From 2bd82f5d9353ecf7702ff3a7d51110adf7e625ec Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Nov 03 2020 11:49:37 +0000 Subject: import grub2-2.02-90.el8 --- diff --git a/SOURCES/0277-envblk-Fix-buffer-overrun-when-attempting-to-shrink-.patch b/SOURCES/0277-envblk-Fix-buffer-overrun-when-attempting-to-shrink-.patch index 293500b..f8a73b7 100644 --- a/SOURCES/0277-envblk-Fix-buffer-overrun-when-attempting-to-shrink-.patch +++ b/SOURCES/0277-envblk-Fix-buffer-overrun-when-attempting-to-shrink-.patch @@ -38,7 +38,7 @@ Aborted (core dumped) $ wc -c env 0 grubenv -Resolves: rhbz#1836196 +Resolves: rhbz#1761496 Reported-by: Renaud Métrich Signed-off-by: Javier Martinez Canillas diff --git a/SOURCES/0315-blscfg-Always-look-for-BLS-snippets-in-the-root-devi.patch b/SOURCES/0315-blscfg-Always-look-for-BLS-snippets-in-the-root-devi.patch new file mode 100644 index 0000000..e2e2e51 --- /dev/null +++ b/SOURCES/0315-blscfg-Always-look-for-BLS-snippets-in-the-root-devi.patch @@ -0,0 +1,47 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Javier Martinez Canillas +Date: Tue, 11 Aug 2020 13:16:39 +0200 +Subject: [PATCH] blscfg: Always look for BLS snippets in the root device + +The blscfg command trying to load the BLS snippets from different devices +is a left over from when these where located in the ESP in the EFI case. + +But now that are always located in the /boot directory, the BLS snippets +have to be loaded from the root device just like the other files that are +in the /boot directory (kernel and initrd images). + +This only worked for legacy BIOS because the boot and root variables were +set to the same value. But doesn't work when trying to use a common GRUB +config file that could be shared between an EFI and legacy BIOS install. + +That kind of configuration is needed for example on hybrid images that are +booted using either EFI or legacy BIOS firmwares. + +Resolves: rhbz#1850193 + +Signed-off-by: Javier Martinez Canillas +--- + grub-core/commands/blscfg.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/grub-core/commands/blscfg.c b/grub-core/commands/blscfg.c +index c92e1c84543..70ce5c7bf6f 100644 +--- a/grub-core/commands/blscfg.c ++++ b/grub-core/commands/blscfg.c +@@ -874,14 +874,12 @@ grub_cmd_blscfg (grub_extcmd_context_t ctxt UNUSED, + + #ifdef GRUB_MACHINE_EMU + devid = "host"; +-#elif defined(GRUB_MACHINE_EFI) ++#else + devid = grub_env_get ("root"); +-#else +- devid = grub_env_get ("boot"); + #endif + if (!devid) + return grub_error (GRUB_ERR_FILE_NOT_FOUND, +- N_("variable `%s' isn't set"), "boot"); ++ N_("variable `%s' isn't set"), "root"); + + grub_dprintf ("blscfg", "opening %s\n", devid); + dev = grub_device_open (devid); diff --git a/SOURCES/0316-blscfg-Don-t-hardcode-an-env-var-as-fallback-for-the.patch b/SOURCES/0316-blscfg-Don-t-hardcode-an-env-var-as-fallback-for-the.patch new file mode 100644 index 0000000..30bbae3 --- /dev/null +++ b/SOURCES/0316-blscfg-Don-t-hardcode-an-env-var-as-fallback-for-the.patch @@ -0,0 +1,47 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Javier Martinez Canillas +Date: Tue, 11 Aug 2020 13:16:45 +0200 +Subject: [PATCH] blscfg: Don't hardcode an env var as fallback for the BLS + options field + +If the BLS fragments don't have an options field or if this was set to an +environment variable that was not defined in the grubenv file, the blscfg +module searches for a default_kernelopts variable that is defined in the +grub.cfg file. + +But the blscfg module shouldn't hardcode fallbacks variables and instead +this logic should be handled in the GRUB config file itself. + +Also, add a comment explaining where the kernelopts variable is supposed +to be defined and what is the process for the user to change its value. + +Resolves: rhbz#1850193 + +Signed-off-by: Javier Martinez Canillas +--- + util/grub.d/10_linux.in | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in +index 58d18504790..48857bb81d3 100644 +--- a/util/grub.d/10_linux.in ++++ b/util/grub.d/10_linux.in +@@ -158,7 +158,17 @@ linux_entry () + populate_header_warn + + cat << EOF +-set default_kernelopts="root=${linux_root_device_thisversion} ro ${args}" ++# The kernelopts variable should be defined in the grubenv file. But to ensure that menu ++# entries populated from BootLoaderSpec files that use this variable work correctly even ++# without a grubenv file, define a fallback kernelopts variable if this has not been set. ++# ++# The kernelopts variable in the grubenv file can be modified using the grubby tool or by ++# executing the grub2-mkconfig tool. For the latter, the values of the GRUB_CMDLINE_LINUX ++# and GRUB_CMDLINE_LINUX_DEFAULT options from /etc/default/grub file are used to set both ++# the kernelopts variable in the grubenv file and the fallback kernelopts variable. ++if [ -z "\${kernelopts}" ]; then ++ set kernelopts="root=${linux_root_device_thisversion} ro ${args}" ++fi + + insmod blscfg + blscfg diff --git a/SOURCES/0317-tftp-roll-over-block-counter-to-prevent-timeouts-wit.patch b/SOURCES/0317-tftp-roll-over-block-counter-to-prevent-timeouts-wit.patch new file mode 100644 index 0000000..60e58b0 --- /dev/null +++ b/SOURCES/0317-tftp-roll-over-block-counter-to-prevent-timeouts-wit.patch @@ -0,0 +1,51 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Javier Martinez Canillas +Date: Mon, 24 Aug 2020 14:46:27 +0200 +Subject: [PATCH] tftp: roll over block counter to prevent timeouts with data + packets + +The block number is a 16-bit counter which only allows to fetch +files no bigger than 65535 * blksize. To avoid this limit, the +counter is rolled over. This behavior isn't defined in RFC 1350 +but is handled by many TFTP servers and it's what GRUB was doing +before implicitly due an overflow. + +Fixing that bug led to TFTP timeouts, since GRUB wasn't acking +data packets anymore for files with size bigger than the maximum +mentioned above. Restore the old behavior to prevent this issue. + +Resolves: rhbz#1871034 + +Suggested-by: Peter Jones +Signed-off-by: Javier Martinez Canillas +--- + grub-core/net/tftp.