Commit graph

817 commits

Author SHA1 Message Date
Nicolas Frayer
7b8d2f484c aarch64/macros: Build gnulib with -mbranch-protection=standard
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2024-10-03 16:41:25 +02:00
Leo Sandoval
8a5c9bc70f load EFI commands inside test expressions
Resolves: #2305291
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
2024-10-03 16:41:25 +02:00
Leo Sandoval
e381d787f1 Fix netbooting regressions introduced at 2.12-1
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
2024-10-03 16:41:25 +02:00
Peter Robinson
7be9d887d0 Build using fuse3
Signed-off-by: Peter Robinson <pbrobinson@fedoraproject.org>
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2024-10-03 16:40:31 +02:00
Leo Sandoval
56577a7d89 Remove 'efi: Use shim's loader protocol for EFI image verification'
Although this patch is correct and at some point it will be
re-introduced, currently shim does not support the loader protocol so
drop it in the meanwhile.

Signed-off-by: Leo Sandoval <lsandova@redhat.com>
2024-10-03 16:03:31 +02:00
Nicolas Frayer
68641d26b0 mkconfig: More hardening to prevent overwriting grub cfg stub
Simplified os detection and remove mountpoint to accommodate
hybrid VMs

Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2024-10-03 16:03:13 +02:00
Leo Sandoval
9ba4d688c7 Rebased to release grub2-2.12 for fedora-41
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
2024-10-03 16:02:11 +02:00
Leo Sandoval
c6f8651688 grub2.spec: Conditionally set grub config stub to 0600 mode
When upgrading from <=2.06-126 to newer versions, the grub config stub
may have different mode than 0600, so set the latter if this is the case.

Signed-off-by: Leo Sandoval <lsandova@redhat.com>
2024-10-03 15:56:04 +02:00
Leo Sandoval
4c1cce66b8 grub.cfg: Fix rpm grub.cfg verification issues
Fix the rpm verificaton issues (see below) introduced in 2.06.123 [1].
On the other hand, 2.06.125 [2] introduced a change on grub2-mkconfig where
it prevents overwritting {EFI_HOME}/grub.cfg with side effects on the
%posttrans spec script, where it tries to recreate it in case this
file does not exist but due to [2] the {EFI}/grub.cfg file is never
created. Fix the %posttrans code with the logic but applied to
{GRUB_HOME}/grub.cfg.

Issue detected on RHEL CI but also reproduced on fedora since
2.06.123, where this change fixes it.

    $ rpm -Vqa
    .
    .
    .M.......  c /boot/grub2/grub.cfg
    .M.......  c /boot/efi/EFI/fedora/grub.cfg
    .M.......  c /boot/grub2/grub.cfg
    .M.......  c /boot/efi/EFI/fedora/grub.cfg
    .M.......  c /boot/grub2/grub.cfg

[1] a137559e71
[2] f28d50ee44

Signed-off-by: Leo Sandoval <lsandova@redhat.com>
2024-10-03 15:55:41 +02:00
Nicolas Frayer
9e756e9174 grub2-mkconfig: Prevent mkconfig from overwriting grub cfg stub
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2024-10-03 15:54:29 +02:00
Stephen Gallagher
b9656d9fe9 Add package.cfg for ELN
Starting with fedpkg 1.45, we can now have `fedpkg build` automatically
trigger both the Rawhide and ELN build of this package, since it cannot
be rebuilt by the normal ELN auto-rebuild service due to the restricted
nature of this package. By adding this file, the maintainer does not
need to remember to build it for both releases manually.

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2024-10-03 15:54:23 +02:00
Vitaly Kuznetsov
c9197cbf14 99-grub-mkconfig: Avoid disabling BLS usage for Xen HVM VMs
Xen PV and PVH guest use direct kernel boot and may use 'pygrub' tool to
parse guest's grub config. The tool is incompatible with BLS and thus
99-grub-mkconfig.install disables it. The problem is observed with HVM
guests which are 'normal' VMs and don't require pygrub compatibility. E.g.
legacy AWS instance types are of this kind. Disabling BLS for them is
undesired and unjustified. Luckily, kernel driver for Xen provides
'/sys/hypervisor/guest_type' interface telling us which type of guest are
we running in.

Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
2024-10-03 15:54:16 +02:00
Erico Nunes
c0d3c22c26 20-grub.install: Add variable for per-kernel devicetree setting
In the old days before BLS, setting the GRUB_DEFAULT_DTB variable would
create a devicetree entry for each kernel, which would be prepended by
/dtb-${kernelver}, so it was possible to test a different dtb per
installed kernel.
In the transition to BLS, the variable was kept but the functionality is
now slightly different. The value of GRUB_DEFAULT_DTB goes to the
grubenv and that dtb is loaded from the /dtb symlink instead, which may
change with kernel installs.

