A few fixes for ppc64le LPAR Secure Boot support

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Javier Martinez Canillas 2021-08-30 16:50:42 +02:00
parent db96a0c4de
commit 1f9e8074ae
No known key found for this signature in database
GPG key ID: C751E590D63F3D69
5 changed files with 248 additions and 1 deletions


@ -0,0 +1,123 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Mon, 30 Aug 2021 12:31:18 +0200
Subject: [PATCH] normal/main: Discover the device to read the config from as a
fallback
The GRUB core.img is generated locally, when this is done the grub2-probe
tool figures out the device and partition that needs to be read to parse
the GRUB configuration file.
But in some cases the core.img can't be generated on the host and instead
has to be done at package build time. For example, if needs to get signed
with a key that's only available on the package building infrastructure.
If that's the case, the prefix variable won't have a device and partition
but only a directory path. So there's no way for GRUB to know from which
device has to read the configuration file.
To allow GRUB to continue working on that scenario, fallback to iterating
over all the available devices, if reading the config failed when using
the prefix and fw_path variables.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
---
grub-core/normal/main.c | 58 +++++++++++++++++++++++++++++++++++++++++++------
1 file changed, 51 insertions(+), 7 deletions(-)
diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
index 155bf366da2..f9ccca502ee 100644
--- a/grub-core/normal/main.c
+++ b/grub-core/normal/main.c
@@ -339,18 +339,13 @@ grub_enter_normal_mode (const char *config)
}
static grub_err_t
-grub_try_normal (const char *variable)
+grub_try_normal_prefix (const char *prefix)
{
char *config;
- const char *prefix;
grub_err_t err = GRUB_ERR_FILE_NOT_FOUND;
const char *net_search_cfg;
int disable_net_search = 0;
- prefix = grub_env_get (variable);
- if (!prefix)
- return GRUB_ERR_FILE_NOT_FOUND;
-
net_search_cfg = grub_env_get ("feature_net_search_cfg");
if (net_search_cfg && net_search_cfg[0] == 'n')
disable_net_search = 1;
@@ -364,7 +359,7 @@ grub_try_normal (const char *variable)
config = grub_malloc (config_len);
if (! config)
- return GRUB_ERR_FILE_NOT_FOUND;
+ return err;
grub_snprintf (config, config_len, "%s/grub.cfg", prefix);
err = grub_net_search_config_file (config);
@@ -393,6 +388,53 @@ grub_try_normal (const char *variable)
return err;
}
+static int
+grub_try_normal_dev (const char *name, void *data)
+{
+ grub_err_t err;
+ const char *prefix = grub_xasprintf ("(%s)%s", name, (char *)data);
+
+ if (!prefix)
+ return 0;
+
+ err = grub_try_normal_prefix (prefix);
+ if (err == GRUB_ERR_NONE)
+ return 1;
+
+ return 0;
+}
+
+static grub_err_t
+grub_try_normal_discover (void)
+{
+ char *prefix = grub_env_get ("prefix");
+ grub_err_t err = GRUB_ERR_FILE_NOT_FOUND;
+
+ if (!prefix)
+ return err;
+
+ if (grub_device_iterate (grub_try_normal_dev, (void *)prefix))
+ return GRUB_ERR_NONE;
+
+ return err;
+}
+
+static grub_err_t
+grub_try_normal (const char *variable)
+{
+ grub_err_t err = GRUB_ERR_FILE_NOT_FOUND;
+ const char *prefix;
+
+ if (!variable)
+ return err;
+
+ prefix = grub_env_get (variable);
+ if (!prefix)
+ return err;
+
+ return grub_try_normal_prefix (prefix);
+}
+
/* Enter normal mode from rescue mode. */
static grub_err_t
grub_cmd_normal (struct grub_command *cmd __attribute__ ((unused)),
@@ -407,6 +449,8 @@ grub_cmd_normal (struct grub_command *cmd __attribute__ ((unused)),
err = grub_try_normal ("fw_path");
if (err == GRUB_ERR_FILE_NOT_FOUND)
err = grub_try_normal ("prefix");
+ if (err == GRUB_ERR_FILE_NOT_FOUND)
+ err = grub_try_normal_discover ();
if (err == GRUB_ERR_FILE_NOT_FOUND)
grub_enter_normal_mode (0);
}
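Review bot: In grub_try_normal_dev the string returned by grub_xasprintf is never released, so every device visited by grub_device_iterate leaks one allocation; declare it as `char *prefix` and call `grub_free (prefix);` once `grub_try_normal_prefix (prefix)` has returned (the visible lines of that function only copy the prefix into `config`, but part of its body is outside the hunks, so confirm nothing keeps the pointer). Separately, grub_try_normal_discover accepts the first device on which a grub.cfg is found under the bare path, so on a Secure Boot LPAR the configuration source appears to depend on device enumeration order. Unless the configuration is verified elsewhere, that deserves a comment above the function, and it may be worth restricting the fallback to partitions of the boot device. The fallback should probably also be skipped when prefix already starts with `(`, since it would otherwise build names of the form `(dev)(other)/path`.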


@ -0,0 +1,75 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Mon, 19 Jul 2021 14:35:55 +1000
Subject: [PATCH] powerpc: adjust setting of prefix for signed binary case
On RHEL-signed powerpc grub, we sign a grub with -p /grub2 and expect
that there's a boot partition.
Unfortunately grub_set_prefix_and_root tries to convert this to
($fwdevice)/grub2. This ends up being (ieee1275/disk)/grub2 and that
falls apart pretty quickly - there's no file-system on ieee1275/disk,
and it makes the search routine try things like
(ieee1275/disk,msdos2)(ieee1275/disk)/grub2 which also doesn't work.
Detect if we would be about to create (ieee1275/disk)/path and don't:
preserve a prefix of /path instead and hope the search later finds us.
Related: rhbz#1899864
Signed-off-by: Daniel Axtens <dja@axtens.net>
---
grub-core/kern/main.c | 38 +++++++++++++++++++++++++++++++++-----
1 file changed, 33 insertions(+), 5 deletions(-)
diff --git a/grub-core/kern/main.c b/grub-core/kern/main.c
index 0285e95a2bb..e809a5edec1 100644
--- a/grub-core/kern/main.c
+++ b/grub-core/kern/main.c
@@ -216,13 +216,41 @@ grub_set_prefix_and_root (void)
if (device)
{
char *prefix_set;
-
- prefix_set = grub_xasprintf ("(%s)%s", device, path ? : "");
- if (prefix_set)
+
+#ifdef __powerpc__
+ /* We have to be careful here on powerpc-ieee1275 + signed grub. We
+ will have signed something with a prefix that doesn't have a device
+ because we cannot know in advance what partition we're on.
+
+ We will have had !device earlier, so we will have set device=fwdevice
+ However, we want to make sure we do not end up setting prefix to be
+ ($fwdevice)/path, because we will then end up trying to boot or search
+ based on a prefix of (ieee1275/disk)/path, which will not work because
+ it's missing a partition.
+
+ Also:
+ - You can end up with a device with an FS directly on it, without
+ a partition, e.g. ieee1275/cdrom.
+
+ - powerpc-ieee1275 + grub-install sets e.g. prefix=(,gpt2)/path,
+ which will have now been extended to device=$fwdisk,partition
+ and path=/path
+
+ So we only need to act if device = ieee1275/disk exactly.
+ */
+ if (grub_strncmp (device, "ieee1275/disk", 14) == 0)
+ grub_env_set ("prefix", path);
+ else
+#endif
{
- grub_env_set ("prefix", prefix_set);
- grub_free (prefix_set);
+ prefix_set = grub_xasprintf ("(%s)%s", device, path ? : "");
+ if (prefix_set)
+ {
+ grub_env_set ("prefix", prefix_set);
+ grub_free (prefix_set);
+ }
}
+
grub_env_set ("root", device);
}
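Review bot: The new powerpc branch passes `path` to grub_env_set unguarded, while the else branch still writes `path ? : ""`, which suggests path can be NULL at this point; `grub_env_set ("prefix", path ? : "");` would keep the two branches consistent. The same call survives unchanged in the follow-up PowerVM patch in this commit. The length 14 in `grub_strncmp (device, "ieee1275/disk", 14)` also covers the terminating NUL of a 13-character literal, so it is an exact match and `grub_strcmp` would say that directly. grub_set_prefix_and_root begins and ends outside the hunk, so whether path is checked earlier is not visible here.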


@ -0,0 +1,43 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Mon, 16 Aug 2021 16:01:47 +1000
Subject: [PATCH] powerpc: fix prefix + signed grub special case for PowerVM
Mea culpa: when testing the PowerPC special case for signed grub, I
assumed qemu and PowerVM would behave identically. This was wrong, and
with hindsight a pretty dumb error.
This fixes it. This time, I am actually testing on PowerVM.
Signed-off-by: Daniel Axtens <dja@axtens.net>
---
grub-core/kern/main.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/grub-core/kern/main.c b/grub-core/kern/main.c
index e809a5edec1..2d0d2bbd4cf 100644
--- a/grub-core/kern/main.c
+++ b/grub-core/kern/main.c
@@ -236,9 +236,20 @@ grub_set_prefix_and_root (void)
which will have now been extended to device=$fwdisk,partition
and path=/path
- So we only need to act if device = ieee1275/disk exactly.
+ - PowerVM will give us device names like
+ ieee1275//vdevice/v-scsi@3000006c/disk@8100000000000000
+ and we don't want to try to encode some sort of truth table about
+ what sorts of paths represent disks with partition tables and those
+ without partition tables.
+
+ So we act unless there is a comma in the device, which would indicate
+ a partition has already been specified.
+
+ (If we only have a path, the code in normal to discover config files
+ will try both without partitions and then with any partitions so we
+ will cover both CDs and HDs.)
*/
- if (grub_strncmp (device, "ieee1275/disk", 14) == 0)
+ if (grub_strchr (device, ',') == NULL)
grub_env_set ("prefix", path);
else
#endif
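Review bot: `grub_strchr (device, ',') == NULL` treats any comma in the device name as a partition separator, but Open Firmware device paths can themselves contain commas, which GRUB's ieee1275 code normally keeps backslash-escaped. Such a device without a partition would take the else branch and get a `(device)/path` prefix again, the case this patch set is trying to avoid. I would test for an unescaped comma only, or at least record the assumption with a comment such as `/* assumes every ',' in device is a partition separator */`. Whether escaped commas can reach this point cannot be told from the hunk, since device is assigned outside it.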


@ -214,3 +214,6 @@ Patch0213: 0213-Remove-outdated-URL-for-BLS-document.patch
Patch0214: 0214-templates-Check-for-EFI-at-runtime-instead-of-config.patch Patch0214: 0214-templates-Check-for-EFI-at-runtime-instead-of-config.patch
Patch0215: 0215-efi-Print-an-error-if-boot-to-firmware-setup-is-not-.patch Patch0215: 0215-efi-Print-an-error-if-boot-to-firmware-setup-is-not-.patch
Patch0216: 0216-arm64-Fix-EFI-loader-kernel-image-allocation.patch Patch0216: 0216-arm64-Fix-EFI-loader-kernel-image-allocation.patch
Patch0217: 0217-normal-main-Discover-the-device-to-read-the-config-f.patch
Patch0218: 0218-powerpc-adjust-setting-of-prefix-for-signed-binary-c.patch
Patch0219: 0219-powerpc-fix-prefix-signed-grub-special-case-for-Powe.patch


@ -14,7 +14,7 @@
Name: grub2 Name: grub2
Epoch: 1 Epoch: 1
Version: 2.06 Version: 2.06
Release: 4%{?dist} Release: 5%{?dist}
Summary: Bootloader with support for Linux, Multiboot and more Summary: Bootloader with support for Linux, Multiboot and more
License: GPLv3+ License: GPLv3+
URL: http://www.gnu.org/software/grub/ URL: http://www.gnu.org/software/grub/
@ -523,6 +523,9 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg
%endif %endif
%changelog %changelog
* Mon Aug 30 2021 Javier Martinez Canillas <javierm@redhat.com> - 2.06-5
- A few fixes for ppc64le LPAR Secure Boot support
* Tue Aug 24 2021 Peter Jones <pjones@redhat.com> - 2.06-4 * Tue Aug 24 2021 Peter Jones <pjones@redhat.com> - 2.06-4
- Fix aarch64 kernel alignment. - Fix aarch64 kernel alignment.
- Fix annobin regexp on ppc64le - Fix annobin regexp on ppc64le