From 1f9e8074aef0db4f291963776db4f31750dfd7b2 Mon Sep 17 00:00:00 2001 From: Javier Martinez Canillas Date: Mon, 30 Aug 2021 16:50:42 +0200 Subject: [PATCH] A few fixes for ppc64le LPAR Secure Boot support Signed-off-by: Javier Martinez Canillas --- ...over-the-device-to-read-the-config-f.patch | 123 ++++++++++++++++++ ...etting-of-prefix-for-signed-binary-c.patch | 75 +++++++++++ ...ix-signed-grub-special-case-for-Powe.patch | 43 ++++++ grub.patches | 3 + grub2.spec | 5 +- 5 files changed, 248 insertions(+), 1 deletion(-) create mode 100644 0217-normal-main-Discover-the-device-to-read-the-config-f.patch create mode 100644 0218-powerpc-adjust-setting-of-prefix-for-signed-binary-c.patch create mode 100644 0219-powerpc-fix-prefix-signed-grub-special-case-for-Powe.patch diff --git a/0217-normal-main-Discover-the-device-to-read-the-config-f.patch b/0217-normal-main-Discover-the-device-to-read-the-config-f.patch new file mode 100644 index 0000000..cf12fd6 --- /dev/null +++ b/0217-normal-main-Discover-the-device-to-read-the-config-f.patch @@ -0,0 +1,123 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Javier Martinez Canillas +Date: Mon, 30 Aug 2021 12:31:18 +0200 +Subject: [PATCH] normal/main: Discover the device to read the config from as a + fallback + +The GRUB core.img is generated locally, when this is done the grub2-probe +tool figures out the device and partition that needs to be read to parse +the GRUB configuration file. + +But in some cases the core.img can't be generated on the host and instead +has to be done at package build time. For example, if needs to get signed +with a key that's only available on the package building infrastructure. + +If that's the case, the prefix variable won't have a device and partition +but only a directory path. So there's no way for GRUB to know from which +device has to read the configuration file. + +To allow GRUB to continue working on that scenario, fallback to iterating +over all the available devices, if reading the config failed when using +the prefix and fw_path variables. + +Signed-off-by: Javier Martinez Canillas +--- + grub-core/normal/main.c | 58 +++++++++++++++++++++++++++++++++++++++++++------ + 1 file changed, 51 insertions(+), 7 deletions(-) + +diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c +index 155bf366da2..f9ccca502ee 100644 +--- a/grub-core/normal/main.c ++++ b/grub-core/normal/main.c +@@ -339,18 +339,13 @@ grub_enter_normal_mode (const char *config) + } + + static grub_err_t +-grub_try_normal (const char *variable) ++grub_try_normal_prefix (const char *prefix) + { + char *config; +- const char *prefix; + grub_err_t err = GRUB_ERR_FILE_NOT_FOUND; + const char *net_search_cfg; + int disable_net_search = 0; + +- prefix = grub_env_get (variable); +- if (!prefix) +- return GRUB_ERR_FILE_NOT_FOUND; +- + net_search_cfg = grub_env_get ("feature_net_search_cfg"); + if (net_search_cfg && net_search_cfg[0] == 'n') + disable_net_search = 1; +@@ -364,7 +359,7 @@ grub_try_normal (const char *variable) + config = grub_malloc (config_len); + + if (! config) +- return GRUB_ERR_FILE_NOT_FOUND; ++ return err; + + grub_snprintf (config, config_len, "%s/grub.cfg", prefix); + err = grub_net_search_config_file (config); +@@ -393,6 +388,53 @@ grub_try_normal (const char *variable) + return err; + } + ++static int ++grub_try_normal_dev (const char *name, void *data) ++{ ++ grub_err_t err; ++ const char *prefix = grub_xasprintf ("(%s)%s", name, (char *)data); ++ ++ if (!prefix) ++ return 0; ++ ++ err = grub_try_normal_prefix (prefix); ++ if (err == GRUB_ERR_NONE) ++ return 1; ++ ++ return 0; ++} ++ ++static grub_err_t ++grub_try_normal_discover (void) ++{ ++ char *prefix = grub_env_get ("prefix"); ++ grub_err_t err = GRUB_ERR_FILE_NOT_FOUND; ++ ++ if (!prefix) ++ return err; ++ ++ if (grub_device_iterate (grub_try_normal_dev, (void *)prefix)) ++ return GRUB_ERR_NONE; ++ ++ return err; ++} ++ ++static grub_err_t ++grub_try_normal (const char *variable) ++{ ++ grub_err_t err = GRUB_ERR_FILE_NOT_FOUND; ++ const char *prefix; ++ ++ if (!variable) ++ return err; ++ ++ prefix = grub_env_get (variable); ++ if (!prefix) ++ return err; ++ ++ return grub_try_normal_prefix (prefix); ++} ++ + /* Enter normal mode from rescue mode. */ + static grub_err_t + grub_cmd_normal (struct grub_command *cmd __attribute__ ((unused)), +@@ -407,6 +449,8 @@ grub_cmd_normal (struct grub_command *cmd __attribute__ ((unused)), + err = grub_try_normal ("fw_path"); + if (err == GRUB_ERR_FILE_NOT_FOUND) + err = grub_try_normal ("prefix"); ++ if (err == GRUB_ERR_FILE_NOT_FOUND) ++ err = grub_try_normal_discover (); + if (err == GRUB_ERR_FILE_NOT_FOUND) + grub_enter_normal_mode (0); + } diff --git a/0218-powerpc-adjust-setting-of-prefix-for-signed-binary-c.patch b/0218-powerpc-adjust-setting-of-prefix-for-signed-binary-c.patch new file mode 100644 index 0000000..70b021d --- /dev/null +++ b/0218-powerpc-adjust-setting-of-prefix-for-signed-binary-c.patch @@ -0,0 +1,75 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Mon, 19 Jul 2021 14:35:55 +1000 +Subject: [PATCH] powerpc: adjust setting of prefix for signed binary case + +On RHEL-signed powerpc grub, we sign a grub with -p /grub2 and expect +that there's a boot partition. + +Unfortunately grub_set_prefix_and_root tries to convert this to +($fwdevice)/grub2. This ends up being (ieee1275/disk)/grub2 and that +falls apart pretty quickly - there's no file-system on ieee1275/disk, +and it makes the search routine try things like +(ieee1275/disk,msdos2)(ieee1275/disk)/grub2 which also doesn't work. + +Detect if we would be about to create (ieee1275/disk)/path and don't: +preserve a prefix of /path instead and hope the search later finds us. + +Related: rhbz#1899864 + +Signed-off-by: Daniel Axtens +--- + grub-core/kern/main.c | 38 +++++++++++++++++++++++++++++++++----- + 1 file changed, 33 insertions(+), 5 deletions(-) + +diff --git a/grub-core/kern/main.c b/grub-core/kern/main.c +index 0285e95a2bb..e809a5edec1 100644 +--- a/grub-core/kern/main.c ++++ b/grub-core/kern/main.c +@@ -216,13 +216,41 @@ grub_set_prefix_and_root (void) + if (device) + { + char *prefix_set; +- +- prefix_set = grub_xasprintf ("(%s)%s", device, path ? : ""); +- if (prefix_set) ++ ++#ifdef __powerpc__ ++ /* We have to be careful here on powerpc-ieee1275 + signed grub. We ++ will have signed something with a prefix that doesn't have a device ++ because we cannot know in advance what partition we're on. ++ ++ We will have had !device earlier, so we will have set device=fwdevice ++ However, we want to make sure we do not end up setting prefix to be ++ ($fwdevice)/path, because we will then end up trying to boot or search ++ based on a prefix of (ieee1275/disk)/path, which will not work because ++ it's missing a partition. ++ ++ Also: ++ - You can end up with a device with an FS directly on it, without ++ a partition, e.g. ieee1275/cdrom. ++ ++ - powerpc-ieee1275 + grub-install sets e.g. prefix=(,gpt2)/path, ++ which will have now been extended to device=$fwdisk,partition ++ and path=/path ++ ++ So we only need to act if