Commit graph

93 commits

Author SHA1 Message Date
Nicolas Frayer
7b857b827a Linker: added --no-warn-rwx-segments linker option
Added --no-warn-rwx-segments as the build will fail after the
ld.bfd default options have been changed.

Please refer:
https://fedoraproject.org/wiki/Changes/Linker_Error_On_Security_Issues

Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2023-11-15 15:30:41 +01:00
Robbie Harwood
ab62564e2f tmp
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2023-03-31 17:47:53 -04:00
Chris Adams
9d4d1e919c Provide a legacy PXE boot core.0
This enables PXE booting with grub2 rather than syslinux.

Signed-off-by: Chris Adams <linux@cmadams.net>
[rharwood: bump spec, fix commit message]
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2023-03-31 15:59:22 -04:00
Robbie Harwood
63b29f783e Override the linker and force nonexecutable stacks
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2023-02-10 21:50:45 +00:00
Robbie Harwood
3ce59ed7e1 ppc64le: update signed media fixes
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2023-01-27 14:04:12 -05:00
Robbie Harwood
217ae25d88 Fix previous commit for non-x64
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2023-01-11 11:00:47 -05:00
Robbie Harwood
b84b21f7a2 Apply more hardening to host binaries
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2023-01-11 15:40:17 +00:00
Robbie Harwood
9e46a970c6 Fix prefix setting with memdisk creation for network boot
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-12-21 22:35:22 +00:00
Robbie Harwood
55921d8655 Attempt to fix eln build
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-12-19 14:36:15 -05:00
Adam Williamson
1af394246e Go back to installing unicode.pf2
lorax has its own code for building EFI images, and it needs the
font file to do that successfully, so let's make sure it's there
for lorax to find. This doesn't revert the embedding change,
it just reverts the part where we don't bother to install the
font to /boot/grub2/fonts any more.

Signed-off-by: Adam Williamson <awilliam@redhat.com>
2022-11-23 09:26:54 -08:00
Robbie Harwood
0ccadff7a2 Bundle unicode.pf2 with images
Resolves: #2143725
Resolves: #2144113
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-11-22 17:56:56 -05:00
Robbie Harwood
06e51d2a65 Forward-port ppc64le image creation (with nerfed signing)
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-11-21 15:22:04 -05:00
Jens Petersen
c1f53c8596 grub.macros also needs updating to use gettext-runtime
Otherwise e.g. grub-pc still pulls in gettext in current rawhide.

Signed-off-by: Jens Petersen <petersen@redhat.com>
2022-09-09 17:59:58 +08:00
Robbie Harwood
89d7a298b6 Skip rpm mtime verification on likely-vfat filesystems
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-08-15 20:50:19 +00:00
Robbie Harwood
867b41f7d3 Use --with-rpm-version
Resolves: #2118390
Suggested-by: François Rigault <frigo@amadeus.com>
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-08-15 16:21:35 -04:00
Robbie Harwood
f9344de20a Stop using %{name} for things in the spec file
There's no point to this (the packaging isn't generic, confusion between
grub and grub2 in places, it's not fewer characters to type, have to
think about escaping in macros, ...) and it makes searching for things
needlessly difficult.

This finishes the revert of 967c5629ed
("Don't harcode grub2 in the spec file") that was begun in
af038a0bdc ("Revert "Don't harcode grub2
in the spec file"").

Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-04-18 17:14:40 -04:00
Robbie Harwood
1d98b5f260 Fix permission change report from rpm verification on grub.cfg
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-04-18 17:50:28 +00:00
Robbie Harwood
6c2cc46451 Enable "read" module
Resolves: #2071644
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-04-13 15:13:22 +00:00
Robbie Harwood
eeff7639b3 Drop i32 build for real this time
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-03-31 21:23:48 +00:00
Robbie Harwood
0bd5331192 Fix efi_modules to include connectefi
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-02-28 14:02:46 -05:00
Robbie Harwood
fe0248c0ce Fix stripping of annobin -spec
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-02-25 22:25:36 +00:00
Robbie Harwood
8a74d28ac8 Life is pain, but especially when it's gnulib
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-02-24 13:25:56 -05:00
Peter Jones
af038a0bdc Revert "Don't harcode grub2 in the spec file"
Two issues:
- line 538 switches the filename from "grub" to "grub2" where it
  shouldn't
- in general, things that aren't referring to the packaging itself
  shouldn't be %{name}; it just makes them less flexible.