This patch introduces a different variable which restores the previous
behavior, and adds the devicetree entry to each BLS entry, if set.
This variable is not set by default in an install, so it does not affect
users with default settings.
It is useful for developers and users of boards with not yet stable
upstream support, where changes to the dtb may cause behavior
difference. In these cases, it is desirable to not pick the dtb of just
the latest installed kernel, but keep previous kernel+dtb choices
unaffected as a fallback.

Signed-off-by: Erico Nunes <ernunes@redhat.com>
2024-10-03 15:54:01 +02:00
Nicolas Frayer
f1a4458417 KVM/PowerVM: Add support for KVM on PowerVM
Resolved: #2294883
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2024-10-03 15:53:24 +02:00
827df3a6bc Fix build when %_bindir==%_sbindir
Preparation for https://fedoraproject.org/wiki/Changes/Unify_bin_and_sbin.

Also remove duplicate listing in %files.

Signed-off-by: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
2024-10-03 15:48:21 +02:00
Nicolas Frayer
a6a9b36c8f cmd/search: Rework of CVE-2023-4001 fix
Related: #2224951
Resolved: #2263369
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2024-05-29 13:11:45 +02:00
Leo Sandoval
fa3dd080fa grub-mkconfig.in: turn off executable owner bit
Resolves: #2281464
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
2024-05-24 18:29:07 -06:00
Nicolas Frayer
3e8a581288 fs/xfs: Handle non-continuous data blocks in directory extents
Related: #2254370
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2024-04-15 11:05:24 +02:00
Nicolas Frayer
d2fcd91e36 GRUB2 NTFS driver vulnerabilities
(CVE-2023-4692)
(CVE-2023-4693)
Resolves: #2236613
Resolves: #2241978
Resolves: #2241976
Resolves: #2238343
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2024-03-12 14:59:34 +01:00
Nicolas Frayer
de8520b84a grub-set-bootflag: Fix for CVE-2024-1048
(CVE-2024-1048)

Resolves: #2256678
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2024-02-07 10:40:35 +01:00
Leo Sandoval
29406ad333 xfs: include directory extent parsing patch
Patch is required to boot XFS-formatted partitions created with
xfsprogs 6.5.0

Resolves: #2259266
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
2024-01-23 12:02:27 -06:00
Nicolas Frayer
6cc927e76b Compiler flags: ignore incompatible types for now as it prevents
CI builds

Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2024-01-18 15:22:45 +01:00
Nicolas Frayer
d2d9f6012b grub-core/commands: add flag to only search root dev
Resolves: #2223437
Resolves: #2224951
Resolves: #2258096
Resolves: CVE-2023-4001
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2024-01-18 15:22:34 +01:00
Nicolas Frayer
ebd311ec52 xfs: Remove directory extent parsing patch
Some bios systems can't boot with one of
the xfs upstream patches

Resolves: #2254370
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2024-01-17 15:23:37 +01:00
Hector Martin
0c1c9228d2 Switch memdisk compression to lzop
xz decompression is very slow and slows down boot by around 5 seconds on
aarch64/Apple M1 when using the default font. Switch to lzop, which
takes less than one second to uncompress.

This increases EFI core image size by around 11%.

Signed-off-by: Hector Martin <marcan@marcan.st>
2024-01-13 08:19:34 +09:00
Daan De Meyer
a162c0412f Drop grub2-tools obsoletes for grub2-tools-minimal
When installing grub2-tools grub2-tools-minimal is pulled in which
obsoletes grub2-tools causing grub2-tools to not get installed.
Remove the obsoletes so that grub2-tools can be installed again.

Signed-off-by: Daan De Meyer <daan.j.demeyer@gmail.com>
2024-01-11 19:10:34 +01:00
Nicolas Frayer
d11c8385d6 normal: fix prefix when loading modules
Resolves: #2209435
Resolves: #2173015
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2024-01-04 11:29:35 +01:00
Leo Sandoval
4562b72afc chainloader: remove device path debug message
Signed-off-by: Leo Sandoval <lsandova@redhat.com>
2023-12-14 09:31:59 -06:00
Nicolas Frayer
cadd7a1196 Migrate to SPDX license
Please refer to https://fedoraproject.org/wiki/Changes/SPDX_Licenses_Phase_2

Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2023-12-01 17:09:13 +01:00
Nicolas Frayer
c4a49e5c9a fs/xfs: Add several fixes/improvements to xfs fs from upstream
Resolves: #2247926
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2023-12-01 10:31:36 +01:00
Nicolas Frayer
7b857b827a Linker: added --no-warn-rwx-segments linker option
added --no-warn-rwx-segments as build will fail after
ld.bfd default options have been changed.

