diff --git a/SOURCES/0266-grub-set-bootflag-Update-comment-about-running-as-ro.patch b/SOURCES/0266-grub-set-bootflag-Update-comment-about-running-as-ro.patch
new file mode 100644
index 0000000..e1fb2b5
--- /dev/null
+++ b/SOURCES/0266-grub-set-bootflag-Update-comment-about-running-as-ro.patch
@@ -0,0 +1,27 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Wed, 13 Nov 2019 12:15:43 +0100
+Subject: [PATCH] grub-set-bootflag: Update comment about running as root
+ through pkexec
+
+We have stopped using pkexec for grub-set-bootflag, instead it is now
+installed suid root, update the comment accordingly.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+---
+ util/grub-set-bootflag.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/util/grub-set-bootflag.c b/util/grub-set-bootflag.c
+index f8dc310909a..32f1c104a2b 100644
+--- a/util/grub-set-bootflag.c
++++ b/util/grub-set-bootflag.c
+@@ -18,7 +18,7 @@
+ */
+
+ /*
+- * NOTE this gets run by users as root (through pkexec), so this does not
++ * NOTE this gets run by users as root (its suid root), so this does not
+ * use any grub library / util functions to allow for easy auditing.
+ * The grub headers are only included to get certain defines.
+ */
diff --git a/SOURCES/0266-unix-platform-Initialize-variable-to-fix-grub-instal.patch b/SOURCES/0266-unix-platform-Initialize-variable-to-fix-grub-instal.patch
deleted file mode 100644
index 8044070..0000000
--- a/SOURCES/0266-unix-platform-Initialize-variable-to-fix-grub-instal.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Paul Menzel <pmenzel@molgen.mpg.de>
-Date: Tue, 23 Oct 2018 15:00:13 +0200
-Subject: [PATCH] unix/platform: Initialize variable to fix grub-install on
- UEFI system
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-On a UEFI system, were no boot entry *grub* is present, currently,
-`grub-install` fails with an error.
-
- $ efibootmgr
- BootCurrent: 0000
- Timeout: 0 seconds
- BootOrder: 0001,0006,0003,0004,0005
- Boot0001 Diskette Drive
- Boot0003* USB Storage Device
- Boot0004* CD/DVD/CD-RW Drive
- Boot0005 Onboard NIC
- Boot0006* WDC WD2500AAKX-75U6AA0
- $ sudo grub-install /dev/sda
- Installing for x86_64-efi platform.
- grub-install: error: efibootmgr failed to register the boot entry: Unknown error 22020.
-
-The error code is always different, and the error message (incorrectly)
-points to efibootmgr.
-
-But, the error is in GRUB’s function
-`grub_install_remove_efi_entries_by_distributor()`, where the variable
-`rc` for the return value, is uninitialized and never set, when no boot
-entry for the distributor is found.
-
-The content of that uninitialized variable is then returned as the error
-code of efibootmgr.
-
-Set the variable to 0, so that success is returned, when no entry needs
-to be deleted.
-
-Tested on Dell OptiPlex 7010 with firmware A28.
-
- $ sudo ./grub-install /dev/sda
- Installing for x86_64-efi platform.
- Installation finished. No error reported.
-
-[1]: https://github.com/rhboot/efibootmgr/issues/100
-
-Signed-off-by: Paul Menzel <pmenzel@molgen.mpg.de>
-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
----
- grub-core/osdep/unix/platform.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/grub-core/osdep/unix/platform.c b/grub-core/osdep/unix/platform.c
-index ca448bc11a0..55b8f401624 100644
---- a/grub-core/osdep/unix/platform.c
-+++ b/grub-core/osdep/unix/platform.c
-@@ -85,7 +85,7 @@ grub_install_remove_efi_entries_by_distributor (const char *efi_distributor)
- pid_t pid = grub_util_exec_pipe ((const char * []){ "efibootmgr", NULL }, &fd);
- char *line = NULL;
- size_t len = 0;
-- int rc;
-+ int rc = 0;
-
- if (!pid)
- {
diff --git a/SOURCES/0267-grub-set-bootflag-Update-comment-about-running-as-ro.patch b/SOURCES/0267-grub-set-bootflag-Update-comment-about-running-as-ro.patch
deleted file mode 100644
index e1fb2b5..0000000
--- a/SOURCES/0267-grub-set-bootflag-Update-comment-about-running-as-ro.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Hans de Goede <hdegoede@redhat.com>
-Date: Wed, 13 Nov 2019 12:15:43 +0100
-Subject: [PATCH] grub-set-bootflag: Update comment about running as root
- through pkexec
-
-We have stopped using pkexec for grub-set-bootflag, instead it is now
-installed suid root, update the comment accordingly.
