0179-Add-suport-for-signing-grub-with-an-appended-signatu.patch was
written in Jun of 2020, before support for .sbat went upstream. It adds
a command line option "--append-signature-size" to grub-mkimage with the
short argument '-s'.
Unfortunately, .sbat support also uses that short argument, and as a
result, trying to use "grub-mkimage --append-signature-size" on ppc64le
(where we need it) fails due to argument.sbat being set on a non-EFI
platform.
This patch makes the --append-signature-size use 'S' instead of 's'.
Related: rhbz#1951104
Signed-off-by: Peter Jones <pjones@redhat.com>
The annobin GCC plugin is now turned on linking for LTO mode but it causes
build failures on at least powerpc. The plugin is already removed from the
CFLAGS but was added again through LDFLAGS, remove from there as well.
Signed-off-by: Peter Jones <pjones@redhat.com>
- Add luks2 to GRUB_MODULES
- 20-grub-install: Create a symvers.gz symbolic link
- 20-grub-install: Always use fedora as the boot entry --class
Resolves: rhbz#1957014
- grub.macros: Install font in /boot/grub2 instead of the ESP
Resolves: rhbz#1739762
- grub.macros: Use consistent file mode for legacy and EFI
Resolves: rhbz#1965794
- Drop grub2 prelink configuration
Resolves: rhbz#1659675
- Remove triggers needed to upgrade from legacy GRUB
- Don't hardcode grub2 in the spec file
- Update to unifont-13.0.06
Resolves: rhbz#1939125
- 20-grub-install: Use relative paths for btrfs in BLS snippets
Resolves: rhbz#1906191
- Don't update the cmdline when generating legacy menuentry commands
- Suppress gettext error message
Resolves: rhbz#1592124
- grub-boot-success.timer: Only run if not in a container
Resolves: rhbz#1914571
- grub-set-password: Always use /boot/grub2/user.cfg as password default
Resolves: rhbz#1955294
- Remove outdated URL for BLS document
Resolves: rhbz#1926453
- templates: Check for EFI at runtime instead of config generation time
Resolves: rhbz#1823864
- efi: Print an error if boot to firmware setup is not supported
Resolves: rhbz#1823864
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
When SUSE_BTRFS_SNAPSHOT_BOOTING=true is set in /etc/default/grub, paths
to kernel and initrd images need to be relative. Since are used along with
snapper, configured so the default btrfs subvolume is the current snapshot.
Resolves: rhbz#1906191
There's a variable for this, use it consistently.
Suggested-by: Benjamin Herrenschmidt <benh@amazon.com>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
The legacy GRUB package (grub2 < 1.99-4) had a %preun scriptlet that did a
rm -f /boot/%{name}/*.{mod,img,lst} and caused users who upgraded to grub2
to have an empty /boot/%{name} directory, leading to an unbootable system.
To work around this, a set of %triggerun and %triggerpostun triggers were
added that back up and restore the /boot/%{name} directory. But that was an
issue in Fedora 16, almost a decade ago. These aren't needed anymore.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
A /etc/prelink.conf.d/grub2.conf is shipped to avoid SELinux warning about
security violations when SELinux is enforced and allow_execstack is off.
But the tools have been fixed a long time ago and the allow list shouldn't
be needed anymore, let's just drop it.
Resolves: rhbz#1659675
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
GRUB is now using /boot/grub2 as the directory where all the resources are
loaded, but the unicode.pf2 is still installed in the EFI System Partition.
Resolves: rhbz#1739762
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
This is only used by themes and these assume that boot entries for Fedora
will be named "fedora". Currently we are using "kernel" that's not useful.
Resolves: rhbz#1957014
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
This is not needed for boot, just a symlink would be enough for
tools that expect this file to be present in the boot directory.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
The posttran scriptlet attempts to generate a GRUB configuration if there
isn't one in the EFI System Partition. But this leads to a failure if the
grub2 package is installed in a container.
To avoid this issue, only attempt to generate a GRUB config if the ESP is
mounted in /boot/efi.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
If there's no GRUB config in the ESP, generate one. This is a full config
but later the posttrans script will convert it to the minimal config stub.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
The efi-srpm-macros package contains a macro for the ESP vendor directory
to make sure that the correct one for each distro is used. But the grub2
package is instead hardcoding it to "fedora", use the macro instead.
Signed-off-by: Benjamin Herrenschmidt <benh@amazon.com>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Also simplify the logic to determine the filesystem UUID of the partition
that contains the /boot/grub2 directory.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
If there is no grub config, for example when installing the
system via anaconda, there is no need to attempt a grub
configuration unification. It will indeed actually break
because it will try to copy a non-existent file.
Resolves: rhbz#1933085
The previous commits, especially b14117, unified the grub config
locations across all platforms. In brief, this means that in the
case of EFI, the config file in the EFI System Partition (ESP)
is now meant to be a small stub config file that will in turn
load the main configuration in /boot/grub2, which is used on
all other platforms as well. For new installations all this is
done by the Anaconda installer. But existing installations also
need to be adapted.
Add a %posttrans script to the grub2-common package that will,
if a non-unified installation is detected, transition it into
a unified one. This is done by moving the main grub.cfg file
from the ESP to /boot/grub2, creating a minimal stub on the ESP
instead. Additionally, the grubenv file is also moved from the
ESP to /boot/grub2.
The detection of the non-unified installation is done by
checking if the grub.cfg on the ESP contains the 'configfile'
directive. If so, it is assumed the system has a unified
grub configuration.
Signed-off-by: Christian Kellner <christian@kellner.me>
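
Added example (not part of the commit above and not the package's own %posttrans scriptlet): a sketch of the detection and transition it describes, including the missing-config case from the rhbz#1933085 fix. The function names, the directory parameters and the stub contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not the grub2 package's scriptlet.
# Directories are parameters so this can be run against scratch copies.

# is_unified ESP_CFG: succeeds if the ESP config already contains a
# 'configfile' directive, i.e. it is a stub that loads another config.
is_unified() {
    grep -q '^[[:space:]]*configfile[[:space:]]' "$1"
}

# unify_grub_cfg ESP_DIR BOOT_DIR BOOT_UUID
# Prints "skipped", "already-unified" or "migrated".
unify_grub_cfg() {
    esp_dir=$1 boot_dir=$2 boot_uuid=$3
    esp_cfg=$esp_dir/grub.cfg

    # A fresh install may have no config yet; copying a non-existent
    # file would fail, so there is nothing to unify.
    if [ ! -f "$esp_cfg" ]; then
        echo skipped; return 0
    fi
    if is_unified "$esp_cfg"; then
        echo already-unified; return 0
    fi

    # Copy the full config (mode and timestamps kept), then move grubenv.
    mkdir -p "$boot_dir"
    cp -p "$esp_cfg" "$boot_dir/grub.cfg" || return 1
    if [ -f "$esp_dir/grubenv" ]; then
        mv "$esp_dir/grubenv" "$boot_dir/grubenv" || return 1
    fi

    # Write the stub to a temporary file first, so a failed write does
    # not truncate the live config. Stub contents are assumed here.
    tmp=$esp_cfg.new
    cat > "$tmp" <<EOF || return 1
search --no-floppy --fs-uuid --set=dev $boot_uuid
set prefix=(\$dev)/grub2
export \$prefix
configfile \$prefix/grub.cfg
EOF
    mv "$tmp" "$esp_cfg" || return 1
    echo migrated
}
```

Running it a second time on the same directories reports already-unified, which is the property the 'configfile' check exists to provide.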
- Remove -fcf-protection compiler flag to allow i386 builds (law)
Related: rhbz#1915452
- Unify GRUB configuration file location across all platforms
Related: rhbz#1918817
- Add 'at_keyboard_fallback_set' var to force the set manually (rmetrich)
- Add appended signatures support for ppc64le LPAR Secure Boot (daxtens)
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
The GRUB configuration files layout on EFI platforms isn't consistent with
other non-EFI platforms (e.g: legacy BIOS x86 and Open Firmware ppc64le).
On platforms using EFI, the GRUB config file (grub.cfg) and environment
variables block (grubenv) are stored in the EFI System Partition (ESP),
while for non-EFI platforms these are stored in the boot partition (or
/boot directory if no boot partition is used).
The reason for this is that the path where the GRUB bootloader searches
for its configuration file varies depending on the firmware interface.
For EFI the GRUB binary is located in the ESP and it expects to find its
config file in that location as well. But this creates the mentioned
inconsistency, because the GRUB configuration file has to be stored in
/boot/efi/EFI/fedora/grub.cfg while for non-EFI platforms it has to be
stored in /boot/grub2/grub.cfg.
To allow all platforms to have the GRUB config file in the same location,
only a minimal config file could be stored in the ESP and this will load
the one that is stored in /boot/grub2.
Related: rhbz#1918817
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
GRUB uses -march=i386 to build the x86 BIOS code but recent changes in the
default %{optflags} enabled the -fcf-protection flag that's not compatible
with pre-i686 CPUs.
This led to a build error in the grub2 package. To avoid this failure and
let the package build again, remove the -fcf-protection flag for now.
Related: rhbz#1915452
Signed-off-by: Jeff Law <law@redhat.com>
Users can unintentionally remove the grub2 packages and break their system
by deleting the bootloader. To prevent this mark them as protected by DNF.
Resolves: rhbz#1874541
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
The /boot/grub2/grubenv file is not installed by the grub2 packages but
is either a symbolic link created on %install or a regular file created
by Anaconda during installation.
This is causing the tps-rpmtest to fail in some architectures since the
file attributes don't match what's expected by the package. Because it is
a special file, make verification ignore the size, mode, checksum
and mtime attributes.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>