Commit graph

726 commits

Author SHA1 Message Date
Robbie Harwood
9c910dfa10 Fix appending signature support commit (thanks: pjones)
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-02-24 15:11:16 -05:00
Robbie Harwood
1c4e61c989 Don't forget the sources file
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-02-24 13:35:00 -05:00
Robbie Harwood
8a74d28ac8 Life is pain, but especially when it's gnulib
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-02-24 13:25:56 -05:00
Robbie Harwood
3e40727f72 Skip machine ID check when updating BLS
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-01-20 17:52:23 -05:00
Robbie Harwood
a382c9e3c9 Bump release; no code chages
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-01-18 14:47:04 -05:00
Robbie Harwood
357489e3ea Add location of DejaVu Sans font
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-01-18 19:46:15 +00:00
Robbie Harwood
e602a0629d Update patches; minor changes at most, if correct
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-01-17 18:09:27 -05:00
Robbie Harwood
b256068060 btrfs: use full bootloader area
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-01-06 17:42:54 +00:00
Robbie Harwood
46317f98bf Bump to rerun signing (no code changes)
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2021-12-10 17:34:40 +00:00
Robbie Harwood
d90546c5ee restore umask for grub.cfg (CVE-2021-3981)
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2021-12-09 11:11:30 -05:00
Robbie Harwood
9fdaa794e0 Drop UI patches and update provenance information
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2021-11-04 12:30:16 -04:00
Peter Jones
af038a0bdc Revert "Don't harcode grub2 in the spec file"
Two issues:
- line 538 switches the filename from "grub" to "grub2" where it
  shouldn't
- in general, things that aren't referring to the packaging itself
  shouldn't be %{name}; it just makes them less flexible.

This reverts commit 967c5629ed.
2021-10-07 17:38:20 -04:00
Peter Jones
42a07486d8 Fix "grub2-mkimage --appended-signature-size" parsing.
Signed-off-by: Peter Jones <pjones@redhat.com>
2021-10-07 12:30:43 -04:00
Peter Jones
99bcf9931e Fix grub-mkimage --append-signature-size
0179-Add-suport-for-signing-grub-with-an-appended-signatu.patch was
written in Jun of 2020, before support for .sbat went upstream.  It adds
a command line option "--append-signature-size" to grub-mkimage with the
short argument '-s'.

Unfortunately, .sbat support also uses that short argument, and as a
result, trying to use "grub-mkimage --append-signature-size" on ppc64le
(where we need it) fails due to argument.sbat being set on a non-EFI
platform.

This patch makes the --append-signature-size use 'S' instead of 's'.

Related: rhbz#1951104
Signed-off-by: Peter Jones <pjones@redhat.com>
2021-10-06 10:09:21 -04:00
Robbie Harwood
b3b9566edf Rebuild; no code changes 2021-09-29 18:05:43 +00:00
Robbie Harwood
07cf41c169 fs/xfs: Fix unreadable filesystem with v4 superblock
While we're here, also: check for the PE magic for the compiled arch

Resolves: rhbz#2008819
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2021-09-29 12:12:55 -04:00
Robbie Harwood
64dc7670b0 Add rpminspect config file
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2021-09-23 16:44:52 -04:00
Javier Martinez Canillas
1f9e8074ae
A few fixes for ppc64le LPAR Secure Boot support
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-08-30 16:55:22 +02:00
Peter Jones
db96a0c4de grub.macros: Remove annobin plugin from linker flags
The annobin GCC plugin is now turned on linking for LTO mode but it causes
build failures on at least powerpc. The plugin is already removed from the
CFLAGS but was added again through LDFLAGS, remove from there as well.

Signed-off-by: Peter Jones <pjones@redhat.com>
2021-08-30 10:33:06 -04:00
Peter Jones
702732583b Fix aarch64 kernel alignment.
Signed-off-by: Peter Jones <pjones@redhat.com>
2021-08-24 11:24:20 -04:00
Javier Martinez Canillas
67f07b7c9e
Another set of fixes for 2.06
- Add luks2 to GRUB_MODULES
- 20-grub-install: Create a symvers.gz symbolic link
- 20-grub-install: Always use fedora as the boot entry --class
  Resolves: rhbz#1957014
- grub.macros: Install font in /boot/grub2 instead of the ESP
  Resolves: rhbz#1739762
- grub.macros: Use consistent file mode for legacy and EFI
  Resolves: rhbz#1965794
- Drop grub2 prelink configuration
  Resolves: rhbz#1659675
- Remove triggers needed to upgrade from legacy GRUB
- Don't harcode grub2 in the spec file
- Update to unifont-13.0.06
  Resolves: rhbz#1939125
- 20-grub-install: Use relative paths for btrfs in BLS snippets
  Resolves: rhbz#1906191
- Don't update the cmdline when generating legacy menuentry commands
- Suppress gettext error message
  Resolves: rhbz#1592124
- grub-boot-success.timer: Only run if not in a container
  Resolves: rhbz#1914571
- grub-set-password: Always use /boot/grub2/user.cfg as password default
  Resolves: rhbz#1955294
- Remove outdated URL for BLS document
  Resolves: rhbz#1926453
- templates: Check for EFI at runtime instead of config generation time
  Resolves: rhbz#1823864
- efi: Print an error if boot to firmware setup is not supported
  Resolves: rhbz#1823864