This reverts commit 967c5629ed.
2021-10-07 17:38:20 -04:00
Peter Jones
db96a0c4de grub.macros: Remove annobin plugin from linker flags
The annobin GCC plugin is now turned on when linking for LTO mode but it causes
build failures on at least powerpc. The plugin is already removed from the
CFLAGS but was added again through LDFLAGS, so remove it from there as well.

Signed-off-by: Peter Jones <pjones@redhat.com>
2021-08-30 10:33:06 -04:00
Javier Martinez Canillas
967c5629ed Don't harcode grub2 in the spec file
There's a variable for this, use it consistently.

Suggested-by: Benjamin Herrenschmidt <benh@amazon.com>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-06-30 09:20:25 +02:00
Javier Martinez Canillas
504ecff2ed grub.macros: Use consistent file mode for legacy and EFI
Currently the permissions are inconsistent for grub2-pc and grub2-efi:

$ rpm -qlvf --filesbypkg /boot/grub2/grub.cfg
...
grub2-efi-x64             /boot/grub2/grub.cfg
-rwx------    1 root     root
grub2-pc                  /boot/grub2/grub.cfg
-rw-r--r--    1 root     root

Resolves: rhbz#1965794

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-06-29 16:28:36 +02:00
Javier Martinez Canillas
9cf30d96e9 grub.macros: Install font in /boot/grub2 instead of the ESP
GRUB is now using /boot/grub2 as the directory where all the resources are
loaded, but the unicode.pf2 is still installed in the EFI System Partition.

Resolves: rhbz#1739762

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-06-29 16:28:36 +02:00
Austin Conatser
485dd93ff1 Add luks2 to GRUB_MODULES
Enable limited luks2 support for the built images.
Argon2 keys, the default used in cryptsetup for luks2, are not yet supported.
2021-06-17 01:24:42 +00:00
Frederick Grose
6d09d20265 grub.macros: Include f2fs in GRUB_MODULES
Enable GRUB to read F2FS filesystems.
2021-06-11 15:31:38 +00:00
Javier Martinez Canillas
51b7d6220e Fix a couple of merge mistakes made when rebasing to 2.06~rc1
Resolves: rhbz#1940524

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-03-24 09:39:42 +01:00
Javier Martinez Canillas
46968b6e63 Update to 2.06~rc1 to fix a bunch of CVEs
Resolves: CVE-2020-14372
Resolves: CVE-2020-25632
Resolves: CVE-2020-25647
Resolves: CVE-2020-27749
Resolves: CVE-2020-27779
Resolves: CVE-2021-20225
Resolves: CVE-2021-20233

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-03-15 10:13:33 +01:00
Javier Martinez Canillas
4fe0f66632 Unify GRUB configuration file location across all platforms
The GRUB configuration files layout on EFI platforms isn't consistent with
other non-EFI platforms (e.g. legacy BIOS x86 and Open Firmware ppc64le).

On platforms using EFI, the GRUB config file (grub.cfg) and environment
variables block (grubenv) are stored in the EFI System Partition (ESP),
while for non-EFI platforms these are stored in the boot partition (or
/boot directory if no boot partition is used).

The reason for this is that the path where the GRUB bootloader searches
for its configuration file varies depending on the firmware interface.

For EFI the GRUB binary is located in the ESP and it expects to find its
config file in that location as well. But this creates the mentioned
inconsistency, because the GRUB configuration file has to be stored in
/boot/efi/EFI/fedora/grub.cfg while for non-EFI platforms it has to be
stored in /boot/grub2/grub.cfg.

To allow all platforms to have the GRUB config file in the same location,
only a minimal config file could be stored in the ESP and this will load
the one that is stored in /boot/grub2.