Please refer:
https://fedoraproject.org/wiki/Changes/Linker_Error_On_Security_Issues

Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2023-11-15 15:30:41 +01:00
Nicolas Frayer
88924af554 Remove [Install] section from aux systemd units
Related: #2247635
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2023-11-14 17:29:09 +01:00
Hans de Goede
94ecc476ab spec: Fix enablement of grub services and timer
Fix enablement of grub services and timer:
- Switch back to static enablement for grub services in tools package
- Add %%triggerpostun to apply grub-boot-success.timer preset
  when upgrading from older versions where this was not a preset

Closes: https://bugzilla.redhat.com/show_bug.cgi?id=2247635
Signed-off-by: Christian Glombek <cglombek@redhat.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
2023-11-14 13:18:59 +01:00
Nicolas Frayer
8a9297c431 util: grub-install on EFI if forced
Resolves: #1917213
Resolves: #2240994
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2023-11-06 18:10:09 +01:00
Nicolas Frayer
07412b4a97 kern/ieee1275/init: ppc64: Restrict high memory in presence
of fadump

Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2023-10-20 18:11:41 +02:00
Janne Grunau
62027d5ee3 20-grub.install: Copy device-tree directory recursively
8800efcb0b replaced '-a' with '--preserve=timestamps' to avoid
preserving ownership information on non vfat file systems. This breaks
copying of the 'dtb' directory on aarch64 systems since '-a' implies
'-r'. Add '-r' to the single place where 'dtb/' is copied to /boot.

Resolves: #2243060
Fixes: 8800efcb0b ("Do not preserve ownership or xattrs on copied files")
Signed-off-by: Janne Grunau <j@jannau.net>
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2023-10-11 12:23:55 +02:00
Vitaly Kuznetsov
45dbc926bf Don't run 20-grub.install for UKIs
When kernel-install is called for a UKI, 20-grub.install copies it to /boot
which is totally unneeded, UKIs are now handled by the standard systemd's
90-uki-copy.install (systemd-253+) correctly which places them to the ESP.

Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
2023-10-03 17:27:13 +02:00
e1206cf45b Let ln and cp remove the destination files
No functional change, but makes the script a bit shorter.

Signed-off-by: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
2023-10-03 17:12:53 +02:00
8800efcb0b Do not preserve ownership or xattrs on copied files
As noticed in https://bugzilla.redhat.com/show_bug.cgi?id=2239008#c16, when
compiling a kernel as a user and doing 'sudo make install', and when using a
non-vfat fs for the install destination, the file would end up owned by the
user. This is not useful at all, so let's only preserve the timestamps on the
copied file, no other attributes.

Signed-off-by: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
2023-10-03 17:12:48 +02:00
af4f1536b6 Rename installed kernel to match name used in boot entry
The mkbls() function would write 'linux /vmlinuz-${kernelver}' into the boot
loader entry. But the code that actually copies the file would use the original
file name with a version suffix ('cp -aT "$i" "/boot/${i##*/}-${KERNEL_VERSION}"').
In case of a local kernel build calling /sbin/installkernel this file name was
e.g. 'bzImage', so we would end up with '/bzImage-${KERNEL_VERSION}', which of
course doesn't match '/vmlinuz-*'. The script would later call 'grub2-mkrel'
on the name taken from the boot entry which would fail because the file does not
exist. Rename the argument to "vmlinuz", so that both parts match.

Tested by doing a local kernel build with 'sudo make install' at the end.

Signed-off-by: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
2023-10-03 17:12:39 +02:00
Nicolas Frayer
aa936e7b0c ofdisk: Fix missing #include in ofdisk.c
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2023-09-29 18:06:49 +02:00
Christian Glombek
6c038d7d02 spec: Fix grub2-systemd-integration.service name
Signed-off-by: Christian Glombek <cglombek@redhat.com>
2023-09-28 19:09:26 +02:00
Nicolas Frayer
52d23fe6f6 arm64: Use proper memory type for kernel allocation
Resolves: #2149020
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2023-09-14 18:26:26 +02:00
Nicolas Frayer
d161705351 spec: Use systemd presets and macros for units in tools package
Resolves: #2230575

Signed-off-by: Christian Glombek <cglombek@redhat.com>
2023-09-14 18:26:07 +02:00
Nicolas Frayer
5c4529ecac spec: Modified posttrans to harden grub config detection
Resolves: #2235692
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2023-09-01 11:12:53 +02:00
Nicolas Frayer
6d1f9f4a80 efi/http: change uint32_t to uintn_t
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2023-08-22 14:25:39 +02:00
Nicolas Frayer
5184f7bcf1 util: Enable default kernel for updates
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
2023-08-22 14:14:44 +02:00
Robbie Harwood
dc5c4e3f52 Add switch-root support to grub-emu
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2023-04-12 15:23:39 +00:00
Robbie Harwood
e6b8f35a69 Fix aa64 page fault with EFI_MEMORY_ATTRIBUTE_PROTOCOL
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2023-04-10 16:44:09 +00:00
Robbie Harwood
ab62564e2f tmp
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2023-03-31 17:47:53 -04:00