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-07-06 11:18:04 +02:00
Eduardo
fbeda573a9
20-grub-install: Use relative paths for btrfs in BLS snippets
When SUSE_BTRFS_SNAPSHOT_BOOTING=true is set in /etc/default/grub, paths
to kernel and initrd images need to be relative. Since are used along with
snapper, configured so the default btrfs subvolume is the current snapshot.

Resolves: rhbz#1906191
2021-06-30 11:38:48 +02:00
Javier Martinez Canillas
419340f25e
Update to unifont-13.0.06
Resolves: rhbz#1939125

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-06-30 09:52:19 +02:00
Javier Martinez Canillas
967c5629ed
Don't harcode grub2 in the spec file
There's a variable for this, use it consistently.

Suggested-by: Benjamin Herrenschmidt <benh@amazon.com>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-06-30 09:20:25 +02:00
Javier Martinez Canillas
5e2444babe
Remove triggers needed to upgrade from legacy GRUB
The legacy GRUB package (grub2 < 1.99-4) had a %preun scriptlet that did a
rm -f /boot/%{name}/*.{mod,img,lst} and caused users who upgraded to grub2
to have an empty /boot/%{name} directory, leading to an unbootable system.

To workaround this, a set of %triggerun and %triggerpostun triggers were
added that backup and restore the /boot/%{name} directory. But that was an
issue in Fedora 16, almost a decade ago. These aren't needed anymore.

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-06-30 09:20:11 +02:00
Javier Martinez Canillas
8efaf82828
Drop grub2 prelink configuration
A /etc/prelink.conf.d/grub2.conf is shipped to avoid SELinux to warn about
security violations when SELinux is enforced and allow_execstack is off.

But the tools have been fixed a long time ago and the allow list shouldn't
be needed anymore, let's just drop it.

Resolves: rhbz#1659675

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-06-29 18:19:10 +02:00
Javier Martinez Canillas
504ecff2ed
grub.macros: Use consistent file mode for legacy and EFI
Currently the permissions are inconsistent for grub2-pc and grub2-efi:

$ rpm -qlvf --filesbypkg /boot/grub2/grub.cfg
...
grub2-efi-x64             /boot/grub2/grub.cfg
-rwx------    1 root     root
grub2-pc                  /boot/grub2/grub.cfg
-rw-r--r--    1 root     root

Resolves: rhbz#1965794

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-06-29 16:28:36 +02:00
Javier Martinez Canillas
9cf30d96e9
grub.macros: Install font in /boot/grub2 instead of the ESP
GRUB is now using /boot/grub2 as the directory where all the resources are
loaded, but the unicode.pf2 is still installed in the EFI System Partition.

Resolves: rhbz#1739762

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-06-29 16:28:36 +02:00
Javier Martinez Canillas
fc19d7847d
20-grub-install: Always use fedora as the boot entry --class
This is only used by themes and these assume that boot entries for Fedora
will be named "fedora". Currently we are using "kernel" that's not useful.

Resolves: rhbz#1957014

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-06-29 15:31:16 +02:00
Javier Martinez Canillas
a02c397786
20-grub-install: Create a symvers.gz symbolic link
This is not needed for boot, just a symlink would be enough for
tools that expect this file to be present in the boot directory.

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-06-21 08:50:53 +02:00
Austin Conatser
485dd93ff1 Add luks2 to GRUB_MODULES
Enable limited luks2 support for the built images.
Argon2 keys. the default used in cryptsetup for luks2, are not yet supported.
2021-06-17 01:24:42 +00:00
Javier Martinez Canillas
3459058062
Only try to generate a config if the ESP is mounted
The posttran scriptlet attempts to generate a GRUB configuration if there
isn't one in the EFI System Partition. But this leads to a failure if the
grub2 package is installed in a container.

To avoid this issue, only attempt to generate a GRUB config if the ESP is
mounted in /boot/efi.

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-06-15 16:54:32 +02:00
Javier Martinez Canillas
13985b0e4c
Update to 2.06 final release and ton of fixes
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-06-14 11:11:36 +02:00
Frederick Grose
6d09d20265 grub.macros: Include f2fs in GRUB_MODULES
Enable GRUB to read F2FS filesystems.
2021-06-11 15:31:38 +00:00
Javier Martinez Canillas
6dc8b4a57a
Generate a GRUB config if is not present in the ESP
If there's no GRUB config in the ESP, generate one. This is a full config
but later the posttrans script will convert it to the minimal config stub.

