

No commits in common. "c8" and "a8-beta" have entirely different histories.
c8 ... a8-beta

10 changed files with 55 additions and 103 deletions

.gitignore vendored

@ -1,9 +1,3 @@
SOURCES/grub-2.02.tar.xz
SOURCES/redhatsecureboot301.cer
SOURCES/redhatsecureboot502.cer
SOURCES/redhatsecureboot601.cer
SOURCES/redhatsecureboot701.cer
SOURCES/redhatsecurebootca3.cer
SOURCES/redhatsecurebootca5.cer
SOURCES/theme.tar.bz2
SOURCES/unifont-5.1.20080820.pcf.gz


@ -1,9 +1,3 @@
3d7eb6eaab28b88cb969ba9ab24af959f4d1b178 SOURCES/grub-2.02.tar.xz
4a07b56e28741884b86da6ac91f8f9929541a1e4 SOURCES/redhatsecureboot301.cer
3f94c47f1d08bacc7cb29bdd912e286b8d2f6fcf SOURCES/redhatsecureboot502.cer
039357ef97aab3e484d1119edd4528156f5859e6 SOURCES/redhatsecureboot601.cer
e89890ca0ded2f9058651cc5fa838b78db2e6cc2 SOURCES/redhatsecureboot701.cer
cf9230e69000076727e5b784ec871d22716dc5da SOURCES/redhatsecurebootca3.cer
e6f506462069aa17d2e8610503635c20f3a995c3 SOURCES/redhatsecurebootca5.cer
cf0b7763c528902da7e8b05cfa248f20c8825ce5 SOURCES/theme.tar.bz2
87f8600ba24e521b5d20bdf6c4b71af8ae861e3a SOURCES/unifont-5.1.20080820.pcf.gz


@ -1,27 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Leo Sandoval <lsandova@redhat.com>
Date: Thu, 19 Sep 2024 10:15:13 -0600
Subject: [PATCH] grub-mkconfig.in: turn off executable owner bit
Stricker permissions are required on the grub.cfg file, resulting in
at most 0600 owner's file permissions. This resolves conflicting
requirement permissions on grub2-pc package's grub2.cfg file.
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
---
util/grub-mkconfig.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
index a1c00776d..573004915 100644
--- a/util/grub-mkconfig.in
+++ b/util/grub-mkconfig.in
@@ -317,7 +317,7 @@ and /etc/grub.d/* files or please file a bug report with
exit 1
else
# none of the children aborted with error, install the new grub.cfg
- oldumask=$(umask); umask 077
+ oldumask=$(umask); umask 177
cat ${grub_cfg}.new > ${grub_cfg}
umask $oldumask
rm -f ${grub_cfg}.new


@ -90,10 +90,13 @@ case "$COMMAND" in
[[ -d "$BLS_DIR" ]] || mkdir -m 0700 -p "$BLS_DIR"
BLS_ID="${MACHINE_ID}-${KERNEL_VERSION}"
BLS_TARGET="${BLS_DIR}/${BLS_ID}.conf"
if [[ -f "${KERNEL_DIR}/bls.conf" ]]; then
cp -aT "${KERNEL_DIR}/bls.conf" "${BLS_TARGET}" || exit $?
else
mkbls "${KERNEL_VERSION}" \
"$(date -u +%Y%m%d%H%M%S -d "$(stat -c '%y' "${KERNEL_DIR}")")" \
>"${BLS_TARGET}"
command -v restorecon &>/dev/null && restorecon -R "${BLS_TARGET}"
fi
LINUX="$(grep '^linux[ \t]' "${BLS_TARGET}" | sed -e 's,^linux[ \t]*,,')"
INITRD="$(grep '^initrd[ \t]' "${BLS_TARGET}" | sed -e 's,^initrd[ \t]*,,')"
@ -155,9 +158,8 @@ case "$COMMAND" in
if [[ "x${GRUB_ENABLE_BLSCFG}" = "xtrue" ]] || [[ ! -f /sbin/new-kernel-pkg ]]; then
ARCH="$(uname -m)"
BLS_TARGET="${BLS_DIR}/${MACHINE_ID}-${KERNEL_VERSION}.conf"
BLS_FAKE_TARGET="${BLS_DIR}/ffffffffffffffffffffffffffffffff-${KERNEL_VERSION}.conf"
BLS_DEBUG="$(echo ${BLS_TARGET} | sed -e "s/${KERNEL_VERSION}/${KERNEL_VERSION}~debug/")"
rm -f "${BLS_TARGET}" "${BLS_DEBUG}" "${BLS_FAKE_TARGET}"
rm -f "${BLS_TARGET}" "${BLS_DEBUG}"
for i in vmlinuz System.map config zImage.stub dtb; do
rm -rf "/boot/${i}-${KERNEL_VERSION}"
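Review bot: The retained `rm -f "${BLS_TARGET}" "${BLS_DEBUG}"` (L89, the shorter of the printed pair) removes only the real and `~debug` entries, so if an entry named with the all-f fake machine id (the `ffffffffffffffffffffffffffffffff-${KERNEL_VERSION}.conf` path that L86 computes) is ever written, it survives the `remove` path while the `vmlinuz-${KERNEL_VERSION}` it points to is deleted by the loop on L90-L91, leaving a boot entry for a kernel that no longer exists. Whether such fake-id entries are created on this branch is not visible on this page; if they are, keep a `BLS_FAKE_TARGET` variable as on L86 and pass it to the `rm -f`. Which of L88/L89 is the new side is inferred from print order and the 9→8 line count in the hunk header. The `case` statement enclosing both hunks begins and ends outside this section.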

SOURCES/99-grub-mkconfig.install Executable file → Normal file

@ -9,22 +9,16 @@ ARCH=$(uname -m)
[[ -f /etc/default/grub ]] && . /etc/default/grub
# Can't assume a BLS capable bootloader on ppc64
if [[ x$GRUB_ENABLE_BLSCFG = xtrue &&
if [[ x$GRUB_ENABLE_BLSCFG != xfalse &&
$ARCH != "ppc64" && $ARCH != "ppc64le" ]]; then
exit 0
fi
COMMAND="$1"
grub_cfg=/boot/grub2/grub.cfg
if mountpoint -q /boot/efi; then
os_name=$(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/' -e 's/\"//g')
grub_cfg=/boot/efi/EFI/$os_name/grub.cfg
fi
case "$COMMAND" in
add|remove)
grub2-mkconfig --no-grubenv-update -o $grub_cfg >& /dev/null
grub2-mkconfig --no-grubenv-update -o /boot/grub2/grub.cfg >& /dev/null
;;
*)
;;
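Review bot: The hard-coded `-o /boot/grub2/grub.cfg` (L114) disagrees with the `%posttrans` added in grub2.spec on this same page, which generates `%{efi_esp_dir}/grub.cfg` on EFI machines, so on an EFI install with `GRUB_ENABLE_BLSCFG=false` a kernel add/remove regenerates a file the ESP-resident GRUB does not read; the `mountpoint -q /boot/efi` selection on L106-L110 is the form to keep, with `grub2-mkconfig --no-grubenv-update -o "$grub_cfg" >& /dev/null`. The `!= xfalse` test (L101) treats an unset variable as BLS-enabled and skips regeneration, whereas the `= "xtrue"` test in 20-grub.install (L83) treats the same state as not-BLS; presumably only an explicit `true` should short-circuit here, i.e. `if [[ x$GRUB_ENABLE_BLSCFG = xtrue &&`. The header also shows the file losing its executable bit in git; if the spec installs it with an explicit mode this is harmless, otherwise kernel-install will not run a non-executable plugin, so confirm the install step. Which lines are the new side is inferred from old-then-new print order and the 22→16 hunk counts.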



@ -285,7 +285,13 @@ Requires: %{name}-common = %{evr} \
Requires: %{name}-tools-minimal >= %{evr} \
Requires: %{name}-tools-extra = %{evr} \
Requires: %{name}-tools = %{evr} \
Requires: %{efi_esp_dir}/shim%%(echo %{1} | cut -d- -f2).efi \
Provides: %{name}-efi = %{evr} \
Provides: almalinux(grub2-sig-key) = 202303 \
%{expand:%%ifarch x86_64 \
Conflicts: shim-x64 <= 15.6-1.el8.alma \
Conflicts: shim-ia32 <= 15.6-1.el8.alma \
%%endif} \
%{?legacy_provides:Provides: %{name} = %{evr}} \
%{-o:Obsoletes: %{name}-efi < %{evr}} \
\
@ -540,7 +546,7 @@ install -D -m 700 unicode.pf2 \\\
$RPM_BUILD_ROOT%{efi_esp_dir}/fonts/unicode.pf2 \
${RPM_BUILD_ROOT}/%{_bindir}/%{name}-editenv \\\
${RPM_BUILD_ROOT}%{efi_esp_dir}/grubenv create \
ln -sf ../efi/EFI/%{efi_vendor}/grubenv \\\
ln -sf ../efi/EFI/%{efidir}/grubenv \\\
$RPM_BUILD_ROOT/boot/grub2/grubenv \
cd .. \
%{nil}
@ -589,15 +595,14 @@ install -d -m 0700 ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig \
touch ${RPM_BUILD_ROOT}%{_sysconfdir}/default/grub \
ln -sf ../default/grub \\\
${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig/grub \
touch grub.cfg \
install -m 0600 grub.cfg ${RPM_BUILD_ROOT}/boot/%{name}/ \
touch ${RPM_BUILD_ROOT}/boot/%{name}/grub.cfg \
%{nil}
%define define_legacy_variant_files() \
%{expand:%%files %{1}} \
%defattr(-,root,root,-) \
%config(noreplace) %{_sysconfdir}/%{name}.cfg \
%ghost %config(noreplace) %attr(0600,root,root)/boot/%{name}/grub.cfg \
%ghost %config(noreplace) %attr(0700,root,root)/boot/%{name}/grub.cfg \
%dir %attr(0700,root,root)/boot/loader/entries \
%ifarch ppc64le \
%dir %{_libdir}/grub/%{2}/ \
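Review bot: The new side ghosts `/boot/%{name}/grub.cfg` with `%attr(0700,root,root)` (L159), which sets the owner-execute bit on a configuration file that nothing executes; `%attr(0600,root,root)` as on L158 is the mode that fits, and the build-time `touch ${RPM_BUILD_ROOT}/boot/%{name}/grub.cfg` (L152) should become `install -m 0600` so the file does not inherit the build host's umask. grub-mkconfig installs a regenerated config with `cat ${grub_cfg}.new > ${grub_cfg}` (L62 of the removed patch on this page), and a redirection into an existing file leaves its mode untouched, so the mode the package sets is the mode the file keeps; the c8 side backs this with a `%posttrans` that normalizes an existing grub.cfg to 0600, which the new side does not carry. `define_legacy_variant_files` continues past the end of the hunk.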


@ -588,4 +588,3 @@ Patch0587: 0587-fs-ntfs-Fix-an-OOB-read-when-parsing-directory-entri.patch
Patch0588: 0588-fs-ntfs-Fix-an-OOB-read-when-parsing-bitmaps-for-ind.patch
Patch0589: 0589-fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-label.patch
Patch0590: 0590-fs-ntfs-Make-code-more-readable.patch
Patch0591: 0591-grub-mkconfig.in-turn-off-executable-owner-bit.patch


@ -1,3 +1,4 @@
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,3,Free Software Foundation,grub,@@VERSION@@,https//www.gnu.org/software/grub/
grub.rh,2,Red Hat,grub2,@@VERSION_RELEASE@@,mailto:secalert@redhat.com
grub.rh,2,Red Hat,grub2,@@RHEL_VERSION_RELEASE@@,mailto:secalert@redhat.com
grub.almalinux,2,AlmaLinux,grub2,@@VERSION_RELEASE@@,mail:security@almalinux.org
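Review bot: The added AlmaLinux entry (L179) ends with `mail:security@almalinux.org`, a scheme that does not exist; the Red Hat entry directly above uses `mailto:`, so the field should read `mailto:security@almalinux.org`. That field is informational, but the second field is the generation number shim compares against its SBAT revocation data, and `grub.almalinux,2` is now independent of `grub.rh,2` — presumably it is meant to track the RHEL generation it is derived from, so a future `grub.rh` bump taken from RHEL needs to be mirrored here deliberately. The pre-existing `https//www.gnu.org` on L176 is also missing its colon but is untouched upstream context.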


@ -1,3 +1,7 @@
%global efi_vendor almalinux
%global efidir almalinux
%global efi_esp_dir /boot/efi/EFI/%{efidir}
%undefine _hardened_build
%global tarversion 2.02
@ -7,7 +11,7 @@
Name: grub2
Epoch: 1
Version: 2.02
Release: 160%{?dist}
Release: 156%{?dist}.alma.1
Summary: Bootloader with support for Linux, Multiboot and more
Group: System Environment/Base
License: GPLv3+
@ -24,31 +28,29 @@ Source6: gitignore
Source8: strtoull_test.c
Source9: 20-grub.install
Source12: 99-grub-mkconfig.install
Source13: redhatsecurebootca3.cer
Source14: redhatsecureboot301.cer
Source15: redhatsecurebootca5.cer
Source16: redhatsecureboot502.cer
Source17: redhatsecureboot601.cer
Source18: redhatsecureboot701.cer
Source13: almalinuxsecurebootca0.cer
Source19: sbat.csv.in
%include %{SOURCE1}
%if 0%{with_efi_arch}
%define old_sb_ca %{SOURCE13}
%define old_sb_cer %{SOURCE14}
%define old_sb_key redhatsecureboot301
%define sb_ca %{SOURCE15}
%define sb_cer %{SOURCE16}
%define sb_key redhatsecureboot502
%define old_sb_cer %{SOURCE13}
%define old_sb_key almalinuxsecurebootca0
%define sb_ca %{SOURCE13}
%define sb_cer %{SOURCE13}
%define sb_key almalinuxsecurebootca0
%endif
%ifarch ppc64le
%define old_sb_cer %{SOURCE17}
%define sb_cer %{SOURCE18}
%define sb_key redhatsecureboot702
%define old_sb_cer %{SOURCE13}
%define sb_cer %{SOURCE13}
%define sb_key almalinuxsecurebootca0
%endif
# AlmaLinux: keep upstream EVR for RHEL SBAT entry
%define rhel_version_release $(echo %{version}-%{release} | sed 's/\.alma.*//')
# generate with do-rebase
%include %{SOURCE2}
@ -166,7 +168,7 @@ This subpackage provides tools for support of all platforms.
mkdir grub-%{grubefiarch}-%{tarversion}
grep -A100000 '# stuff "make" creates' .gitignore > grub-%{grubefiarch}-%{tarversion}/.gitignore
cp %{SOURCE4} grub-%{grubefiarch}-%{tarversion}/unifont.pcf.gz
sed -e "s,@@VERSION@@,%{version},g" -e "s,@@VERSION_RELEASE@@,%{version}-%{release},g" \
sed -e "s,@@VERSION@@,%{version},g" -e "s,@@VERSION_RELEASE@@,%{version}-%{release},g" -e "s,@@RHEL_VERSION_RELEASE@@,%{rhel_version_release},g" \
%{SOURCE19} > grub-%{grubefiarch}-%{tarversion}/sbat.csv
git add grub-%{grubefiarch}-%{tarversion}
%endif
@ -310,19 +312,6 @@ if [ "$1" = 2 ]; then
/sbin/grub2-switch-to-blscfg --backup-suffix=.rpmsave &>/dev/null || :
fi
%posttrans common
set -eu
GRUB_HOME=/boot/%{name}
if test -f ${GRUB_HOME}/grub.cfg; then
# make sure GRUB_HOME/grub.cfg has 600 permissions
GRUB_CFG_MODE=$(stat --format="%a" ${GRUB_HOME}/grub.cfg)
if ! test "${GRUB_CFG_MODE}" = "600"; then
chmod 0600 ${GRUB_HOME}/grub.cfg
fi
fi
%triggerun -- grub2 < 1:1.99-4
# grub2 < 1.99-4 removed a number of essential files in postun. To fix upgrades
# from the affected grub2 packages, we first back up the files in triggerun and
@ -354,6 +343,20 @@ if [ "$1" = 0 ]; then
/sbin/install-info --delete --info-dir=%{_infodir} %{_infodir}/%{name}-dev.info.gz || :
fi
%if 0%{with_efi_arch}
%posttrans %{package_arch}
if [ -d /sys/firmware/efi ] && [ ! -f %{efi_esp_dir}/grub.cfg ]; then
grub2-mkconfig -o %{efi_esp_dir}/grub.cfg || :
fi
%endif
%if 0%{with_alt_efi_arch}
%posttrans %{alt_package_arch}
if [ -d /sys/firmware/efi ] && [ ! -f %{efi_esp_dir}/grub.cfg ]; then
grub2-mkconfig -o %{efi_esp_dir}/grub.cfg || :
fi
%endif
%files common -f grub.lang
%dir %{_libdir}/grub/
%dir %{_datarootdir}/grub/
@ -523,21 +526,8 @@ fi
%endif
%changelog
* Wed Nov 13 2024 Leo Sandoval <lsandova@redhat.com> - 2.02-160
- Remove BLS fake config in case of kernel removal
- Resolves: #RHEL-4316
* Tue Nov 12 2024 Leo Sandoval <lsandova@redhat.com> - 2.02-159
- Fix default behavior when GRUB_ENABLE_BLSCFG is not present
- Resolves: #RHEL-4319
* Thu Sep 19 2024 Leo Sandoval <lsandova@redhat.com> - 2.02-158
- grub-mkconfig.in: turn off executable owner bit
- Resolves: #RHEL-58835
* Wed Aug 14 2024 Leo Sandoval <lsandova@redhat.com> - 2.02-157
- 20-grub-install: fix SELinux security type context for BLS
- Resolves: #RHEL-4395
* Wed Apr 10 2024 Andrew Lukoshko <alukoshko@almalinux.org> - 2.02-156.alma.1
- Debrand for AlmaLinux
* Tue Feb 20 2024 Nicolas Frayer <nfrayer@redhat.com> - 2.02-156
- fs/ntfs: OOB write fix
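Review bot: In the Secure Boot hunk every signing macro on the new side collapses onto one file — `old_sb_cer`, `sb_ca` and `sb_cer` all expand to `%{SOURCE13}` (L218, L220-L221, L228-L229) and `old_sb_key` equals `sb_key` (L219, L222) — so the old/new pair that exists for key rotation carries no second key, and the macro used as the CA names the same certificate as the macro used as the signing cert. Whether a CA certificate is acceptable in the `%{sb_ca}` role depends on how grub.macros consumes it, which is outside this page; confirm against the mkimage/signing step rather than assume it. c8's `%define old_sb_ca %{SOURCE13}` (L212) has no counterpart on the new side, and rpm leaves an undefined `%{old_sb_ca}` as literal text in whatever command uses it, so either add `%define old_sb_ca %{SOURCE13}` beside L218 or confirm nothing still references it. Note also that `%define rhel_version_release $(echo ... | sed 's/\.alma.*//')` (L233) is only evaluated where the macro lands in shell context, as in the `sed` on L241; a comment to that effect would spare the next reader a surprise.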