diff --git a/0063-Add-friendly-grub2-password-config-tool-985962.patch b/0063-Add-friendly-grub2-password-config-tool-985962.patch index fdb1d531de13dfe641edecb371f789159539d133..f7cbd0a352ecc51fb5b4c4c6e365323c6b636651 100644 --- a/0063-Add-friendly-grub2-password-config-tool-985962.patch +++ b/0063-Add-friendly-grub2-password-config-tool-985962.patch @@ -158,7 +158,7 @@ index 000000000..dd76f00fc +$0 prompts the user to set a password on the grub bootloader. The password +is written to a file named user.cfg. + -+Report bugs at https://bugzilla.openanolis.cn. ++Report bugs at https://bugzilla.redhat.com. +EOF +} + diff --git a/0069-Clean-up-grub-setpassword-documentation-1290799.patch b/0069-Clean-up-grub-setpassword-documentation-1290799.patch index 28e01d423a4f76ad3d29764c61b011dba6d6ebdb..65460befff66a43d0673e7ae11445f6ecdbd59ea 100644 --- a/0069-Clean-up-grub-setpassword-documentation-1290799.patch +++ b/0069-Clean-up-grub-setpassword-documentation-1290799.patch @@ -51,5 +51,5 @@ index fb9d3a3b6..c8c0fa419 100644 + -v, --version print the version information and exit + -o, --output_path put user.cfg in a user-selected directory - Report bugs at https://bugzilla.openanolis.cn. + Report bugs at https://bugzilla.redhat.com. EOF diff --git a/20-grub.install b/20-grub.install index 8c2a7dc9ba2c0e17cb1f50c65076da43419fccdb..40a437c3ebbf48017d7005c509b1478d52eac992 100755 --- a/20-grub.install +++ b/20-grub.install 
@@ -155,8 +155,9 @@ case "$COMMAND" in if [[ "x${GRUB_ENABLE_BLSCFG}" = "xtrue" ]] || [[ ! -f /sbin/new-kernel-pkg ]]; then ARCH="$(uname -m)" BLS_TARGET="${BLS_DIR}/${MACHINE_ID}-${KERNEL_VERSION}.conf" + BLS_FAKE_TARGET="${BLS_DIR}/ffffffffffffffffffffffffffffffff-${KERNEL_VERSION}.conf" BLS_DEBUG="$(echo ${BLS_TARGET} | sed -e "s/${KERNEL_VERSION}/${KERNEL_VERSION}~debug/")" - rm -f "${BLS_TARGET}" "${BLS_DEBUG}" + rm -f "${BLS_TARGET}" "${BLS_DEBUG}" "${BLS_FAKE_TARGET}" for i in vmlinuz System.map config zImage.stub dtb; do rm -rf "/boot/${i}-${KERNEL_VERSION}" diff --git a/99-grub-mkconfig.install b/99-grub-mkconfig.install old mode 100644 new mode 100755 index b14fc82a377e73729ba608791cd82fc2b36be0e2..57e2cd21e0e388dd12585da1e6c1e1392bce79a9 --- a/99-grub-mkconfig.install +++ b/99-grub-mkconfig.install @@ -9,16 +9,22 @@ ARCH=$(uname -m) [[ -f /etc/default/grub ]] && . /etc/default/grub # Can't assume a BLS capable bootloader on ppc64 -if [[ x$GRUB_ENABLE_BLSCFG != xfalse && +if [[ x$GRUB_ENABLE_BLSCFG = xtrue && $ARCH != "ppc64" && $ARCH != "ppc64le" ]]; then exit 0 fi COMMAND="$1" +grub_cfg=/boot/grub2/grub.cfg +if mountpoint -q /boot/efi; then + os_name=$(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/' -e 's/\"//g') + grub_cfg=/boot/efi/EFI/$os_name/grub.cfg +fi + case "$COMMAND" in add|remove) - grub2-mkconfig --no-grubenv-update -o /boot/grub2/grub.cfg >& /dev/null + grub2-mkconfig --no-grubenv-update -o $grub_cfg >& /dev/null ;; *) ;; diff --git a/grub2.spec b/grub2.spec index 1ca9db805d6cb0fb0480cef339c685da9cd2458c..5fca4914788f712411cc81159a500d067db0d0ed 100644 --- a/grub2.spec +++ b/grub2.spec @@ -12,7 +12,7 @@ Name: grub2 Epoch: 1 Version: 2.02 -Release: 158%{anolis_release}%{?dist} +Release: 160%{anolis_release}%{?dist} Summary: Bootloader with support for Linux, Multiboot and more Group: System Environment/Base License: GPLv3+ 
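Review bot: The 32-character all-`f` machine-id in `BLS_FAKE_TARGET` is a magic literal with no explanation, so a later reader cannot tell why `rm -f` now removes a third path. A one-line comment above the assignment would cover it, for example `# BLS entry written under the placeholder machine-id; removed together with the real one (RHEL-4316)`. The "placeholder" meaning is inferred from the changelog entry in this commit and should be confirmed. The enclosing `case` arm starts and ends outside the hunk.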
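Review bot: `os_name` goes into the EFI config path without a check that it is non-empty, and `$grub_cfg` is passed to `grub2-mkconfig -o` unquoted. If `/etc/os-release` has no `ID=` line the target becomes `/boot/efi/EFI//grub.cfg`, and a single-quoted value keeps its quotes because the sed strips only double quotes. Output goes to `/dev/null`, so the cause of a failed write is not visible and the boot menu may be left stale after a kernel add or remove. I would guard the switch with `[[ -n "$os_name" && -d "/boot/efi/EFI/$os_name" ]]` and call `grub2-mkconfig --no-grubenv-update -o "$grub_cfg"`. The changed condition now reaches this path whenever `GRUB_ENABLE_BLSCFG` is unset, so it runs on more systems than before.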
@@ -29,23 +29,29 @@ Source6: gitignore Source8: strtoull_test.c Source9: 20-grub.install Source12: 99-grub-mkconfig.install +Source13: redhatsecurebootca3.cer +Source14: redhatsecureboot301.cer +Source15: redhatsecurebootca5.cer +Source16: redhatsecureboot502.cer +Source17: redhatsecureboot601.cer +Source18: redhatsecureboot701.cer Source19: sbat.csv.in %include %{SOURCE1} %if 0%{with_efi_arch} -%define old_sb_ca %{_datadir}/pki/sb-certs/secureboot-ca-%{_arch}.cer -%define old_sb_cer %{_datadir}/pki/sb-certs/secureboot-grub2-%{_arch}.cer -%define old_sb_key anolisbootsigningcert -%define sb_ca %{_datadir}/pki/sb-certs/secureboot-ca-%{_arch}.cer -%define sb_cer %{_datadir}/pki/sb-certs/secureboot-grub2-%{_arch}.cer -%define sb_key anolisbootsigningcert +%define old_sb_ca %{SOURCE13} +%define old_sb_cer %{SOURCE14} +%define old_sb_key redhatsecureboot301 +%define sb_ca %{SOURCE15} +%define sb_cer %{SOURCE16} +%define sb_key redhatsecureboot502 %endif %ifarch ppc64le -%define old_sb_cer %{_datadir}/pki/sb-certs/secureboot-grub2-%{_arch}.cer -%define sb_cer %{_datadir}/pki/sb-certs/secureboot-grub2-%{_arch}.cer -%define sb_key anolisbootsigningcert +%define old_sb_cer %{SOURCE17} +%define sb_cer %{SOURCE18} +%define sb_key redhatsecureboot702 %endif # generate with do-rebase @@ -166,7 +172,7 @@ mkdir grub-%{grubefiarch}-%{tarversion} grep -A100000 '# stuff "make" creates' .gitignore > grub-%{grubefiarch}-%{tarversion}/.gitignore cp %{SOURCE4} grub-%{grubefiarch}-%{tarversion}/unifont.pcf.gz sed -e "s,@@VERSION@@,%{version},g" -e "s,@@VERSION_RELEASE@@,%{version}-%{release},g" \ - -e '/,Red Hat,/ s,\.anolis\.[0-9]\.[0-9],,g' %{SOURCE19} > grub-%{grubefiarch}-%{tarversion}/sbat.csv + %{SOURCE19} > grub-%{grubefiarch}-%{tarversion}/sbat.csv git add grub-%{grubefiarch}-%{tarversion} %endif %if 0%{with_alt_efi_arch} 
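Review bot: In the `%ifarch ppc64le` block `sb_key` is `redhatsecureboot702` while `sb_cer` is `%{SOURCE18}`, i.e. `redhatsecureboot701.cer`; in the EFI block the nickname and the certificate file agree (`redhatsecureboot502` and `redhatsecureboot502.cer`). If the nickname and the shipped certificate are not the same key pair, binaries signed at build time would presumably not verify against that certificate, so please confirm the 701/702 pairing and record it in a comment such as `# key nickname 702 pairs with redhatsecureboot701.cer, confirmed <REFERENCE>`. This hunk also swaps every signing certificate and key nickname while `Release` still carries `%{anolis_release}`. The six added `.cer` files are binary and cannot be read in the diff, so their fingerprints should be compared out of band with a trusted copy before merging.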
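Review bot: Dropping the `-e '/,Red Hat,/ s,\.anolis\.[0-9]\.[0-9],,g'` expression means `@@VERSION_RELEASE@@` on the `grub.rh` SBAT line is now filled with the full `%{version}-%{release}`, and `Release` still includes `%{anolis_release}`. Together with the `sbat.csv.in` hunk, which deletes the `grub.anolis` entry, a downstream build of this spec would carry the Red Hat component line with a downstream release string and no vendor line of its own. That makes an SBAT revocation aimed at this particular build harder to express. The new changelog entry `2.02-160.0.1` suggests the package is still built downstream, so I would keep a vendor line in `sbat.csv.in` and the version normalisation in the `sed` call, or state in the commit message where they are re-added.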
@@ -530,7 +536,7 @@ fi %endif %changelog -* Tue Nov 12 2024 Bo Ren - 2.02-158.0.1 +* Tue Dec 24 2024 Bo Ren - 2.02-160.0.1 - Build pc-modules package on x86_64 (geliwei@openanolis.org) - Add loongarch64 base support (zhangwenlong@loongson.cn)(chenguoqi@loongson.cn) - Fix a bug in bls_make_list, blscfg. (zhonglingh@linux.alibaba.com) @@ -539,6 +545,14 @@ fi - LoongArch64 support fdt and phy-addr BIOS(yangqiming@loongson.cn) - Remove dtb dir with correct argument (Liwei Ge) +* Wed Nov 13 2024 Leo Sandoval - 2.02-160 +- Remove BLS fake config in case of kernel removal +- Resolves: #RHEL-4316 + +* Tue Nov 12 2024 Leo Sandoval - 2.02-159 +- Fix default behavior when GRUB_ENABLE_BLSCFG is not present +- Resolves: #RHEL-4319 + * Thu Sep 19 2024 Leo Sandoval - 2.02-158 - grub-mkconfig.in: turn off executable owner bit - Resolves: #RHEL-58835 diff --git a/redhatsecureboot301.cer b/redhatsecureboot301.cer new file mode 100644 index 0000000000000000000000000000000000000000..4ff8b79e6736e566dbf39603e0887a53345aa4e4 Binary files /dev/null and b/redhatsecureboot301.cer differ diff --git a/redhatsecureboot502.cer b/redhatsecureboot502.cer new file mode 100644 index 0000000000000000000000000000000000000000..be0b5e211ccf8ad7ba74c88841c921cfdbad5a70 Binary files /dev/null and b/redhatsecureboot502.cer differ diff --git a/redhatsecureboot601.cer b/redhatsecureboot601.cer new file mode 100644 index 0000000000000000000000000000000000000000..c92b96b4e0d360b90333361ea61f565f196ea20e Binary files /dev/null and b/redhatsecureboot601.cer differ diff --git a/redhatsecureboot701.cer b/redhatsecureboot701.cer new file mode 100644 index 0000000000000000000000000000000000000000..25e3743e47c3c1f06da0124a1d99e99e4920f6e7 Binary files /dev/null and b/redhatsecureboot701.cer differ 
diff --git a/redhatsecurebootca3.cer b/redhatsecurebootca3.cer
new file mode 100644
index 0000000000000000000000000000000000000000..b2354007b9668258683b99a68fa5bdd3067c31b1
Binary files /dev/null and b/redhatsecurebootca3.cer differ
diff --git a/redhatsecurebootca5.cer b/redhatsecurebootca5.cer
new file mode 100644
index 0000000000000000000000000000000000000000..dfb0284954861282d1a0ce16c8c5cdc71c27659f
Binary files /dev/null and b/redhatsecurebootca5.cer differ
diff --git a/sbat.csv.in b/sbat.csv.in
index d89d534f9daeb01d1d7e2b907081d6304d133627..b338b5f58cb646e4d1892e941b4ba8c667d8a2c0 100755
--- a/sbat.csv.in
+++ b/sbat.csv.in
@@ -1,4 +1,3 @@
 sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
 grub,3,Free Software Foundation,grub,@@VERSION@@,https//www.gnu.org/software/grub/
 grub.rh,2,Red Hat,grub2,@@VERSION_RELEASE@@,mailto:secalert@redhat.com
-grub.anolis,2,Anolis OS,grub2,@@VERSION_RELEASE@@,mail:ansa-announce@lists.openanolis.cn