfs: Fix unreadable filesystem with v4 superblock
While we're here, also: check for the PE magic for the compiled arch

Resolves: rhbz#2008819
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2021-09-29 12:12:55 -04:00
Javier Martinez Canillas
1f9e8074ae A few fixes for ppc64le LPAR Secure Boot support
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-08-30 16:55:22 +02:00
Peter Jones
702732583b Fix aarch64 kernel alignment.
Signed-off-by: Peter Jones <pjones@redhat.com>
2021-08-24 11:24:20 -04:00
Javier Martinez Canillas
67f07b7c9e Another set of fixes for 2.06
- Add luks2 to GRUB_MODULES
- 20-grub-install: Create a symvers.gz symbolic link
- 20-grub-install: Always use fedora as the boot entry --class
  Resolves: rhbz#1957014
- grub.macros: Install font in /boot/grub2 instead of the ESP
  Resolves: rhbz#1739762
- grub.macros: Use consistent file mode for legacy and EFI
  Resolves: rhbz#1965794
- Drop grub2 prelink configuration
  Resolves: rhbz#1659675
- Remove triggers needed to upgrade from legacy GRUB
- Don't hardcode grub2 in the spec file
- Update to unifont-13.0.06
  Resolves: rhbz#1939125
- 20-grub-install: Use relative paths for btrfs in BLS snippets
  Resolves: rhbz#1906191
- Don't update the cmdline when generating legacy menuentry commands
- Suppress gettext error message
  Resolves: rhbz#1592124
- grub-boot-success.timer: Only run if not in a container
  Resolves: rhbz#1914571
- grub-set-password: Always use /boot/grub2/user.cfg as password default
  Resolves: rhbz#1955294
- Remove outdated URL for BLS document
  Resolves: rhbz#1926453
- templates: Check for EFI at runtime instead of config generation time
  Resolves: rhbz#1823864
- efi: Print an error if boot to firmware setup is not supported
  Resolves: rhbz#1823864

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-07-06 11:18:04 +02:00
Javier Martinez Canillas
13985b0e4c Update to 2.06 final release and ton of fixes
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-06-14 11:11:36 +02:00
Javier Martinez Canillas
e91046d264 Add XFS needsrepair support
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-05-03 17:26:40 +02:00
Javier Martinez Canillas
ddafa09a88 Find and claim more memory for ieee1275
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-04-23 11:30:55 +02:00
Javier Martinez Canillas
5ef95ecb65 Add XFS bigtime support
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-04-14 12:59:23 +02:00
Javier Martinez Canillas
46968b6e63 Update to 2.06~rc1 to fix a bunch of CVEs
Resolves: CVE-2020-14372
Resolves: CVE-2020-25632
Resolves: CVE-2020-25647
Resolves: CVE-2020-27749
Resolves: CVE-2020-27779
Resolves: CVE-2021-20225
Resolves: CVE-2021-20233

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-03-15 10:13:33 +01:00
Javier Martinez Canillas
89b6faf012 Fix config file generation failing due to invalid petitboot version value
Resolves: rhbz#1921479

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-03-11 13:15:37 +01:00
Javier Martinez Canillas
3b8cfc9cf6 Fix keyboards that report IBM PC AT scan codes
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-03-05 11:37:24 +01:00
Javier Martinez Canillas
c65a33ebca Switch EFI users to new config and fix ESC no longer showing the menu
Resolves: rhbz#1918817
Resolves: rhbz#1928595

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-02-22 20:50:22 +01:00
Javier Martinez Canillas
b141171629 Appended signatures support, unify GRUB config location and some fixes
- Remove -fcf-protection compiler flag to allow i386 builds (law)
  Related: rhbz#1915452
- Unify GRUB configuration file location across all platforms
  Related: rhbz#1918817
- Add 'at_keyboard_fallback_set' var to force the set manually (rmetrich)
- Add appended signatures support for ppc64le LPAR Secure Boot (daxtens)

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-02-09 01:04:42 +01:00
Javier Martinez Canillas
f9736ec085 at_keyboard: use set 1 when keyboard is in Translate mode
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-01-12 17:01:31 +01:00
Javier Martinez Canillas
d84350c121 Add DNF protected.d fragments and pull a few fixes and enhancements
- Add DNF protected.d fragments for GRUB packages
  Resolves: rhbz#1874541
- Include keylayouts and at_keyboard modules in EFI builds
- Add GRUB enhanced debugging features
- ieee1275: Avoiding many unnecessary open/close
- ieee1275: device mapper and fibre channel discovery support
- Fix tps-rpmtest failing due to /boot/grub2/grubenv attributes mismatch

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-12-31 16:17:43 +01:00
Javier Martinez Canillas
f7e054f3d6 Roll over TFTP block counter to prevent timeouts with data packets
Resolves: rhbz#1869335

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-08-31 14:19:03 +02:00
Javier Martinez Canillas
ae1167a78d Set TFTP blocksize to 1428 instead of 2048 to avoid IP fragmentation
Resolves: rhbz#1869335

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-08-21 15:59:56 +02:00
Javier Martinez Canillas
cc2f966c55 Fix TFTP timeouts when trying to fetch files larger than 65535 KiB
Resolves: rhbz#1869335