-
-Signed-off-by: Hans de Goede <hdegoede@redhat.com>
----
- util/grub-set-bootflag.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/util/grub-set-bootflag.c b/util/grub-set-bootflag.c
-index f8dc310909a..32f1c104a2b 100644
---- a/util/grub-set-bootflag.c
-+++ b/util/grub-set-bootflag.c
-@@ -18,7 +18,7 @@
- */
-
- /*
-- * NOTE this gets run by users as root (through pkexec), so this does not
-+ * NOTE this gets run by users as root (its suid root), so this does not
- * use any grub library / util functions to allow for easy auditing.
- * The grub headers are only included to get certain defines.
- */
diff --git a/SOURCES/0267-grub-set-bootflag-Write-new-env-to-tmpfile-and-then-.patch b/SOURCES/0267-grub-set-bootflag-Write-new-env-to-tmpfile-and-then-.patch
new file mode 100644
index 0000000..32e07d5
--- /dev/null
+++ b/SOURCES/0267-grub-set-bootflag-Write-new-env-to-tmpfile-and-then-.patch
@@ -0,0 +1,152 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Fri, 22 Nov 2019 11:54:27 +0100
+Subject: [PATCH] grub-set-bootflag: Write new env to tmpfile and then rename
+
+Make the grubenv writing code in grub-set-bootflag more robust by
+writing the modified grubenv to a tmpfile first and then renaming the
+tmpfile over the old grubenv (following symlinks).
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+---
+ util/grub-set-bootflag.c | 87 +++++++++++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 78 insertions(+), 9 deletions(-)
+
+diff --git a/util/grub-set-bootflag.c b/util/grub-set-bootflag.c
+index 32f1c104a2b..d3b80a0d204 100644
+--- a/util/grub-set-bootflag.c
++++ b/util/grub-set-bootflag.c
+@@ -26,7 +26,9 @@
+ #include <config-util.h> /* For *_DIR_NAME defines */
+ #include <grub/types.h>
+ #include <grub/lib/envblk.h> /* For GRUB_ENVBLK_DEFCFG define */
++#include <limits.h>
+ #include <stdio.h>
++#include <stdlib.h>
+ #include <string.h>
+ #include <unistd.h>
+
+@@ -52,8 +54,10 @@ int main(int argc, char *argv[])
+ {
+ /* NOTE buf must be at least the longest bootflag length + 4 bytes */
+ char env[GRUBENV_SIZE + 1], buf[64], *s;
++ /* +1 for 0 termination, +6 for "XXXXXX" in tmp filename */
++ char env_filename[PATH_MAX + 1], tmp_filename[PATH_MAX + 6 + 1];
+ const char *bootflag;
+- int i, len, ret;
++ int i, fd, len, ret;
+ FILE *f;
+
+ if (argc != 2)
+@@ -75,7 +79,32 @@ int main(int argc, char *argv[])
+ bootflag = bootflags[i];
+ len = strlen (bootflag);
+
+- f = fopen (GRUBENV, "r");
++ /*
++ * Really become root. setuid avoids an user killing us, possibly leaking
++ * the tmpfile. setgid avoids the new grubenv's gid being that of the user.
++ */
++ ret = setuid(0);
++ if (ret)
++ {
++ perror ("Error setuid(0) failed");
++ return 1;
++ }
++
++ ret = setgid(0);
++ if (ret)
++ {
++ perror ("Error setgid(0) failed");
++ return 1;
++ }
++
++ /* Canonicalize GRUBENV filename, resolving symlinks, etc. */
++ if (!realpath(GRUBENV, env_filename))
++ {
++ perror ("Error canonicalizing " GRUBENV " filename");
++ return 1;
++ }
++
++ f = fopen (env_filename, "r");
+ if (!f)
+ {
+ perror ("Error opening " GRUBENV " for reading");
+@@ -129,30 +158,70 @@ int main(int argc, char *argv[])
+ snprintf(buf, sizeof(buf), "%s=1\n", bootflag);
+ memcpy(s, buf, len + 3);
+
+- /* "r+", don't truncate so that the diskspace stays reserved */
+- f = fopen (GRUBENV, "r+");
++
++ /*
++ * Create a tempfile for writing the new env. Use the canonicalized filename
++ * for the template so that the tmpfile is in the same dir / on same fs.
