import tboot-1.10.5-2.el9

SPECS/tboot.spec

@@ -1,7 +1,7 @@
 Summary:        Performs a verified launch using Intel TXT
 Name:           tboot
 Version:        1.10.5
-Release:        1%{?dist}
+Release:        2%{?dist}
 Epoch:          1
 
 License:        BSD
@@ -33,16 +33,41 @@ LDFLAGS="%{build_ldflags}"; export LDFLAGS
 make debug=y %{?_smp_mflags}
 
 %post
-efidir=$(find /boot -type d -name EFI)
-if [ -n "$efidir" ]; then
+# Rmove the grub efi modules if they had been placed in the wrong directory by
+# a previous install.
+[ -d /boot/efi/EFI/redhat/x86_64-efi ] && rm -rf /boot/efi/EFI/redhat/x86_64-efi
+# create the tboot grub entry
+grub2-mkconfig -o /boot/grub2/grub.cfg
+
+# For EFI based machines ...
+if [ -d /sys/firmware/efi ]; then
 	echo "EFI detected .."
-	mkdir -pv /boot/efi/EFI/redhat/x86_64-efi
-	cp -vf /usr/lib/grub/x86_64-efi/relocator.mod /boot/efi/EFI/redhat/x86_64-efi/
-	cp -vf /usr/lib/grub/x86_64-efi/multiboot2.mod /boot/efi/EFI/redhat/x86_64-efi/
-	gcfg=$(find /boot -name grub.cfg -print -quit)
-	[ -n "$gcfg" ] && grub2-mkconfig -o "$gcfg"
+	[ -d /boot/grub2/x86_64-efi ] || mkdir -pv /boot/grub2/x86_64-efi
+	cp -vf /usr/lib/grub/x86_64-efi/relocator.mod /boot/grub2/x86_64-efi/
+	cp -vf /usr/lib/grub/x86_64-efi/multiboot2.mod /boot/grub2/x86_64-efi/
+
+	# If there were a previous install of tboot that overwrote the
+	# originally installed /boot/efi/EFI/redhat/grub.cfg stub, then
+	# recreate it.
+	if grep -q -m1 tboot /boot/efi/EFI/redhat/grub.cfg; then
+cat << EOF > /boot/efi/EFI/redhat/grub.cfg
+search --no-floppy --fs-uuid --set=dev \
+	$(lsblk -no UUID $(df -P /boot/grub2 | awk 'END{print $1}'))
+set prefix=(\$dev)/grub2
+export \$prefix
+configfile \$prefix/grub.cfg
+EOF
+		chown root:root /boot/efi/EFI/redhat/grub.cfg
+		chmod u=rwx,go= /boot/efi/EFI/redhat/grub.cfg
+	fi
 fi
 
+%postun
+# Remove residual grub efi modules.
+[ -d /boot/grub2/x86_64-efi ] && rm -rf /boot/grub2/x86_64-efi
+[ -d /boot/efi/EFI/redhat/x86_64-efi ] && rm -rf /boot/efi/EFI/redhat/x86_64-efi
+grub2-mkconfig -o /etc/grub2.cfg
+
 %install
 make debug=y DISTDIR=$RPM_BUILD_ROOT install
 
@@ -70,6 +95,21 @@ make debug=y DISTDIR=$RPM_BUILD_ROOT install
 /boot/tboot-syms
 
 %changelog
+* Thu Aug 18 2022 Tony Camuso <tcamuso@redhat.com> - 1:1.10.5-2
+- The install scriptlet in %post was choosing the first grub.cfg
+  file it encountered, which was /boot/efi/EFI/redhat/grub.cfg.
+  This is a stub that defines grub boot disk UUID necessary for
+  proper grubenv setup, and it must not be overwritten or changed.
+  Modify the scriptlet to target /boot/grub2/grub.cfg
+  Additionally, remove any wrongly created /boot/grub2/x86_64-efi
+  directory and recreate the correct /boot/efi/EFI/redhat/grub.cfg
+  stub file.
+  Added a %postun section to cleanup when removing tboot with
+  dnf erase.
+  Thanks to Lenny Szubowicz for the bash code to recreate the
+  /boot/efi/EFI/redhat/grub.cfg stub file.
+  Resolves: rhbz#2112236
+
 * Wed May 04 2022 Tony Camuso <tcamuso@redhat.com> - 1:1.10.5-1
 - Upgrade to tboot-1.10.5-1 for fixes and updates.
 - Added a Requires line to install grub2-efi-x64-modules