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-08-21 12:56:15 +02:00
Javier Martinez Canillas
db0149e860 Add support for "systemctl reboot --boot-loader-menu=xx"
Related: rhbz#1857389

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-08-12 14:43:54 +02:00
Peter Jones
47cf63735c "Minor" bug fixes
Resolves: CVE-2020-10713
Resolves: CVE-2020-14308
Resolves: CVE-2020-14309
Resolves: CVE-2020-14310
Resolves: CVE-2020-14311
Resolves: CVE-2020-15705
Resolves: CVE-2020-15706
Resolves: CVE-2020-15707

Signed-off-by: Peter Jones <pjones@redhat.com>
2020-08-10 22:02:39 -04:00
Javier Martinez Canillas
51e876849c Only mark GRUB as BLS supported in OSTree systems with a boot partition
OSTree doesn't support installations that don't have a boot partition. The
BLS snippets assume that there will be one, so this has to be checked and
only mark GRUB as supporting BLS in OSTree systems that have a boot partition.

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-06-18 17:18:11 +02:00
Javier Martinez Canillas
9f83bf2258 Fix build with rpm-4.16 and a HTTP boot issue with relative paths
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-06-08 10:15:55 +02:00
Javier Martinez Canillas
098a8a9e99 Fix an out of memory error when loading large initrd images
Resolves: rhbz#1838633

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-05-26 18:09:54 +02:00
Javier Martinez Canillas
7fb7a6a7a5 Don't update BLS files that aren't managed by GRUB scripts
Resolves: rhbz#1837783

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-05-20 14:21:29 +02:00
Javier Martinez Canillas
68246dd736 Only enable the tpm module for EFI platforms
The module is only built for EFI, so don't enable it for other platforms.

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-05-18 13:26:28 +02:00
Javier Martinez Canillas
4cf8c08cf7 Enable tpm module and make system to boot even if TPM measurements fail
Since GRUB 2.04 there is support for TPM measurements in a tpm module that
uses the verifiers framework. So this is used now instead of the previous
downstream patches that we were carrying.

But we forgot to enable this module when rebasing to 2.04 which leads to
GRUB no longer measuring the kernel, initrd and command line parameters.

One side effect of using the verifiers framework is that if measurements
fail, GRUB won't be able to open the files since the errors from the tpm
module are propagated. This means that a firmware with a buggy tpm support
will prevent the machine to boot, which was not the case with the previous
downstream patches. Don't propagate the measurement errors to prevent this.

Resolves: rhbz#1836433

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-05-18 10:19:45 +02:00
Adam Williamson
4ff1f12e40 10_linux.in: restore existence check in get_sorted_bls
2020-05-14 18:02:26 -07:00
Javier Martinez Canillas
4a742183a3 Store cmdline in BLS snippets instead of using a grubenv variable
The kernel cmdline was stored as a kernelopts variable in the grubenv file
and the BLS snippets used that. But this turned out to be fragile since the
grubenv file could be removed or get corrupted easily.

To prevent the entries to not have a cmdline if the grubenv can't be read,
a fallback variable was set in the GRUB config file. But this still caused
issues since the config needs to be re-generated to change the parameters.

Instead, let's store the cmdline in the BLS snippets. This will make the
configuration more robust, since it will work even without the grubenv
file and the BLS entries will contain all the information needed to boot.

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-05-13 20:03:20 +02:00
Javier Martinez Canillas
107dc9a693 Fix a segfault in grub2-editenv when attempting to shrink a variable
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-05-12 20:17:50 +02:00
Javier Martinez Canillas
b914a7e168 Fix bugs in the blscfg module and in the 10_linux script for ppc64le
blscfg: Lookup default_kernelopts variable as fallback for options
  Related: rhbz#1765297
10_linux.in: fix early exit due error when reading petitboot version
  Resolves: rhbz#1827397

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-04-30 15:55:52 +02:00
Javier Martinez Canillas
b28e5aa886 efi: Set image base address before jumping to the PE/COFF entry point
Resolves: rhbz#1825411

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-04-23 21:35:17 +02:00
Javier Martinez Canillas
5b188159a7 Make the grub-switch-to-blscfg and 10_linux scripts more robust
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-04-16 21:42:23 +02:00
Javier Martinez Canillas
7509e59c4a Drop 10_linux_bls and avoid corner case of blsdir set with ostree
The logic to parse the BLS configs to generate a set of menuentry commands
that's needed on ppc64le machines with bootloaders that don't have support
to parse BLS config directly, was implemented in a 10_linux_bls script.

But there's no need to have a separate script just for this and this logic
can be merged into the 10_linux script to avoid code duplication.

Also since the blscfg module will also now be used by ostree-based distros
there is a possible corner case in which a user set the blsdir variable to
a BLS directory path that is different than the default used by ostree.

So to avoid possible issues, only drop the marker file to specify that the
bootloader has support to parse BLS files if this variable hasn't been set.

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-04-02 14:44:30 +02:00
Javier Martinez Canillas
7c2bab5e98 grub-switch-to-blscfg: Update grub2 binary in ESP for OSTree systems
Related: rhbz#1751272

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-03-26 18:30:49 +01:00