Related: rhbz#1918817

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-02-09 00:44:03 +01:00
Jeff Law
3a8f1e293b Remove -fcf-protection compiler flag to allow i386 builds
GRUB uses -march=i386 to build the x86 BIOS code but recent changes in the
default %{optflags} enabled the -fcf-protection flag that's not compatible
with pre-i686 CPUs.

This led to a build error in the grub2 package. To avoid this failure and
let the package build again, remove the -fcf-protection flag for now.

Related: rhbz#1915452

Signed-off-by: Jeff Law <law@redhat.com>
2021-02-08 19:42:10 +01:00
Javier Martinez Canillas
8c2cf1c368 Add DNF protected.d fragments for GRUB packages
Users can unintentionally remove the grub2 packages and break their system
by deleting the bootloader. To prevent this mark them as protected by DNF.

Resolves: rhbz#1874541

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-12-30 22:45:54 +01:00
Javier Martinez Canillas
c321e640dc Include keylayouts and at_keyboard modules in EFI builds
This is needed to support PC AT keyboards on machines using EFI.

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-12-30 20:50:03 +01:00
Javier Martinez Canillas
ec73df1b6e Fix tps-rpmtest failing due /boot/grub2/grubenv attributes mismatch
The /boot/grub2/grubenv file is not installed by the grub2 packages but
is either a symbolic link created on %install or a regular file created
by Anaconda during installation.

This is causing the tps-rpmtest to fail in some architectures since the
file attributes don't match what's expected by the package. Because it is
a special file, make verification ignore the size, mode, checksum
and mtime attributes.

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-12-30 20:50:03 +01:00
Peter Jones
47cf63735c "Minor" bug fixes
Resolves: CVE-2020-10713
Resolves: CVE-2020-14308
Resolves: CVE-2020-14309
Resolves: CVE-2020-14310
Resolves: CVE-2020-14311
Resolves: CVE-2020-15705
Resolves: CVE-2020-15706
Resolves: CVE-2020-15707

Signed-off-by: Peter Jones <pjones@redhat.com>
2020-08-10 22:02:39 -04:00
Javier Martinez Canillas
0993459d92 Install GRUB as \EFI\BOOT\BOOTARM.EFI in armv7hl
The Default Boot Behavior for EFI if no BootOrder and Boot#### variables
are found is to look for an ESP and start \EFI\BOOT\BOOT{$arch}.efi.

This is usually fallback.efi installed by the shim package, but since shim
isn't used on armv7, there's no \EFI\BOOT\BOOTARM.EFI installed in the ESP.

So install GRUB as \EFI\BOOT\BOOTARM.EFI for armv7 so there is a default
EFI binary to be started.

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-06-07 10:50:19 +02:00
Javier Martinez Canillas
68246dd736 Only enable the tpm module for EFI platforms
The module is only built for EFI, so don't enable it for other platforms.

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-05-18 13:26:28 +02:00
Javier Martinez Canillas
4cf8c08cf7 Enable tpm module and make system to boot even if TPM measurements fail
Since GRUB 2.04 there is support for TPM measurements in a tpm module that
uses the verifiers framework. So this is used now instead of the previous
downstream patches that we were carrying.

But we forgot to enable this module when rebasing to 2.04 which leads to
GRUB no longer measuring the kernel, initrd and command line parameters.

One side effect of using the verifiers framework is that if measurements
fail, GRUB won't be able to open the files since the errors from the tpm
module are propagated. This means that a firmware with buggy tpm support
will prevent the machine from booting, which was not the case with the previous
downstream patches. Don't propagate the measurement errors to prevent this.

Resolves: rhbz#1836433

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-05-18 10:19:45 +02:00
David Abdurachmanov
b888fb3a32 Add RISC-V (riscv64) support to grub.macros
Signed-off-by: David Abdurachmanov <david.abdurachmanov@sifive.com>
2020-01-16 15:35:56 +01:00
Peter Jones
190e583e94 Add zstd to the EFI module list.
cmurf and javierm noticed[0] that we don't have zstd enabled, and that could
cause issues in some cases for /boot on btrfs subvolumes.  This adds it to our
module list.

