From c87ad59c7061fcc8e6c66ef97152de8d52671d1e Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Sep 04 2020 18:28:50 +0000
Subject: import grub2-2.02-90.el8


---

diff --git a/SOURCES/0317-tftp-roll-over-block-counter-to-prevent-timeouts-wit.patch b/SOURCES/0317-tftp-roll-over-block-counter-to-prevent-timeouts-wit.patch
new file mode 100644
index 0000000..60e58b0
--- /dev/null
+++ b/SOURCES/0317-tftp-roll-over-block-counter-to-prevent-timeouts-wit.patch
@@ -0,0 +1,51 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Mon, 24 Aug 2020 14:46:27 +0200
+Subject: [PATCH] tftp: roll over block counter to prevent timeouts with data
+ packets
+
+The block number is a 16-bit counter which only allows to fetch
+files no bigger than 65535 * blksize. To avoid this limit, the
+counter is rolled over. This behavior isn't defined in RFC 1350
+but is handled by many TFTP servers and it's what GRUB was doing
+before implicitly due an overflow.
+
+Fixing that bug led to TFTP timeouts, since GRUB wasn't acking
+data packets anymore for files with size bigger than the maximum
+mentioned above. Restore the old behavior to prevent this issue.
+
+Resolves: rhbz#1871034
+
+Suggested-by: Peter Jones <pjones@redhat.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+---
+ grub-core/net/tftp.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/net/tftp.c b/grub-core/net/tftp.c
+index 2c52f692b25..4f38d7ef1f7 100644
+--- a/grub-core/net/tftp.c
++++ b/grub-core/net/tftp.c
+@@ -183,8 +183,20 @@ tftp_receive (grub_net_udp_socket_t sock __attribute__ ((unused)),
+ 	  return GRUB_ERR_NONE;
+ 	}
+ 
+-      /* Ack old/retransmitted block. */
+-      if (grub_be_to_cpu16 (tftph->u.data.block) < data->block + 1)
++      /*
++       * Ack old/retransmitted block.
++       *
++       * The block number is a 16-bit counter which only allows to fetch
++       * files no bigger than 65535 * blksize. To avoid this limit, the
++       * counter is rolled over. This behavior isn't defined in RFC 1350
++       * but is handled by many TFTP servers and it's what GRUB was doing
++       * before implicitly due an overflow.
++       *
++       * Fixing that bug led to TFTP timeouts, since GRUB wasn't acking
++       * data packets anymore for files with size bigger than the maximum
++       * mentioned above. Restore the old behavior to prevent this issue.
++       */
++      if (grub_be_to_cpu16 (tftph->u.data.block) < ((data->block + 1) & 0xffffu))
+ 	ack (data, grub_be_to_cpu16 (tftph->u.data.block));
+       /* Ignore unexpected block. */
+       else if (grub_be_to_cpu16 (tftph->u.data.block) > data->block + 1)
diff --git a/SOURCES/centos-ca-secureboot.der b/SOURCES/centos-ca-secureboot.der
deleted file mode 100644
index 44a2563..0000000
Binary files a/SOURCES/centos-ca-secureboot.der and /dev/null differ
diff --git a/SOURCES/centossecureboot001.der b/SOURCES/centossecureboot001.der
deleted file mode 100644
index e8216b1..0000000
Binary files a/SOURCES/centossecureboot001.der and /dev/null differ
diff --git a/SOURCES/centossecureboot202.der b/SOURCES/centossecureboot202.der
deleted file mode 100644
index ab8213c..0000000
Binary files a/SOURCES/centossecureboot202.der and /dev/null differ
diff --git a/SOURCES/centossecurebootca2.der b/SOURCES/centossecurebootca2.der
deleted file mode 100644
index 42bdfcf..0000000
Binary files a/SOURCES/centossecurebootca2.der and /dev/null differ
diff --git a/SOURCES/grub.patches b/SOURCES/grub.patches
index bc1c8c7..70e5e54 100644
--- a/SOURCES/grub.patches
+++ b/SOURCES/grub.patches
@@ -314,3 +314,4 @@ Patch0313: 0313-linuxefi-fail-kernel-validation-without-shim-protoco.patch
 Patch0314: 0314-linux-Fix-integer-overflows-in-initrd-size-handling.patch
 Patch0315: 0315-blscfg-Always-look-for-BLS-snippets-in-the-root-devi.patch
 Patch0316: 0316-blscfg-Don-t-hardcode-an-env-var-as-fallback-for-the.patch
+Patch0317: 0317-tftp-roll-over-block-counter-to-prevent-timeouts-wit.patch
diff --git a/SPECS/grub2.spec b/SPECS/grub2.spec
index 6066f51..52e8c9e 100644
--- a/SPECS/grub2.spec
+++ b/SPECS/grub2.spec
@@ -7,7 +7,7 @@
 Name:		grub2
 Epoch:		1
 Version:	2.02
-Release:	88%{?dist}
+Release:	90%{?dist}
 Summary:	Bootloader with support for Linux, Multiboot and more
 Group:		System Environment/Base
 License:	GPLv3+
@@ -24,10 +24,10 @@ Source6:	gitignore
 Source8:	strtoull_test.c
 Source9:	20-grub.install
 Source12:	99-grub-mkconfig.install
-Source13:	centos-ca-secureboot.der
-Source14:	centossecureboot001.der
-Source15:	centossecurebootca2.der
-Source16:	centossecureboot202.der
+Source13:	redhatsecurebootca3.cer
+Source14:	redhatsecureboot301.cer
+Source15:	redhatsecurebootca5.cer
+Source16:	redhatsecureboot502.cer
 