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/grub-core/net/tftp.c b/grub-core/net/tftp.c +index 2c52f692b25..4f38d7ef1f7 100644 +--- a/grub-core/net/tftp.c ++++ b/grub-core/net/tftp.c +@@ -183,8 +183,20 @@ tftp_receive (grub_net_udp_socket_t sock __attribute__ ((unused)), + return GRUB_ERR_NONE; + } + +- /* Ack old/retransmitted block. */ +- if (grub_be_to_cpu16 (tftph->u.data.block) < data->block + 1) ++ /* ++ * Ack old/retransmitted block. ++ * ++ * The block number is a 16-bit counter which only allows to fetch ++ * files no bigger than 65535 * blksize. To avoid this limit, the ++ * counter is rolled over. This behavior isn't defined in RFC 1350 ++ * but is handled by many TFTP servers and it's what GRUB was doing ++ * before implicitly due an overflow. ++ * ++ * Fixing that bug led to TFTP timeouts, since GRUB wasn't acking ++ * data packets anymore for files with size bigger than the maximum ++ * mentioned above. Restore the old behavior to prevent this issue. ++ */ ++ if (grub_be_to_cpu16 (tftph->u.data.block) < ((data->block + 1) & 0xffffu)) + ack (data, grub_be_to_cpu16 (tftph->u.data.block)); + /* Ignore unexpected block. */ + else if (grub_be_to_cpu16 (tftph->u.data.block) > data->block + 1) diff --git a/SOURCES/centos-ca-secureboot.der b/SOURCES/centos-ca-secureboot.der deleted file mode 100644 index 44a2563..0000000 Binary files a/SOURCES/centos-ca-secureboot.der and /dev/null differ diff --git a/SOURCES/centossecureboot001.crt b/SOURCES/centossecureboot001.crt deleted file mode 100644 index 321c4ec..0000000 --- a/SOURCES/centossecureboot001.crt +++ /dev/null @@ -1,81 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: - b6:16:15:71:72:fb:31:7e - Signature Algorithm: sha256WithRSAEncryption - Issuer: CN=CentOS Secure Boot (CA key 1)/emailAddress=security@centos.org - Validity - Not Before: Aug 1 11:47:30 2018 GMT - Not After : Dec 31 11:47:30 2037 GMT - Subject: CN=CentOS Secure Boot (key 1)/emailAddress=security@centos.org - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - RSA Public Key: (2048 bit) - Modulus (2048 bit): - 00:c1:a3:6a:f4:2d:71:83:6c:21:ca:0c:b7:ac:fa: - 76:80:43:03:40:87:5d:de:e9:1e:df:ad:e7:2b:51: - cb:f8:31:0f:9a:db:ab:23:25:04:11:05:57:7d:f2: - 4b:8d:1e:b3:75:78:1d:b9:57:8b:18:0b:bb:7e:e3: - 24:0f:6a:40:5f:2b:4f:03:a5:85:94:d2:f9:08:a0: - bc:db:a5:ea:4f:7f:e8:7c:d1:a9:f8:f0:9c:25:18: - 00:14:c4:c4:35:7d:1d:4c:8a:8d:95:f8:ed:65:97: - a5:a4:da:7d:cb:f0:33:3b:b7:03:94:68:47:05:57: - 6c:96:91:ac:14:f2:e3:f6:6d:4a:18:cf:68:8a:35: - 6f:8e:26:99:7f:db:c9:83:54:c2:c3:bf:ad:45:a0: - aa:a0:86:5f:20:b1:86:1b:ae:b7:28:15:11:f9:65: - 53:5d:70:33:9b:a3:c7:b5:c8:11:ff:55:3b:e7:46: - f1:6c:6b:8c:bb:f2:9f:36:23:b1:2d:23:2f:8f:4f: - 6c:a8:cc:ae:f5:56:9e:22:6c:0e:9a:4a:b1:bd:b2: - 