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-06-11 17:11:18 +02:00
Benjamin Herrenschmidt
6b5d11f760
Use the proper macro instead of hard coding fedora
The efi-srpm-macros package contais a macro for the ESP vendor directory
to make sure that the correct one for each distro is used. But the grub2
package is instead hardcoding it to "fedora", use the macro instead.

Signed-off-by: Benjamin Herrenschmidt <benh@amazon.com>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-06-10 10:29:18 +02:00
Javier Martinez Canillas
e91046d264
Add XFS needsrepair support
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-05-03 17:26:40 +02:00
Javier Martinez Canillas
ddafa09a88
Find and claim more memory for ieee1275
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-04-23 11:30:55 +02:00
Javier Martinez Canillas
5ef95ecb65
Add XFS bigtime support
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-04-14 12:59:23 +02:00
Javier Martinez Canillas
2f63333bcf
Add again 20_linux_xen script fix that got dropped by mistake
Resolves: rhbz#1858364

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-04-12 01:23:27 +02:00
Javier Martinez Canillas
d672447dfb
Prevent %posttrans scriptlet to fail if grubenv isn't present in the ESP
Also simplify the logic to determine the filesystem UUID of the partition
that contains the /boot/grub2 directory.

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-03-25 23:00:25 +01:00
Javier Martinez Canillas
51b7d6220e
Fix a couple of merge mistakes made when rebasing to 2.06~rc1
Resolves: rhbz#1940524

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-03-24 09:39:42 +01:00
Javier Martinez Canillas
46968b6e63
Update to 2.06~rc1 to fix a bunch of CVEs
Resolves: CVE-2020-14372
Resolves: CVE-2020-25632
Resolves: CVE-2020-25647
Resolves: CVE-2020-27749
Resolves: CVE-2020-27779
Resolves: CVE-2021-20225
Resolves: CVE-2021-20233

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-03-15 10:13:33 +01:00
Javier Martinez Canillas
89b6faf012
Fix config file generation failing due invalid petitboot version value
Resolves: rhbz#1921479

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-03-11 13:15:37 +01:00
Javier Martinez Canillas
3b8cfc9cf6
Fix keyboards that report IBM PC AT scan codes
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-03-05 11:37:24 +01:00
Javier Martinez Canillas
32351b3093
Don't attempt to unify if there is no grub.cfg on EFI
Resolves: rhbz#1933085

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-02-25 18:26:22 +01:00
Christian Kellner
931f4f0364 Don't attempt to unify if there is no grub.cfg on EFI
If there is no grub config, for example when installing the
system via anaconda, there is no need to attempt a grub
configuration unification. It will indeed actually break
because it will try to copy a non-existent file.

Resolves: rhbz#1933085
2021-02-25 18:17:46 +01:00
Javier Martinez Canillas
c65a33ebca
Switch EFI users to new config and fix ESC no longer showing the menu
Resolves: rhbz#1918817
Resolves: rhbz#1928595

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-02-22 20:50:22 +01:00
Christian Kellner
a32aa179fa Transition existing installations to unified GRUB configuration
The previous commits, especially b14117, unified the grub config
locations across all platforms. In brief, this means that in the
case of EFI, the config file in the EFI System Partition (ESP)
is now meant to be a small stub config file that will in turn
load the main configuration in /boot/grub2, which is used on
all other platforms as well. For new installations all this is
done by the Anaconda installer. But existing installations also
need to be adapted.
Add a %posttrans script to the grub2-common package that will,
if a non-unified installation is detected, transition it into
a unified one. This is done by moving the main grub.cfg file
from the ESP to /boot/grub2, creating minimal stub on the ESP
instead. Additionally, the grubenv file is also moved from the
ESP to /boot/grub2.
The detection of the non-unified installation is done by
checking if the grub.cfg on the ESP contains the 'configfile'
directive. If so, it is assumed the system has a unified
grub configuration.

Signed-off-by: Christian Kellner <christian@kellner.me>
2021-02-22 19:32:42 +01:00
Javier Martinez Canillas
b141171629
Appended signatures support, unify GRUB config location and some fixes
- Remove -fcf-protection compiler flag to allow i386 builds (law)
  Related: rhbz#1915452
- Unify GRUB configuration file location across all platforms
  Related: rhbz#1918817
- Add 'at_keyboard_fallback_set' var to force the set manually (rmetrich)
- Add appended signatures support for ppc64le LPAR Secure Boot (daxtens)

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-02-09 01:04:42 +01:00