[0] https://github.com/rhinstaller/anaconda/pull/2255#discussion_r359123085

Related: rhbz#1418336

Signed-off-by: Peter Jones <pjones@redhat.com>
2020-01-06 10:30:23 -05:00
Peter Jones
0cb30b7d2b Renumber sources
This gets rid of the vestigial remnants of the now-obsolete
release-to-master.patch, and moves gnulib to be earlier in our source list.

Signed-off-by: Peter Jones <pjones@redhat.com>
2020-01-06 10:28:40 -05:00
Peter Robinson
af4ccfff6b drop tools-extra from grub2-pc dependencies
2019-12-12 02:04:27 +00:00
Peter Robinson
8733281382 various grub2 cleanups
- drop deprecated groups from the macros file, already gone from main spec.
- don't ship arch specific bits in tools-extra that are already special cased in tools
- move grub2-glue-efi to tools-efi, it's Mac specific and there's other Mac efi tools there
- drop tools-extra dep for efi binaries, all in tools-efi and anaconda deals with that
- put grub2-install man page in the right package with the util
- other minor cleanups
2019-12-05 17:01:50 +01:00
Javier Martinez Canillas
e1531466e1 Update to grub 2.04
This change updates grub to the 2.04 release. The new release changed how
grub is built, so the bootstrap and bootstrap.conf files have to be added
to the dist-git. Also, the gitignore file changed so it has to be updated.

Since the patches have been forward ported to 2.04, there's no need for a
logic to maintain a patch with the delta between the release and the grub
master branch. So the release-to-master.patch is dropped and no longer is
updated by the do-rebase script.

Also since gnulib isn't part of the grub repository anymore and is cloned by
the bootstrap tool, a gnulib tarball is included as another source file and
copied before calling the bootstrap tool. That way grub can be built even
in builders that only have access to the sources lookaside cache.

Resolves: rhbz#1727279

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-08-15 08:04:53 +02:00
Javier Martinez Canillas
c432d1fe96 Include regexp module in EFI builds
So the regexp command can be used in systems with Secure Boot enabled.

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-08-07 22:15:12 +02:00
Benjamin Doron
300c372004 Includes security modules in Grub2 EFI builds
Satisfies https://fedoraproject.org/wiki/Changes/Include_security_modules_in_efi_Grub2

Resolves: rhbz#1722938
2019-07-15 12:06:36 +02:00
Sergio Durigan Junior
f6da347edf Use '-g' instead of '-g3' when compiling grub2.
The rpm-build's "debugedit" program will silently corrupt .debug_macro
strings when a binary is compiled with -g3.  Later in the build phase,
gdb-add-index is invoked to extract the DWARF index from the binary,
and GDB will segfault because dwarf2read.c:parse_definition_macro's
'body' variable is NULL.

Resolves: rhbz#1708780
2019-06-18 12:05:36 +02:00
Peter Jones
7388f24e3e Fix HOST_LDFLAGS to include the hardening flags.
rpmdiff noticed the following:

Detecting usr/sbin/grub2-ofpathname with not-hardened warnings '
Hardened: grub2-ofpathname: FAIL: Gaps were detected in the annobin coverage.  Run with -v to list.
Hardened: grub2-ofpathname: FAIL: Not linked with -Wl,-z,now.
Hardened: grub2-ofpathname: MAYB: The PIC/PIE setting was not recorded.
Hardened: grub2-ofpathname: FAIL: Not linked as a position independent executable (ie need to add '-pie' to link command line).
' on ppc64le

This is because while we made the CFLAGS get some new options, LDFLAGS never
got the same treatment, and we disabled %{_hardened_build} to avoid getting
its options in the TARGET_{C,LD}FLAGS variables.

This patch duplicates the infrastructure for {HOST,TARGET}_CFLAGS into
{HOST,TARGET}_LDFLAGS, and adds the %{_hardening_ldflags} and
%{_hardening_cflags} to both HOST_{C,LD}FLAGS.

Additionally, it fixes the CPPFLAGS definitions, since rpm doesn't define any
CPPFLAGS at all, and makes the -I$(pwd) be there exclusively, not on CFLAGS as
well, since they're always used in concert.

Signed-off-by: Peter Jones <pjones@redhat.com>
2019-05-23 13:51:07 -04:00