From dd5f2023b048216adca6e2439ed0ef0bae62203e Mon Sep 17 00:00:00 2001
From: Nicolas Frayer
Date: Tue, 6 Aug 2024 12:29:47 +0200
Subject: [PATCH] mkconfig: More hardening to prevent overwriting grub cfg stub

Simplified os detection and remove mountpoint to accommodate hybrid VMs

Signed-off-by: Nicolas Frayer
---
 ...-mkconfig-Simplify-os_name-detection.patch | 27 +++++++++++++
 ...move-check-for-mount-point-for-grub-.patch | 29 ++++++++++++++
 ...nsure-grub-cfg-stub-is-not-overwritt.patch | 40 -------------------
 grub.patches | 2 +
 grub2.spec | 5 ++-
 5 files changed, 62 insertions(+), 41 deletions(-)
 create mode 100644 0272-grub2-mkconfig-Simplify-os_name-detection.patch
 create mode 100644 0273-grub-mkconfig-Remove-check-for-mount-point-for-grub-.patch
 delete mode 100644 0364-grub2-mkconfig-Ensure-grub-cfg-stub-is-not-overwritt.patch

diff --git a/0272-grub2-mkconfig-Simplify-os_name-detection.patch b/0272-grub2-mkconfig-Simplify-os_name-detection.patch
new file mode 100644
index 0000000..bd7ba1b
--- /dev/null
+++ b/0272-grub2-mkconfig-Simplify-os_name-detection.patch
@@ -0,0 +1,27 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Andrew Lukoshko
+Date: Wed, 31 Jul 2024 16:06:10 +0000
+Subject: [PATCH] grub2-mkconfig: Simplify os_name detection
+
+---
+ util/grub-mkconfig.in | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
+index efa36cc45a69..8b7883072e46 100644
+--- a/util/grub-mkconfig.in
++++ b/util/grub-mkconfig.in
+@@ -109,12 +109,7 @@ do
+ esac
+ done
+ 
+-os_name=$(grep '^ID=' /etc/os-release | sed 's/ID=//')
+-if test "$os_name" = '"rhel"'; then
+- os_name=redhat
+-elif test "$os_name" = '"centos"'; then
+- os_name=centos
+-fi
++os_name=$(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/' -e 's/\"//g')
+ if test "x${grub_cfg}" = "x/boot/efi/EFI/$os_name/grub.cfg" &&\
+ mountpoint -q /boot/efi; then
+ gettext_printf "Running \`grub2-mkconfig -o %s' will overwrite the GRUB wrapper.\n" "$grub_cfg" 1>&2
diff --git a/0273-grub-mkconfig-Remove-check-for-mount-point-for-grub-.patch b/0273-grub-mkconfig-Remove-check-for-mount-point-for-grub-.patch
new file mode 100644
index 0000000..fc3ec41
--- /dev/null
+++ b/0273-grub-mkconfig-Remove-check-for-mount-point-for-grub-.patch
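Review bot: The `s/rhel/redhat/` substitution on the new `os_name=` line is unanchored and runs before the quotes are stripped, so it rewrites any ID value that merely contains `rhel`, whereas the removed branch only matched the exact value `"rhel"`; strip quotes first and anchor the match, e.g. `os_name=$(grep '^ID=' /etc/os-release | sed -e 's/^ID=//' -e 's/"//g' -e 's/^rhel$/redhat/')`. Note that os-release also permits single-quoted values, which this sed leaves untouched, so the stub path would then never match. More importantly for a hardening change, when `/etc/os-release` is missing or has no `ID=` line, `os_name` is empty and the guard below compares against `/boot/efi/EFI//grub.cfg`, so the overwrite protection silently fails open; treating an empty `os_name` as a detection failure (warn, or refuse to write under `/boot/efi/EFI/`) would be the fail-closed behaviour the commit title promises. The `if` block this feeds continues past the end of the hunk.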
@@ -0,0 +1,29 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Nicolas Frayer
+Date: Thu, 1 Aug 2024 11:13:20 +0200
+Subject: [PATCH] grub/mkconfig: Remove check for mount point for grub cfg stub
+
+Remove mountpoint when checking whether or not the grub cfg stub
+exists and add -s to the test. This should cover scenarios where
+the ESP doesn't have a seperate partition but still uses a grub
+cfg stub
+
+Signed-off-by: Nicolas Frayer
+---
+ util/grub-mkconfig.in | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
+index 8b7883072e46..31a72a39e0cf 100644
+--- a/util/grub-mkconfig.in
++++ b/util/grub-mkconfig.in
+@@ -110,8 +110,7 @@ do
+ done
+ 
+ os_name=$(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/' -e 's/\"//g')
+-if test "x${grub_cfg}" = "x/boot/efi/EFI/$os_name/grub.cfg" &&\
+- mountpoint -q /boot/efi; then
++if test -s "${grub_cfg}" && test "x${grub_cfg}" = "x/boot/efi/EFI/$os_name/grub.cfg"; then
+ gettext_printf "Running \`grub2-mkconfig -o %s' will overwrite the GRUB wrapper.\n" "$grub_cfg" 1>&2
+ gettext_printf "Please run \`grub2-mkconfig -o /boot/grub2/grub.cfg' instead to update grub.cfg.\n" 1>&2
+ gettext_printf "GRUB configuration file was not updated.\n" 1>&2
diff --git a/0364-grub2-mkconfig-Ensure-grub-cfg-stub-is-not-overwritt.patch b/0364-grub2-mkconfig-Ensure-grub-cfg-stub-is-not-overwritt.patch
deleted file mode 100644
index 2ac42f6..0000000
--- a/0364-grub2-mkconfig-Ensure-grub-cfg-stub-is-not-overwritt.patch
+++ /dev/null
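Review bot: The new `if` line still compares `${grub_cfg}` against one literal spelling of the stub path, so the guard is bypassed by any equivalent spelling: `-o /boot/efi//EFI/redhat/grub.cfg`, `-o /boot/efi/EFI/redhat/../redhat/grub.cfg`, a relative path from a cwd under `/boot/efi`, or a symlink that resolves to the stub all pass the test and clobber the wrapper. Since `test -s` already guarantees the target exists, canonicalize before comparing, e.g. `if test -s "${grub_cfg}" && test "x$(readlink -f -- "${grub_cfg}")" = "x/boot/efi/EFI/$os_name/grub.cfg"; then` (coreutils `readlink -f`, or whatever canonicalizer the script already uses elsewhere). Separately, `-s` means a zero-length or not-yet-created file at the stub path is no longer protected, which the removed by-path check did cover whenever the ESP was mounted; if that is intentional for the hybrid-VM case a comment saying so would help, otherwise `-e` keeps the old coverage. The `if` block continues past the end of the hunk.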
@@ -1,40 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Nicolas Frayer
-Date: Tue, 16 Jul 2024 11:11:43 +0200
-Subject: [PATCH] grub2-mkconfig: Ensure grub cfg stub is not overwritten
-
-/boot/efi/EFI/$os_name/grub.cfg contains a grub cfg stub
-that should not be overwritten by grub2-mkconfig.
-Ensure that we prevent this from happening.
-
-Signed-off-by: Marta Lewandowska
-Signed-off-by: Nicolas Frayer
---
- util/grub-mkconfig.in | 14 ++++++++++++++
- 1 file changed, 14 insertions(+)
-
-diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
-index fb382b648b87..efa36cc45a69 100644
---- a/util/grub-mkconfig.in
-+++ b/util/grub-mkconfig.in
-@@ -109,6 +109,20 @@ do
- esac
- done
- 
-+os_name=$(grep '^ID=' /etc/os-release | sed 's/ID=//')
-+if test "$os_name" = '"rhel"'; then
-+ os_name=redhat
-+elif test "$os_name" = '"centos"'; then
-+ os_name=centos
-+fi
-+if test "x${grub_cfg}" = "x/boot/efi/EFI/$os_name/grub.cfg" &&\
-+ mountpoint -q /boot/efi; then
-+ gettext_printf "Running \`grub2-mkconfig -o %s' will overwrite the GRUB wrapper.\n" "$grub_cfg" 1>&2
-+ gettext_printf "Please run \`grub2-mkconfig -o /boot/grub2/grub.cfg' instead to update grub.cfg.\n" 1>&2
-+ gettext_printf "GRUB configuration file was not updated.\n" 1>&2
-+ exit 1
-+fi
-+
- if [ "x$EUID" = "x" ] ; then
- EUID=`id -u`
- fi
diff --git a/grub.patches b/grub.patches
index c0d6a4e..f4de23f 100644
--- a/grub.patches
+++ b/grub.patches
@@ -269,3 +269,5 @@ Patch0268: 0268-Set-non-executable-stack-sections-on-EFI-assembly-fi.patch
 Patch0269: 0269-grub-mkconfig.in-turn-off-executable-owner-bit.patch
 Patch0270: 0270-kern-ieee1275-init-Add-IEEE-1275-Radix-support-for-K.patch
 Patch0271: 0271-grub2-mkconfig-Ensure-grub-cfg-stub-is-not-overwritt.patch
+Patch0272: 0272-grub2-mkconfig-Simplify-os_name-detection.patch
+Patch0273: 0273-grub-mkconfig-Remove-check-for-mount-point-for-grub-.patch
diff --git a/grub2.spec b/grub2.spec
index 6711841..9cbb5d0 100644
--- a/grub2.spec +++ b/grub2.spec @@ -17,7 +17,7 @@ Name: grub2 Epoch: 1 Version: 2.12 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Bootloader with support for Linux, Multiboot and more License: GPL-3.0-or-later URL: http://www.gnu.org/software/grub/ @@ -560,6 +560,9 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg %endif %changelog +* Tue Aug 6 2024 Nicolas Frayer - 2.12-2 +- mkconfig: More hardening to prevent overwriting grub cfg stub + * Mon Aug 5 2024 Leo Sandoval - 2.12-1 - Rebased to release grub2-2.12