76:15:5c:05:85:b8:5e:dc:8c:a5:c3:e0:75:51:a4: - 94:9b:03:2e:7b:f8:d3:b9:dd:7f:88:ce:2e:2f:28: - 4c:b4:92:2f:e6:e0:67:0a:d0:ff:c5:d2:79:a6:ef: - 94:0f - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: critical - CA:FALSE - X509v3 Key Usage: - Digital Signature - X509v3 Subject Key Identifier: - F0:37:C6:EA:EC:36:D4:05:7A:52:6C:0E:C6:D5:A9:5B:32:4E:E1:29 - X509v3 Authority Key Identifier: - keyid:54:EC:81:85:89:3E:E9:1A:DB:08:F7:44:88:54:7E:8E:3F:74:3A:F3 - - Signature Algorithm: sha256WithRSAEncryption - 97:97:ba:a6:0b:5b:bb:84:39:2e:ef:8b:51:9a:89:bb:65:3c: - dc:15:d0:5a:88:c5:af:ce:93:f5:c1:74:98:15:59:a9:38:da: - 11:fd:46:d5:4f:23:7c:03:1f:ae:0c:70:93:94:a7:61:2f:4b: - 2f:5f:bb:cc:8a:d7:4a:24:66:73:85:b4:19:13:fc:6a:61:4a: - 28:1f:a2:38:f4:72:90:03:c4:3e:64:63:8b:fb:15:22:22:4e: - b9:43:d9:b4:3d:3a:60:c1:4d:3a:09:85:68:7a:bc:3b:f9:ef: - f3:f5:e9:c9:4f:80:8c:c6:e9:cb:ef:28:44:b0:5d:d4:9e:4f: - 0f:02:9a:65:aa:98:35:b4:6f:d2:80:e3:08:ef:12:d0:17:56: - a6:a1:42:1e:1d:ab:e5:33:c0:fd:88:0d:40:42:81:c8:27:30: - 17:07:57:3e:05:9d:aa:05:0e:5b:3a:79:b4:29:aa:7c:42:5a: - ad:43:59:fb:34:4d:dc:62:58:63:e4:fb:de:bb:fd:6c:4e:97: - 58:f4:b9:99:4a:71:fe:7f:16:50:55:25:46:39:96:9b:88:6c: - 75:19:33:9e:70:b3:04:82:fe:16:a8:8e:22:47:83:6d:16:77: - da:26:ad:31:d8:06:6d:c5:7e:46:4b:21:ab:ae:ec:2a:93:71: - da:7f:89:1d ------BEGIN CERTIFICATE----- -MIIDdTCCAl2gAwIBAgIJALYWFXFy+zF+MA0GCSqGSIb3DQEBCwUAMEwxJjAkBgNV -BAMMHUNlbnRPUyBTZWN1cmUgQm9vdCAoQ0Ega2V5IDEpMSIwIAYJKoZIhvcNAQkB -FhNzZWN1cml0eUBjZW50b3Mub3JnMB4XDTE4MDgwMTExNDczMFoXDTM3MTIzMTEx -NDczMFowSTEjMCEGA1UEAxMaQ2VudE9TIFNlY3VyZSBCb290IChrZXkgMSkxIjAg -BgkqhkiG9w0BCQEWE3NlY3VyaXR5QGNlbnRvcy5vcmcwggEiMA0GCSqGSIb3DQEB -AQUAA4IBDwAwggEKAoIBAQDBo2r0LXGDbCHKDLes+naAQwNAh13e6R7frecrUcv4 -MQ+a26sjJQQRBVd98kuNHrN1eB25V4sYC7t+4yQPakBfK08DpYWU0vkIoLzbpepP -f+h80an48JwlGAAUxMQ1fR1Mio2V+O1ll6Wk2n3L8DM7twOUaEcFV2yWkawU8uP2 -bUoYz2iKNW+OJpl/28mDVMLDv61FoKqghl8gsYYbrrcoFRH5ZVNdcDObo8e1yBH/ -VTvnRvFsa4y78p82I7EtIy+PT2yozK71Vp4ibA6aSrG9snYVXAWFuF7cjKXD4HVR -pJSbAy57+NO53X+Izi4vKEy0ki/m4GcK0P/F0nmm75QPAgMBAAGjXTBbMAwGA1Ud -EwEB/wQCMAAwCwYDVR0PBAQDAgeAMB0GA1UdDgQWBBTwN8bq7DbUBXpSbA7G1alb -Mk7hKTAfBgNVHSMEGDAWgBRU7IGFiT7pGtsI90SIVH6OP3Q68zANBgkqhkiG9w0B -AQsFAAOCAQEAl5e6pgtbu4Q5Lu+LUZqJu2U83BXQWojFr86T9cF0mBVZqTjaEf1G -1U8jfAMfrgxwk5SnYS9LL1+7zIrXSiRmc4W0GRP8amFKKB+iOPRykAPEPmRji/sV -IiJOuUPZtD06YMFNOgmFaHq8O/nv8/XpyU+AjMbpy+8oRLBd1J5PDwKaZaqYNbRv -0oDjCO8S0BdWpqFCHh2r5TPA/YgNQEKByCcwFwdXPgWdqgUOWzp5tCmqfEJarUNZ -+zRN3GJYY+T73rv9bE6XWPS5mUpx/n8WUFUlRjmWm4hsdRkznnCzBIL+FqiOIkeD -bRZ32iatMdgGbcV+Rkshq67sKpNx2n+JHQ== ------END CERTIFICATE----- diff --git a/SOURCES/centossecureboot202.crt b/SOURCES/centossecureboot202.crt deleted file mode 100644 index fba3730..0000000 --- a/SOURCES/centossecureboot202.crt +++ /dev/null @@ -1,84 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: - 93:c2:04:d8:bd:77:6b:12 - Signature Algorithm: sha256WithRSAEncryption - Issuer: CN=CentOS Secure