device = ieee1275/disk exactly. ++ */ ++ if (grub_strncmp (device, "ieee1275/disk", 14) == 0) ++ grub_env_set ("prefix", path); ++ else ++#endif + { +- grub_env_set ("prefix", prefix_set); +- grub_free (prefix_set); ++ prefix_set = grub_xasprintf ("(%s)%s", device, path ? : ""); ++ if (prefix_set) ++ { ++ grub_env_set ("prefix", prefix_set); ++ grub_free (prefix_set); ++ } + } ++ + grub_env_set ("root", device); + } + diff --git a/0219-powerpc-fix-prefix-signed-grub-special-case-for-Powe.patch b/0219-powerpc-fix-prefix-signed-grub-special-case-for-Powe.patch new file mode 100644 index 0000000..1cb21ef --- /dev/null +++ b/0219-powerpc-fix-prefix-signed-grub-special-case-for-Powe.patch @@ -0,0 +1,43 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Mon, 16 Aug 2021 16:01:47 +1000 +Subject: [PATCH] powerpc: fix prefix + signed grub special case for PowerVM + +Mea culpa: when testing the PowerPC special case for signed grub, I +assumed qemu and PowerVM would behave identically. This was wrong, and +with hindsight a pretty dumb error. + +This fixes it. This time, I am actually testing on PowerVM. + +Signed-off-by: Daniel Axtens +--- + grub-core/kern/main.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +diff --git a/grub-core/kern/main.c b/grub-core/kern/main.c +index e809a5edec1..2d0d2bbd4cf 100644 +--- a/grub-core/kern/main.c ++++ b/grub-core/kern/main.c +@@ -236,9 +236,20 @@ grub_set_prefix_and_root (void) + which will have now been extended to device=$fwdisk,partition + and path=/path + +- So we only need to act if device = ieee1275/disk exactly. ++ - PowerVM will give us device names like ++ ieee1275//vdevice/v-scsi@3000006c/disk@8100000000000000 ++ and we don't want to try to encode some sort of truth table about ++ what sorts of paths represent disks with partition tables and those ++ without partition tables. ++ ++ So we act unless there is a comma in the device, which would indicate ++ a partition has already been specified. ++ ++ (If we only have a path, the code in normal to discover config files ++ will try both without partitions and then with any partitions so we ++ will cover both CDs and HDs.) + */ +- if (grub_strncmp (device, "ieee1275/disk", 14) == 0) ++ if (grub_strchr (device, ',') == NULL) + grub_env_set ("prefix", path); + else + #endif diff --git a/grub.patches b/grub.patches index 4940f65..5365f4a 100644 --- a/grub.patches +++ b/grub.patches @@ -214,3 +214,6 @@ Patch0213: 0213-Remove-outdated-URL-for-BLS-document.patch Patch0214: 0214-templates-Check-for-EFI-at-runtime-instead-of-config.patch Patch0215: 0215-efi-Print-an-error-if-boot-to-firmware-setup-is-not-.patch Patch0216: 0216-arm64-Fix-EFI-loader-kernel-image-allocation.patch +Patch0217: 0217-normal-main-Discover-the-device-to-read-the-config-f.patch +Patch0218: 0218-powerpc-adjust-setting-of-prefix-for-signed-binary-c.patch +Patch0219: 0219-powerpc-fix-prefix-signed-grub-special-case-for-Powe.patch diff --git a/grub2.spec b/grub2.spec index 6c82b03..d9838d3 100644 --- a/grub2.spec +++ b/grub2.spec @@ -14,7 +14,7 @@ Name: grub2 Epoch: 1 Version: 2.06 -Release: 4%{?dist} +Release: 5%{?dist} Summary: Bootloader with support for Linux, Multiboot and more License: GPLv3+ URL: http://www.gnu.org/software/grub/ @@ -523,6 +523,9 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg %endif %changelog +* Mon Aug 30 2021 Javier Martinez Canillas - 2.06-5 +- A few fixes for ppc64le LPAR Secure Boot support + * Tue Aug 24 2021 Peter Jones - 2.06-4 - Fix aarch64 kernel alignment. - Fix annobin regexp on ppc64le