 %include %{SOURCE1}
 
@@ -54,11 +54,7 @@ BuildRequires:	pesign >= 0.99-8
 BuildRequires:	ccache
 %endif
 
-%if 0%{?centos}
-%global efidir centos
-%endif
-
-ExcludeArch:	s390 s390x
+ExcludeArch:	s390 s390x %{arm}
 Obsoletes:	%{name} <= %{evr}
 
 %if 0%{with_legacy_arch}
@@ -170,10 +166,10 @@ git commit -m "After making subdirs"
 
 %build
 %if 0%{with_efi_arch}
-%{expand:%do_primary_efi_build %%{grubefiarch} %%{grubefiname} %%{grubeficdname} %%{_target_platform} %%{efi_target_cflags} %%{efi_host_cflags} %{SOURCE13} %{SOURCE14} centossecureboot001 %{SOURCE15} %{SOURCE16} centossecureboot202}
+%{expand:%do_primary_efi_build %%{grubefiarch} %%{grubefiname} %%{grubeficdname} %%{_target_platform} %%{efi_target_cflags} %%{efi_host_cflags} %{SOURCE13} %{SOURCE14} redhatsecureboot301 %{SOURCE15} %{SOURCE16} redhatsecureboot502}
 %endif
 %if 0%{with_alt_efi_arch}
-%{expand:%do_alt_efi_build %%{grubaltefiarch} %%{grubaltefiname} %%{grubalteficdname} %%{_alt_target_platform} %%{alt_efi_target_cflags} %%{alt_efi_host_cflags} %{SOURCE13} %{SOURCE14} centossecureboot001 %{SOURCE15} %{SOURCE16} centossecureboot202}
+%{expand:%do_alt_efi_build %%{grubaltefiarch} %%{grubaltefiname} %%{grubalteficdname} %%{_alt_target_platform} %%{alt_efi_target_cflags} %%{alt_efi_host_cflags} %{SOURCE13} %{SOURCE14} redhatsecureboot301 %{SOURCE15} %{SOURCE16} redhatsecureboot502}
 %endif
 %if 0%{with_legacy_arch}
 %{expand:%do_legacy_build %%{grublegacyarch}}
@@ -504,6 +500,14 @@ fi
 %endif
 
 %changelog
+* Mon Aug 31 2020 Javier Martinez Canillas <javierm@redhat.com> - 2.02-90
+- Roll over TFTP block counter to prevent timeouts with data packets
+  Resolves: rhbz#1871034
+
+* Fri Aug 21 2020 Javier Martinez Canillas <javierm@redhat.com> - 2.02-89
+- Fix TFTP timeouts when trying to fetch files larger than 65535 KiB
+  Resolves: rhbz#1871034
+
 * Tue Aug 11 2020 Javier Martinez Canillas <javierm@redhat.com> - 2.02-88
 - Fix a legacy BIOS boot issue when a using config file shared with EFI
   Resolves: rhbz#1850193