diff --git a/backport-grub-core-loader-arm64-linux.c-do-not-validate-kerne.patch b/backport-grub-core-loader-arm64-linux.c-do-not-validate-kerne.patch
new file mode 100644
index 0000000000000000000000000000000000000000..de4f1908e6acfc97f8a9b251f37a161c1c3445d9
--- /dev/null
+++ b/backport-grub-core-loader-arm64-linux.c-do-not-validate-kerne.patch
@@ -0,0 +1,58 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Dimitri John Ledkov
+Date: Fri, 4 Mar 2022 11:29:31 +0100
+Subject: [PATCH] grub-core/loader/arm64/linux.c: do not validate kernel twice
+
+Call to grub_file_open(, GRUB_FILE_TYPE_LINUX_KERNEL) already passes
+the kernel file through shim-lock verifier when secureboot is on. Thus
+there is no need to validate the kernel image again. And when doing so
+again, duplicate PCR measurement is performed, breaking measurements
+compatibility with 2.04+linuxefi.
+
+This patch must not be ported to older editions of grub code bases
+that do not have verifiers framework, or it is not builtin, or
+shim-lock-verifier is an optional module.
+
+Signed-off-by: Dimitri John Ledkov
+---
+ grub-core/loader/arm64/linux.c | 13 -------------
+ 1 file changed, 13 deletions(-)
+
+diff --git a/grub-core/loader/arm64/linux.c b/grub-core/loader/arm64/linux.c
+index f18d90bd749..d2af47c2c0a 100644
+--- a/grub-core/loader/arm64/linux.c
++++ b/grub-core/loader/arm64/linux.c
+@@ -34,7 +34,6 @@
+ #include
+ #include
+ #include
+-#include
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -341,7 +340,6 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+ grub_off_t filelen;
+ grub_uint32_t align;
+ void *kernel = NULL;
+- int rc;
+ 
+ grub_dl_ref (my_mod);
+ 
+@@ -370,17 +368,6 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+ goto fail;
+ }
+ 
+- if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
+- {
+- rc = grub_linuxefi_secure_validate (kernel, filelen);
+- if (rc <= 0)
+- {
+- grub_error (GRUB_ERR_INVALID_COMMAND,
+- N_("%s has invalid signature"), argv[0]);
+- goto fail;
+- }
+- }
+-
+ if (grub_arch_efi_linux_check_image (kernel) != GRUB_ERR_NONE)
+ goto fail;
+ if (parse_pe_header (kernel, &kernel_size, &handover_offset, &align) != GRUB_ERR_NONE)
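Review bot: After this hunk the kernel image's signature is checked only by the shim_lock verifier that `grub_file_open` runs, so the deletion is safe exactly when that verifier is built into the kernel image and enforcing, which the patch header states as a precondition but nothing in this commit records for the openEuler build; the module lists in grub.macros on this page do not name shim_lock, consistent with it being built in on 2.06, but that should be confirmed for aarch64 as well as x86_64. The i386 hunk (Patch0207) makes the identical change and has the same precondition. Suggest a comment at the point where the block was removed, `/* Verified and measured once already by the shim_lock verifier in grub_file_open (GRUB_FILE_TYPE_LINUX_KERNEL); a second check would extend the PCR twice. */`, so nobody re-adds a direct call. grub_cmd_linux begins and ends outside the inner hunks.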
diff --git a/backport-grub-core-loader-efi-chainloader.c-do-not-validate-c.patch b/backport-grub-core-loader-efi-chainloader.c-do-not-validate-c.patch
new file mode 100644
index 0000000000000000000000000000000000000000..498a6d75e4e2de8a72833ba12c1b96404cefc022
--- /dev/null
+++ b/backport-grub-core-loader-efi-chainloader.c-do-not-validate-c.patch
@@ -0,0 +1,80 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Dimitri John Ledkov
+Date: Fri, 4 Mar 2022 09:31:43 +0100
+Subject: [PATCH] grub-core/loader/efi/chainloader.c: do not validate
+ chainloader twice
+
+On secureboot systems, with shimlock verifier, call to
+grub_file_open(, GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE) will already
+pass the chainloader target through shim-lock protocol verify
+call. And create a TPM measurement. If verification fails,
+grub_cmd_chainloader will fail at file open time.
+
+This makes previous code paths for negative, and zero return codes
+from grub_linuxefi_secure_validate unreachable under secureboot. But
+also breaking measurements compatibility with 2.04+linuxefi codebases,
+as the chainloader file is passed through shim_lock->verify() twice
+(via verifier & direct call to grub_linuxefi_secure_validate)
+extending the PCRs twice.
+
+This reduces grub_loader options to perform
+grub_secureboot_chainloader when secureboot is on, and otherwise
+attempt grub_chainloader_boot.
+
+It means that booting with secureboot off, yet still with shim (which
+always verifies things successfully), will stop choosing
+grub_secureboot_chainloader, and opting for a more regular
+loadimage/startimage codepath. If we want to use the
+grub_secureboot_chainloader codepath in such scenarios we should adapt
+the code to simply check for shim_lock protocol presence /
+shim_lock->context() success?! But I am not sure if that is necessary.
+
+This patch must not be ported to older editions of grub code bases
+that do not have verifiers framework, or it is not builtin, or
+shim-lock-verifier is an optional module.
+
+Signed-off-by: Dimitri John Ledkov
+---
+ grub-core/loader/efi/chainloader.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
+index 3af6b122926..644cd2e56fe 100644
+--- a/grub-core/loader/efi/chainloader.c
++++ b/grub-core/loader/efi/chainloader.c
+@@ -906,7 +906,6 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
+ grub_efi_device_path_t *dp = 0;
+ char *filename;
+ void *boot_image = 0;
+- int rc;
+ 
+ if (argc == 0)
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
+@@ -1082,9 +1081,7 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
+ orig_dev = 0;
+ }
+ 
+- rc = grub_linuxefi_secure_validate((void *)(unsigned long)address, fsize);
+- grub_dprintf ("chain", "linuxefi_secure_validate: %d\n", rc);
+- if (rc > 0)
++ if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
+ {
+ grub_file_close (file);
+ grub_device_close (dev);
+@@ -1092,7 +1089,7 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
+ grub_secureboot_chainloader_unload, 0);
+ return 0;
+ }
+- else if (rc == 0)
++ else
+ {
+ grub_load_and_start_image(boot_image);
+ grub_file_close (file);
+@@ -1101,7 +1098,6 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
+ 
+ return 0;
+ }
+- // -1 fall-through to fail
+ 
+ fail:
+ if (orig_dev)
diff --git a/backport-grub-core-loader-efi-linux.c-drop-now-unused-grub_li.patch b/backport-grub-core-loader-efi-linux.c-drop-now-unused-grub_li.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d23f46573dcf6110dd015bed19ef99179050e7d9
--- /dev/null
+++ b/backport-grub-core-loader-efi-linux.c-drop-now-unused-grub_li.patch
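Review bot: The new `if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)` test now carries the whole dispatch between the two boot paths, but the hunk adds no include for that function and no comment on where the signature check went; the header that declares `grub_efi_get_secureboot` must already be included by chainloader.c, which is outside this hunk and worth confirming before the backport is applied. With the `grub_dprintf ("chain", "linuxefi_secure_validate: %d\n", rc);` line gone there is also no trace left for debugging this decision. Suggest `/* Already verified and measured by the shim_lock verifier when grub_file_open () ran with GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE; a second check would extend the PCR twice. */` above the test and `grub_dprintf ("chain", "secure boot enabled, using secureboot chainloader\n");` as the first line of the branch. Note that every return value other than ENABLED now takes the `grub_load_and_start_image` path, which the commit message discusses only for the shim-without-secureboot case. grub_cmd_chainloader begins and ends outside the inner hunks.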
@@ -0,0 +1,83 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Dimitri John Ledkov
+Date: Fri, 4 Mar 2022 11:36:09 +0100
+Subject: [PATCH] grub-core/loader/efi/linux.c: drop now unused
+ grub_linuxefi_secure_validate
+
+Drop the now unused grub_linuxefi_secure_validate() as all prior users
+of this API now rely on the shim-lock-verifier codepath instead.
+
+This patch must not be ported to older editions of grub code bases
+that do not have verifiers framework, or it is not builtin, or
+shim-lock-verifier is an optional module.
+
+Signed-off-by: Dimitri John Ledkov
+---
+ grub-core/loader/efi/linux.c | 40 ----------------------------------------
+ include/grub/efi/linux.h | 2 --
+ 2 files changed, 42 deletions(-)
+
+diff --git a/grub-core/loader/efi/linux.c b/grub-core/loader/efi/linux.c
+index 9260731c107..9265cf4200a 100644
+--- a/grub-core/loader/efi/linux.c
++++ b/grub-core/loader/efi/linux.c
+@@ -24,46 +24,6 @@
+ #include
+ #include
+ 
+-#define SHIM_LOCK_GUID \
+- { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23} }
+-
+-struct grub_efi_shim_lock
+-{
+- grub_efi_status_t (*verify) (void *buffer, grub_uint32_t size);
+-};
+-typedef struct grub_efi_shim_lock grub_efi_shim_lock_t;
+-
+-// Returns 1 on success, -1 on error, 0 when not available
+-int
+-grub_linuxefi_secure_validate (void *data, grub_uint32_t size)
+-{
+- grub_efi_guid_t guid = SHIM_LOCK_GUID;
+- grub_efi_shim_lock_t *shim_lock;
+- grub_efi_status_t status;
+-
+- shim_lock = grub_efi_locate_protocol(&guid, NULL);
+- grub_dprintf ("secureboot", "shim_lock: %p\n", shim_lock);
+- if (!shim_lock)
+- {
+- grub_dprintf ("secureboot", "shim not available\n");
+- return 0;
+- }
+-
+- grub_dprintf ("secureboot", "Asking shim to verify kernel signature\n");
+- status = shim_lock->verify (data, size);
+- grub_dprintf ("secureboot", "shim_lock->verify(): %ld\n", (long int)status);
+- if (status == GRUB_EFI_SUCCESS)
+- {
+- grub_dprintf ("secureboot", "Kernel signature verification passed\n");
+- return 1;
+- }
+-
+- grub_dprintf ("secureboot", "Kernel signature verification failed (0x%lx)\n",
+- (unsigned long) status);
+-
+- return -1;
+-}
+-
+ #pragma GCC diagnostic push
+ #pragma GCC diagnostic ignored "-Wcast-align"
+ 
+diff --git a/include/grub/efi/linux.h b/include/grub/efi/linux.h
+index 0033d9305a9..887b02fd9f3 100644
+--- a/include/grub/efi/linux.h
++++ b/include/grub/efi/linux.h
+@@ -22,8 +22,6 @@
+ #include
+ #include
+ 
+-int
+-EXPORT_FUNC(grub_linuxefi_secure_validate) (void *data, grub_uint32_t size);
+ grub_err_t
+ EXPORT_FUNC(grub_efi_linux_boot) (void *kernel_address, grub_off_t offset,
+ void *kernel_param);
diff --git a/backport-grub-core-loader-i386-efi-linux.c-do-not-validate-ke.patch b/backport-grub-core-loader-i386-efi-linux.c-do-not-validate-ke.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a0be66471932a21d499d6930ef1d8c0a25736278
--- /dev/null
+++ b/backport-grub-core-loader-i386-efi-linux.c-do-not-validate-ke.patch
@@ -0,0 +1,73 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Dimitri John Ledkov
+Date: Thu, 3 Mar 2022 13:10:56 +0100
+Subject: [PATCH] grub-core/loader/i386/efi/linux.c: do not validate kernels
+ twice
+
+On codebases that have shim-lock-verifier built into the grub core
+(like 2.06 upstream), shim-lock-verifier is in enforcing mode when
+booted with secureboot. It means that grub_cmd_linux() command
+attempts to perform shim validate upon opening linux kernel image,
+including kernel measurement. And the verifier correctly returns file
+open error when shim validate protocol is not present or shim fails to
+validate the kernel.
+
+This makes the call to grub_linuxefi_secure_validate() redundant, but
+also harmful. As validating the kernel image twice, extends the PCRs
+with the same measurement twice. Which breaks existing sealing
+policies when upgrading from grub2.04+rhboot+sb+linuxefi to
+grub2.06+rhboot+sb+linuxefi builds. It is also incorrect to measure
+the kernel twice.
+
+This patch must not be ported to older editions of grub code bases
+that do not have verifiers framework, or it is not builtin, or
+shim-lock-verifier is an optional module.
+
+This patch is tested to ensure that unsigned kernels are not possible
+to boot in secureboot mode when shim rejects kernel, or shim protocol
+is missing, and that the measurements become stable once again. The
+above also ensures that CVE-2020-15705 is not reintroduced.
+
+Signed-off-by: Dimitri John Ledkov
+---
+ grub-core/loader/i386/efi/linux.c | 13 -------------
+ 1 file changed, 13 deletions(-)
+
+diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
+index 3cf0f9b330b..941df6400b9 100644
+--- a/grub-core/loader/i386/efi/linux.c
++++ b/grub-core/loader/i386/efi/linux.c
+@@ -30,7 +30,6 @@
+ #include
+ #include
+ #include
+-#include
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -278,7 +277,6 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+ grub_ssize_t start, filelen;
+ void *kernel = NULL;
+ int setup_header_end_offset;
+- int rc;
+ 
+ grub_dl_ref (my_mod);
+ 
+@@ -308,17 +306,6 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+ goto fail;
+ }
+ 
+- if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
+- {
+- rc = grub_linuxefi_secure_validate (kernel, filelen);
+- if (rc <= 0)
+- {
+- grub_error (GRUB_ERR_INVALID_COMMAND,
+- N_("%s has invalid signature"), argv[0]);
+- goto fail;
+- }
+- }
+-
+ lh = (struct linux_i386_kernel_header *)kernel;
+ grub_dprintf ("linux", "original lh is at %p\n", kernel);
+ 
diff --git a/0205-fix-setupmode-not-available-in-some-machine.patch b/fix-setupmode-not-available-in-some-machine.patch
similarity index 100%
rename from 0205-fix-setupmode-not-available-in-some-machine.patch
rename to fix-setupmode-not-available-in-some-machine.patch
diff --git a/grub.macros b/grub.macros
index c9997fc5ee3fa0861e504ee1d9a271f211602cd5..74f71142d17c9e21d7dd784c239a39a72f2a671e 100644
--- a/grub.macros
+++ b/grub.macros
@@ -19,12 +19,13 @@ -e 's/-O. //g' \\\ -e 's/-g /-g3 /g' \\\ -e 's/-fplugin=annobin //g' \\\ - -e 's,-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 ,,g' \\\ + -e 's,-specs=[[:alnum:]/_-]*annobin[[:alnum:]_-]* ,,g' \\\ -e 's/-fstack-protector[[:alpha:]-]\\+//g' \\\ -e 's/-Wp,-D_FORTIFY_SOURCE=[[:digit:]]\\+//g' \\\ -e 's/--param=ssp-buffer-size=4//g' \\\ -e 's/-mregparm=3/-mregparm=4/g' \\\ -e 's/-fexceptions//g' \\\ + -e 's/-fcf-protection//g' \\\ -e 's/-fasynchronous-unwind-tables//g' \\\ -e 's/^/ -fno-strict-aliasing /' \\\ %{nil} @@ -49,6 +50,7 @@ %global ldflags_sed \\\ sed \\\ + -e 's,-specs=[[:alnum:]/_-]*annobin[[:alnum:]_-]* ,,g' \\\ -e 's/^$//' \\\ %{nil} @@ -116,7 +118,7 @@ %ifarch aarch64 %{arm} %global efi_modules " " %else -%global efi_modules " backtrace chain usb usbserial_common usbserial_pl2303 usbserial_ftdi usbserial_usbdebug " +%global efi_modules " backtrace chain tpm usb usbserial_common usbserial_pl2303 usbserial_ftdi usbserial_usbdebug keylayouts at_keyboard " %endif %ifarch aarch64 %{arm} @@ -353,6 +355,7 @@ sh bootstrap \ %{cc_equals} \\\ HOST_CFLAGS="%{3} -I$(pwd)" \\\ HOST_CPPFLAGS="${CPPFLAGS} -I$(pwd)" \\\ + HOST_LDFLAGS="%{efi_host_ldflags}" \\\ TARGET_CFLAGS="%{2} -I$(pwd)" \\\ TARGET_CPPFLAGS="${CPPFLAGS} -I$(pwd)" \\\ TARGET_LDFLAGS="%{efi_target_ldflags}" \\\ 
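Review bot: In the `@@ -116,7 +118,7 @@` hunk `tpm` is added to `efi_modules` only in the `%else` branch, so the aarch64/arm EFI images keep `%global efi_modules " "` and ship no TPM module at all, while the arm64 loader patch backported in this same commit justifies itself by PCR measurement behaviour that only exists where measurement is built in. If leaving aarch64 unmeasured is intentional, a comment on the `%ifarch aarch64 %{arm}` branch saying so would stop the next reader from taking it for an oversight; if not, `tpm` belongs in both branches. The remaining hunks on this line only rewrite compiler-flag filters and add `HOST_LDFLAGS`, inside macro definitions that start outside their hunks.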
@@ -381,12 +384,22 @@ for x in grub-mkimage ; do \\\ done \ %{nil} +%define do_install_protected_file() \ +touch %{1}.conf \ +echo %{1} > %{1}.conf \ +install -d -m 755 ${RPM_BUILD_ROOT}/etc/dnf/protected.d/ \ +install -m 644 %{1}.conf ${RPM_BUILD_ROOT}/etc/dnf/protected.d/ \ +rm -f %{1}.conf \ +%{nil} + %ifarch x86_64 aarch64 %{arm} %define mkimage() \ %{4}./grub-mkimage -O %{1} -o %{2}.orig \\\ - -p /EFI/%{efi_vendor} -d grub-core ${GRUB_MODULES} \ + -p /EFI/%{efi_vendor} -d grub-core ${GRUB_MODULES} \\\ + --sbat %{4}./sbat.csv \ %{4}./grub-mkimage -O %{1} -o %{3}.orig \\\ - -p /EFI/BOOT -d grub-core ${GRUB_MODULES} \ + -p /EFI/BOOT -d grub-core ${GRUB_MODULES} \\\ + --sbat %{4}./sbat.csv \ install -m 700 %{2}.orig %{2} \ install -m 700 %{3}.orig %{3} \ %{nil} @@ -402,18 +415,18 @@ install -m 700 %{3}.orig %{3} \ %define do_efi_build_images() \ GRUB_MODULES=" all_video boot blscfg btrfs \\\ cat configfile cryptodisk \\\ - echo efi_netfs efifwsetup efinet ext2 \\\ + echo efi_netfs efifwsetup efinet ext2 f2fs \\\ fat font gcry_rijndael gcry_rsa gcry_serpent \\\ gcry_sha256 gcry_twofish gcry_whirlpool \\\ gfxmenu gfxterm gzio \\\ halt hfsplus http increment iso9660 jpeg \\\ loadenv loopback linux lvm lsefi lsefimmap luks \\\ - mdraid09 mdraid1x minicmd net \\\ + luks2 mdraid09 mdraid1x minicmd net \\\ normal part_apple part_msdos part_gpt \\\ password_pbkdf2 pgp png reboot \\\ regexp search search_fs_uuid search_fs_file \\\ search_label serial sleep syslinuxcfg test tftp \\\ - version video xfs" \ + version video xfs zstd " \ GRUB_MODULES+=%{efi_modules} \ %{expand:%%{mkimage %{1} %{2} %{3} %{4}}} \ %{nil} @@ -441,6 +454,7 @@ cd grub-%{1}-%{tarversion} \ %{cc_equals} \\\ HOST_CFLAGS="%{legacy_host_cflags} -I$(pwd) " \\\ HOST_CPPFLAGS="-I$(pwd)" \\\ + HOST_LDFLAGS="%{legacy_host_ldflags}" \\\ TARGET_CFLAGS="%{legacy_target_cflags} -I$(pwd) " \\\ TARGET_CPPFLAGS="-I$(pwd)" \\\ TARGET_LDFLAGS="%{legacy_target_ldflags}" \\\ 
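Review bot: In `%define do_install_protected_file()` the `touch %{1}.conf \` line is dead weight, because the next line `echo %{1} > %{1}.conf \` creates the file anyway; drop the `touch`. The two `--sbat %{4}./sbat.csv \` additions in `%define mkimage()` make every image built through this macro depend on a generated sbat.csv under the `%{4}` tree prefix, so each source tree that reaches this macro must produce one, which is worth a comment on the macro (`# requires %{4}./sbat.csv, generated in %prep from sbat.csv.in`). The enclosing macro definitions in the other two hunks of this line start outside their hunks.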
@@ -460,6 +474,9 @@ cd .. \ cd grub-emu-%{tarversion} \ %configure \\\ %{cc_equals} \\\ + HOST_CFLAGS="%{legacy_host_cflags}" \\\ + HOST_CPPFLAGS="-I$(pwd)" \\\ + HOST_LDFLAGS="%{legacy_host_ldflags}" \\\ --with-platform=emu \\\ --with-grubdir=%{name} \\\ --program-transform-name=s,grub,%{name}, \\\ @@ -488,6 +505,7 @@ find . '(' -iname gdb_grub \\\ find $RPM_BUILD_ROOT -type f -iname "*.mod*" -exec chmod a-x {} '\;' \ install -m 700 %{2} $RPM_BUILD_ROOT%{efi_esp_dir}/%{2} \ install -m 700 %{3} $RPM_BUILD_ROOT%{efi_esp_dir}/%{3} \ +%{expand:%%do_install_protected_file %{name}-%{alt_package_arch}} \ cd .. \ %{nil} @@ -510,6 +528,7 @@ install -D -m 700 unicode.pf2 \\\ $RPM_BUILD_ROOT%{efi_esp_dir}/fonts/unicode.pf2 \ ${RPM_BUILD_ROOT}/%{_bindir}/%{name}-editenv \\\ ${RPM_BUILD_ROOT}%{efi_esp_dir}/grubenv create \ +%{expand:%%do_install_protected_file %{name}-%{package_arch}} \ cd .. \ %{nil} @@ -532,6 +551,7 @@ if [ %{3} -eq 0 ]; then \ ${RPM_BUILD_ROOT}/%{_bindir}/%{name}-editenv \\\ ${RPM_BUILD_ROOT}/boot/%{name}/grubenv create \ fi \ +%{expand:%%do_install_protected_file %{name}-%{legacy_package_arch}} \ cd .. \ %{nil} @@ -579,6 +599,7 @@ touch ${RPM_BUILD_ROOT}/boot/%{name}/grub.cfg \ %config(noreplace) %{_sysconfdir}/%{name}.cfg \ %ghost %config(noreplace) /boot/%{name}/grub.cfg \ %dir %attr(0700,root,root)/boot/loader/entries \ +%attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/%{name}-%{1}.conf \ \ %{expand:%if 0%{?with_legacy_modules} \ %{expand:%%files %{1}-modules} \ @@ -602,6 +623,7 @@ touch ${RPM_BUILD_ROOT}/boot/%{name}/grub.cfg \ %dir %attr(0700,root,root)/boot/loader/entries \ %ghost %config(noreplace) %attr(0700,root,root)%{efi_esp_dir}/grub.cfg \ %ghost %config(noreplace) %attr(0700,root,root)%{efi_esp_dir}/grubenv \ +%attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/%{name}-%{1}.conf \ %{expand:%if 0%{?without_efi_modules} \ %exclude %{_libdir}/grub/%{6} \ %exclude %{_libdir}/grub/%{6}/* \ 
diff --git a/grub.patches b/grub.patches index d6d06f9ff0bc5fff4be6f12d6e35d7c5fe098cc6..48c28a018fe6c4dfd8efe422ca3a7e952697000c 100644 --- a/grub.patches +++ b/grub.patches @@ -202,5 +202,9 @@ Patch0201: 0201-fs-btrfs-Use-full-btrfs-bootloader-area.patch Patch0202: grub2-set-password-prompts-to-enter-the-current-pass.patch Patch0203: support-TPM2.0.patch Patch0204: use-default-timestamp.patch -Patch0205: 0205-fix-setupmode-not-available-in-some-machine.patch -Patch0206: 0206-remove-08_fallback_counting.in-apply-grubby.patch +Patch0205: fix-setupmode-not-available-in-some-machine.patch +Patch0206: remove-08_fallback_counting.in-apply-grubby.patch +Patch0207: backport-grub-core-loader-i386-efi-linux.c-do-not-validate-ke.patch +Patch0208: backport-grub-core-loader-arm64-linux.c-do-not-validate-kerne.patch +Patch0209: backport-grub-core-loader-efi-chainloader.c-do-not-validate-c.patch +Patch0210: backport-grub-core-loader-efi-linux.c-drop-now-unused-grub_li.patch diff --git a/grub2.spec b/grub2.spec index e61e07bfffa8ed2a01e77543d8b9eb497c7b8475..7b1a4ed2f280b25535631b8f7f0227d1a5dc9c6b 100644 --- a/grub2.spec +++ b/grub2.spec @@ -14,7 +14,7 @@ Name: grub2 Epoch: 1 Version: 2.06 -Release: 3 +Release: 4 Summary: Bootloader with support for Linux, Multiboot and more License: GPLv3+ URL: http://www.gnu.org/software/grub/ @@ -30,6 +30,7 @@ Source9: strtoull_test.c Source10: 20-grub.install Source11: bootstrap Source12: bootstrap.conf +Source13: sbat.csv.in %include %{SOURCE1} %include %{SOURCE2} @@ -46,7 +47,7 @@ BuildRequires: pesign >= 0.99-8 BuildRequires: ccache %endif -Obsoletes: grub2 <= %{evr} grub < 1:0.98 +Obsoletes: %{name} <= %{evr} %if 0%{with_legacy_arch} Requires: %{name}-%{legacy_package_arch} = %{evr} 
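Review bot: The `@@ -46,7 +47,7 @@` hunk turns `Obsoletes: grub2 <= %{evr} grub < 1:0.98` into `Obsoletes: %{name} <= %{evr}`, which silently drops the obsoletion of legacy `grub < 1:0.98`; the `%{name}` substitution in the neighbouring `Obsoletes`/`Requires` lines does not require that drop, and the changelog entry added further down lists only SBAT and the double-verification fix. If the drop is intended, say so in the changelog; otherwise keep `Obsoletes: %{name} <= %{evr} grub < 1:0.98`. The grub.patches hunk is consistent with the backports: the callers are patched by Patch0207–Patch0209 before Patch0210 removes the function they called.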
@@ -76,7 +77,8 @@ Common package for grub2. %package tools Summary: tools package for grub2 -Requires: grub2-common = %{epoch}:%{version}-%{release} +Obsoletes: %{name}-tools < %{evr} +Requires: %{name}-common = %{epoch}:%{version}-%{release} Requires: gettext os-prober which file Requires(pre): dracut Requires(post): dracut @@ -87,7 +89,7 @@ tools package for grub2. %package tools-minimal Summary: Support tools for GRUB. Requires: gettext %{name}-common = %{epoch}:%{version}-%{release} -Obsoletes: grub2-tools < %{evr} +Obsoletes: %{name}-tools < %{evr} %description tools-minimal Support tools for GRUB. @@ -97,7 +99,7 @@ Summary: Support tools for GRUB. Requires: gettext os-prober which file Requires: %{name}-tools-minimal = %{epoch}:%{version}-%{release} Requires: %{name}-common = %{epoch}:%{version}-%{release} -Obsoletes: grub2-tools < %{evr} +Obsoletes: %{name}-tools < %{evr} %description tools-extra Support tools for GRUB. @@ -148,6 +150,8 @@ This subpackage provides the GRUB user-space emulation modules. mkdir grub-%{grubefiarch}-%{tarversion} grep -A100000 '# stuff "make" creates' .gitignore > grub-%{grubefiarch}-%{tarversion}/.gitignore cp %{SOURCE4} grub-%{grubefiarch}-%{tarversion}/unifont.pcf.gz +sed -e "s,@@VERSION@@,%{version},g" -e "s,@@VERSION_RELEASE@@,%{version}-%{release},g" \ + %{SOURCE13} > grub-%{grubefiarch}-%{tarversion}/sbat.csv git add grub-%{grubefiarch}-%{tarversion} %endif %if 0%{with_alt_efi_arch} @@ -228,6 +232,7 @@ strip kernel.exec strip lnxboot.image popd %endif +%{expand:%%do_install_protected_file %{name}-tools-minimal} %find_lang grub @@ -378,6 +383,7 @@ fi %{_bindir}/%{name}-editenv %{_bindir}/%{name}-mkpasswd-pbkdf2 %{_bindir}/%{name}-mount +%attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/%{name}-tools-minimal.conf %files tools-extra %defattr(-,root,root) 
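Review bot: The `@@ -148,6 +150,8 @@` hunk generates `sbat.csv` only into `grub-%{grubefiarch}-%{tarversion}/`, and the hunk ends right at `%if 0%{with_alt_efi_arch}`, so the alternate EFI tree prepared in the block that follows (outside the hunk) appears to get none; since `mkimage` in grub.macros now passes `--sbat %{4}./sbat.csv` for every image it builds, grub-mkimage would fail for that tree if `with_alt_efi_arch` is enabled in this build. Either add the same `sed -e "s,@@VERSION@@,%{version},g" -e "s,@@VERSION_RELEASE@@,%{version}-%{release},g" %{SOURCE13} > grub-%{grubaltefiarch}-%{tarversion}/sbat.csv` there, or confirm the alternate arch is never built. The `%prep` section containing this hunk starts outside it.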
@@ -426,6 +432,12 @@ fi %{_datadir}/man/man* %changelog +* Fri Mar 25 2022 zhangqiumiao - 2.06-4 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:enable sbat and don't verify kernels twice + * Thu Mar 24 2022 zhangqiumiao - 2.06-3 - Type:bugfix - CVE:NA diff --git a/0206-remove-08_fallback_counting.in-apply-grubby.patch b/remove-08_fallback_counting.in-apply-grubby.patch similarity index 100% rename from 0206-remove-08_fallback_counting.in-apply-grubby.patch rename to remove-08_fallback_counting.in-apply-grubby.patch diff --git a/sbat.csv.in b/sbat.csv.in new file mode 100644 index 0000000000000000000000000000000000000000..460c6908038c6e8314ad98f31c7149db07b5cf75 --- /dev/null +++ b/sbat.csv.in @@ -0,0 +1,3 @@ +sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md +grub,1,Free Software Foundation,grub,@@VERSION@@,https//www.gnu.org/software/grub/ +grub.openeuler,1,The openEuler Project,grub2,@@VERSION_RELEASE@@,https://gitee.com/src-openeuler/grub2
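Review bot: The second row of the new `sbat.csv.in` has `https//www.gnu.org/software/grub/` with the colon missing from the URL scheme; the vendor-URL field is informational as far as the SBAT document linked in row one describes it, so shim's revocation check is unaffected, but the shipped metadata is still wrong: `grub,1,Free Software Foundation,grub,@@VERSION@@,https://www.gnu.org/software/grub/`. The `grub,1` and `grub.openeuler,1` generation numbers are what shim revokes against, so they need to be raised in step with upstream whenever a security fix bumps grub's SBAT generation; a short comment in the spec next to `Source13: sbat.csv.in` pointing that out would help future maintainers. The other hunks on this line are a changelog entry and a rename.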