Boot CA 2/emailAddress=security@centos.org - Validity - Not Before: Jun 9 10:37:54 2020 GMT - Not After : Jan 18 10:37:54 2038 GMT - Subject: CN=CentOS Secure Boot Signing 202/emailAddress=security@centos.org - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (2048 bit) - Modulus: - 00:d4:f0:32:4d:50:7a:c0:41:d6:61:68:59:5e:5b: - ce:65:e3:e9:7b:01:e4:53:94:c9:b7:c1:6b:b7:12: - 0b:bc:8f:d7:17:1b:c1:77:3a:08:17:ba:23:f1:bd: - 98:f0:7c:cb:96:70:2e:0e:2e:96:66:b7:9f:29:12: - 6f:ee:30:33:a1:a5:ee:f9:4b:a3:fb:52:45:d8:7e: - c2:e8:a9:20:a9:f2:2e:f4:44:b7:85:3f:34:7c:c0: - 73:1d:73:63:2f:11:a0:7d:df:e7:5a:20:b9:b9:ff: - 5d:0e:6d:90:86:1f:2e:fa:c7:b5:94:37:80:46:0d: - fb:5f:f8:26:f4:ce:2f:0d:5b:bf:e5:8d:a5:12:d7: - ba:cf:16:f2:5c:10:ae:a0:80:a8:dc:c4:6b:00:24: - f4:4b:f0:01:82:7e:4b:1c:b6:d6:ac:e1:72:32:07: - 5d:48:4a:cd:ba:5c:9c:09:72:89:b2:2e:60:f7:b7: - ed:ea:b6:0d:ae:63:f8:09:a1:8f:62:ee:09:d2:cb: - 0a:81:df:7c:72:4b:bf:bd:fb:59:24:84:1f:1d:ce: - 36:bc:4c:13:84:ca:c5:e0:81:bb:ec:61:8f:9f:78: - 88:43:8d:e0:16:b2:ab:90:14:23:29:ce:1d:e7:a1: - bb:4a:93:f9:f8:8d:b8:ff:2f:30:74:66:b2:31:89: - b1:7d - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: critical - CA:FALSE - X509v3 Key Usage: critical - Digital Signature - X509v3 Extended Key Usage: critical - Code Signing - X509v3 Subject Key Identifier: - 1E:55:FF:FF:01:71:5F:F1:28:7F:C8:A9:7C:AF:83:9F:ED:7A:33:0B - X509v3 Authority Key Identifier: - keyid:70:00:7F:99:20:9C:12:6B:E1:47:74:EA:EC:7B:6D:96:31:F3:4D:CA - - Signature Algorithm: sha256WithRSAEncryption - 6b:1b:fa:f3:a8:c0:1e:e7:55:49:f2:4e:16:1f:9a:1b:22:9c: - ff:c9:81:d0:5b:d6:28:3c:38:91:65:b5:ca:63:e6:9d:13:2d: - 5f:f5:cc:67:c2:82:55:73:8f:8b:0c:0c:a9:60:2a:a8:b2:19: - c1:a7:87:94:d8:69:5e:3c:88:e5:32:8a:4c:a6:6f:69:8b:c5: - f2:7e:8e:d2:af:37:2d:27:73:c7:ad:9d:bc:14:08:a8:aa:57: - 22:37:be:c6:d2:2d:a3:70:81:4a:88:8c:a3:44:89:6c:7d:9d: - 9f:db:ff:5c:c6:ec:6d:97:b0:08:8d:76:c6:14:d0:25:81:a3: - 09:b6:f2:89:32:12:b2:f2:71:71:b6:ac:c1:65:d1:9c:6b:e1: - a4:4e:74:d0:01:17:ad:38:0f:17:86:07:56:b3:a1:86:5d:99: - ef:d6:55:98:b9:ce:63:46:8b:37:c4:53:55:8b:7a:10:75:90: - fd:e6:62:f0:6c:af:89:91:17:34:f7:99:77:6d:29:fa:92:bb: - c3:45:77:fe:a3:15:da:54:7d:47:16:b6:6f:94:09:b8:5f:ca: - e9:34:a2:bf:18:cd:d3:f4:17:2c:98:e4:e4:ca:46:ad:4b:a4: - 34:77:47:ec:5d:21:a6:cf:5c:b9:5a:47:ca:04:a1:93:56:13: - 0a:cc:47:91 ------BEGIN CERTIFICATE----- -MIIDjjCCAnagAwIBAgIJAJPCBNi9d2sSMA0GCSqGSIb3DQEBCwUAMEYxIDAeBgNV -BAMMF0NlbnRPUyBTZWN1cmUgQm9vdCBDQSAyMSIwIAYJKoZIhvcNAQkBFhNzZWN1 -cml0eUBjZW50b3Mub3JnMB4XDTIwMDYwOTEwMzc1NFoXDTM4MDExODEwMzc1NFow -TTEnMCUGA1UEAwweQ2VudE9TIFNlY3VyZSBCb290IFNpZ25pbmcgMjAyMSIwIAYJ -KoZIhvcNAQkBFhNzZWN1cml0eUBjZW50b3Mub3JnMIIBIjANBgkqhkiG9w0BAQEF -AAOCAQ8AMIIBCgKCAQEA1PAyTVB6wEHWYWhZXlvOZePpewHkU5TJt8FrtxILvI/X -FxvBdzoIF7oj8b2Y8HzLlnAuDi6WZrefKRJv7jAzoaXu+Uuj+1JF2H7C6KkgqfIu -9ES3hT80fMBzHXNjLxGgfd/nWiC5uf9dDm2Qhh8u+se1lDeARg37X/gm9M4vDVu/ -5Y2lEte6zxbyXBCuoICo3MRrACT0S/ABgn5LHLbWrOFyMgddSErNulycCXKJsi5g -97ft6rYNrmP4CaGPYu4J0ssKgd98cku/vftZJIQfHc42vEwThMrF4IG77GGPn3iI -Q43gFrKrkBQjKc4d56G7SpP5+I24/y8wdGayMYmxfQIDAQABo3gwdjAMBgNVHRMB -Af8EAjAAMA4GA1UdDwEB/wQEAwIHgDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDAzAd -BgNVHQ4EFgQUHlX//wFxX/Eof8ipfK+Dn+16MwswHwYDVR0jBBgwFoAUcAB/mSCc -EmvhR3Tq7HttljHzTcowDQYJKoZIhvcNAQELBQADggEBAGsb+vOowB7nVUnyThYf -mhsinP/JgdBb1ig8OJFltcpj5p0TLV/1zGfCglVzj4sMDKlgKqiyGcGnh5TYaV48 -iOUyikymb2mLxfJ+jtKvNy0nc8etnbwUCKiqVyI3vsbSLaNwgUqIjKNEiWx9nZ/b -/1zG7G2XsAiNdsYU0CWBowm28okyErLycXG2rMFl0Zxr4aROdNABF604DxeGB1az -oYZdme/WVZi5zmNGizfEU1WLehB1kP3mYvBsr4mRFzT3mXdtKfqSu8NFd/6jFdpU -fUcWtm+UCbhfyuk0or8YzdP0FyyY5OTKRq1LpDR3R+xdIabPXLlaR8oEoZNWEwrM -R5E= ------END CERTIFICATE----- diff --git a/SOURCES/centossecurebootca2.der b/SOURCES/centossecurebootca2.der deleted file mode 100644 index 42bdfcf..0000000 Binary files a/SOURCES/centossecurebootca2.der and /dev/null differ diff --git a/SOURCES/grub.patches b/SOURCES/grub.patches index 681d33d..70e5e54 100644 --- a/SOURCES/grub.patches +++ b/SOURCES/grub.patches @@ -312,3 +312,6 @@ Patch0311: 0311-efilinux-Fix-integer-overflows-in-grub_cmd_initrd.patch Patch0312: 0312-linux-loader-avoid-overflow-on-initrd-size-calculati.patch Patch0313: 0313-linuxefi-fail-kernel-validation-without-shim-protoco.patch Patch0314: 0314-linux-Fix-integer-overflows-in-initrd-size-handling.patch +Patch0315: 0315-blscfg-Always-look-for-BLS-snippets-in-the-root-devi.patch +Patch0316: 0316-blscfg-Don-t-hardcode-an-env-var-as-fallback-for-the.patch +Patch0317: 0317-tftp-roll-over-block-counter-to-prevent-timeouts-wit.patch diff --git a/SPECS/grub2.spec b/SPECS/grub2.spec index d1234f5..52e8c9e 100644 --- a/SPECS/grub2.spec +++ b/SPECS/grub2.spec @@ -7,7 +7,7 @@ Name: grub2 Epoch: 1 Version: 2.02 -Release: 87%{?dist} +Release: 90%{?dist} Summary: Bootloader with support for Linux, Multiboot and more Group: System Environment/Base License: GPLv3+ @@ -24,10 +24,10 @@ Source6: gitignore Source8: strtoull_test.c Source9: 20-grub.install Source12: 99-grub-mkconfig.install -Source13: centos-ca-secureboot.der -Source14: centossecureboot001.crt -Source15: centossecurebootca2.der -Source16: centossecureboot202.crt +Source13: redhatsecurebootca3.cer +Source14: redhatsecureboot301.cer +Source15: redhatsecurebootca5.cer +Source16: redhatsecureboot502.cer %include %{SOURCE1} @@ -54,11 +54,7 @@ BuildRequires: pesign >= 0.99-8 BuildRequires: ccache %endif -%if 0%{?centos} -%global efidir centos -%endif - -ExcludeArch: s390 s390x +ExcludeArch: s390 s390x %{arm} Obsoletes: %{name} <= %{evr} %if 0%{with_legacy_arch} @@ -170,10 +166,10 @@ git commit -m "After making subdirs" %build %if 0%{with_efi_arch} -%{expand:%do_primary_efi_build %%{grubefiarch} %%{grubefiname} %%{grubeficdname} %%{_target_platform} %%{efi_target_cflags} %%{efi_host_cflags} %{SOURCE13} %{SOURCE14} centossecureboot001 %{SOURCE15} %{SOURCE16} centossecureboot202} +%{expand:%do_primary_efi_build %%{grubefiarch} %%{grubefiname} %%{grubeficdname} %%{_target_platform} %%{efi_target_cflags} %%{efi_host_cflags} %{SOURCE13} %{SOURCE14} redhatsecureboot301 %{SOURCE15} %{SOURCE16} redhatsecureboot502} %endif %if 0%{with_alt_efi_arch} -%{expand:%do_alt_efi_build %%{grubaltefiarch} %%{grubaltefiname} %%{grubalteficdname} %%{_alt_target_platform} %%{alt_efi_target_cflags} %%{alt_efi_host_cflags} %{SOURCE13} %{SOURCE14} centossecureboot001 %{SOURCE15} %{SOURCE16} centossecureboot202} +%{expand:%do_alt_efi_build %%{grubaltefiarch} %%{grubaltefiname} %%{grubalteficdname} %%{_alt_target_platform} %%{alt_efi_target_cflags} %%{alt_efi_host_cflags} %{SOURCE13} %{SOURCE14} redhatsecureboot301 %{SOURCE15} %{SOURCE16} redhatsecureboot502} %endif %if 0%{with_legacy_arch} %{expand:%do_legacy_build %%{grublegacyarch}} @@ -504,7 +500,31 @@ fi %endif %changelog -* Tue Jul 28 2020 Peter Jones - 2.02-87 +* Mon Aug 31 2020 Javier Martinez Canillas - 2.02-90 +- Roll over TFTP block counter to prevent timeouts with data packets + Resolves: rhbz#1871034 + +* Fri Aug 21 2020 Javier Martinez Canillas - 2.02-89 +- Fix TFTP timeouts when trying to fetch files larger than 65535 KiB + Resolves: rhbz#1871034 + +* Tue Aug 11 2020 Javier Martinez Canillas - 2.02-88 +- Fix a legacy BIOS boot issue when a using config file shared with EFI + Resolves: rhbz#1850193 + +* Mon Jul 27 2020 Peter Jones - 2.02-87 +- Couple more late fixes. + Resolves: CVE-2020-15705 + +* Sun Jul 26 2020 Peter Jones - 2.02-86 +- Couple more late fixes. + Resolves: CVE-2020-10713 + Resolves: CVE-2020-14308 + Resolves: CVE-2020-14309 + Resolves: CVE-2020-14310 + Resolves: CVE-2020-14311 + +* Mon Jul 20 2020 Peter Jones - 2.02-85 - Fix several CVEs Resolves: CVE-2020-10713 Resolves: CVE-2020-14308 @@ -512,9 +532,26 @@ fi Resolves: CVE-2020-14310 Resolves: CVE-2020-14311 -* Mon May 18 2020 Javier Martinez Canillas - 2.02-82.el8_2.1 +* Tue May 19 2020 Javier Martinez Canillas - 2.02-84 +- Add fixes for greenboot support + Resolves: rhbz#1832336 + +* Mon May 18 2020 Javier Martinez Canillas - 2.02-83 - Fix a segfault in grub2-editenv when attempting to shrink a variable - Resolves: rhbz#1836196 + Resolves: rhbz#1761496 + +* Mon Apr 27 2020 Javier Martinez Canillas - 2.02-82 +- Drop "Disable multiboot, multiboot2, and linux16 modules on EFI builds" + Resolves: rhbz#1779480 +- efi/http: Export {fw,http}_path variables to make them global + Resolves: rhbz#1811561 +- efi/http: Enclose literal IPv6 addresses in square brackets +- efi/net: Allow to specify a port number in addresses +- efi/ip4_config: Improve check to detect literal IPv6 addresses +- efi/net: Print a debug message if parsing the address fails + Resolves: rhbz#1811560 +- Set image base address before jumping to the PE/COFF entry point + Resolves: rhbz#1819624 * Thu Dec 05 2019 Javier Martinez Canillas - 2.02-81 - Another fix for blscfg variable expansion support