++ */
++ snprintf(tmp_filename, sizeof(tmp_filename), "%sXXXXXX", env_filename);
++ fd = mkstemp(tmp_filename);
++ if (fd == -1)
++ {
++ perror ("Creating tmpfile failed");
++ return 1;
++ }
++
++ f = fdopen (fd, "w");
+ if (!f)
+ {
+- perror ("Error opening " GRUBENV " for writing");
++ perror ("Error fdopen of tmpfile failed");
++ unlink(tmp_filename);
+ return 1;
+ }
+
+ ret = fwrite (env, 1, GRUBENV_SIZE, f);
+ if (ret != GRUBENV_SIZE)
+ {
+- perror ("Error writing to " GRUBENV);
++ perror ("Error writing tmpfile");
++ unlink(tmp_filename);
+ return 1;
+ }
+
+ ret = fflush (f);
+ if (ret)
+ {
+- perror ("Error flushing " GRUBENV);
++ perror ("Error flushing tmpfile");
++ unlink(tmp_filename);
+ return 1;
+ }
+
+- fsync (fileno (f));
+- fclose (f);
++ ret = fsync (fileno (f));
++ if (ret)
++ {
++ perror ("Error syncing tmpfile");
++ unlink(tmp_filename);
++ return 1;
++ }
++
++ ret = fclose (f);
++ if (ret)
++ {
++ perror ("Error closing tmpfile");
++ unlink(tmp_filename);
++ return 1;
++ }
++
++ /*
++ * And finally rename the tmpfile with the new env over the old env, the
++ * linux kernel guarantees that this is atomic (from a syscall pov).
++ */
++ ret = rename(tmp_filename, env_filename);
++ if (ret)
++ {
++ perror ("Error renaming tmpfile to " GRUBENV " failed");
++ unlink(tmp_filename);
++ return 1;
++ }
+
+ return 0;
+ }
diff --git a/SOURCES/0268-Fix-PRIxGRUB_EFI_STATUS-definition.patch b/SOURCES/0268-Fix-PRIxGRUB_EFI_STATUS-definition.patch
new file mode 100644
index 0000000..fd71d99
--- /dev/null
+++ b/SOURCES/0268-Fix-PRIxGRUB_EFI_STATUS-definition.patch
@@ -0,0 +1,48 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Thu, 28 Nov 2019 13:23:59 +0100
+Subject: [PATCH] Fix PRIxGRUB_EFI_STATUS definition
+
+The type specifiers were wrongly defined when GRUB_CPU_SIZEOF_VOID_P != 8
+since in that case the grub_efi_status_t is a grub_int32_t typedef. This
+leads to the following covscan warnings:
+
+grub-2.02/include/grub/dl.h:29: included_from: Included from here.
+grub-2.02/include/grub/efi/efi.h:24: included_from: Included from here.
+grub-2.02/grub-core/kern/efi/tpm.c:4: included_from: Included from here.
+grub-2.02/grub-core/kern/efi/tpm.c: scope_hint: In function 'grub_tpm_dprintf'
+grub-2.02/grub-core/kern/efi/tpm.c:170:26: warning: format '%llx' expects argument of type 'long long unsigned int', but argument 5 has type 'grub_efi_status_t' {aka 'int'} [-Wformat=]
+grub-2.02/include/grub/misc.h:38:88: note: in definition of macro 'grub_dprintf'
+
+Related: rhbz#1761811
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+---
+ include/grub/efi/api.h | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/include/grub/efi/api.h b/include/grub/efi/api.h
+index b337e1a193d..6c440c61316 100644
+--- a/include/grub/efi/api.h
++++ b/include/grub/efi/api.h
+@@ -539,11 +539,16 @@ typedef grub_uint16_t grub_efi_char16_t;
+ typedef grub_efi_intn_t grub_efi_status_t;
+ /* Make grub_efi_status_t reasonably printable. */
+ #if GRUB_CPU_SIZEOF_VOID_P == 8
+-#define PRIxGRUB_EFI_STATUS "lx"
+-#define PRIdGRUB_EFI_STATUS "ld"
++# if GRUB_CPU_SIZEOF_LONG == 8
++# define PRIxGRUB_EFI_STATUS "lx"
++# define PRIdGRUB_EFI_STATUS "ld"
++# else
++# define PRIxGRUB_EFI_STATUS "llx"
++# define PRIdGRUB_EFI_STATUS "lld"
++# endif
+ #else
+-#define PRIxGRUB_EFI_STATUS "llx"
+-#define PRIdGRUB_EFI_STATUS "lld"
++# define PRIxGRUB_EFI_STATUS "x"
++# define PRIdGRUB_EFI_STATUS "d"
+ #endif
+
+ #define GRUB_EFI_ERROR_CODE(value) \
diff --git a/SOURCES/0268-grub-set-bootflag-Write-new-env-to-tmpfile-and-then-.patch b/SOURCES/0268-grub-set-bootflag-Write-new-env-to-tmpfile-and-then-.patch
deleted file mode 100644
index 32e07d5..0000000
--- a/SOURCES/0268-grub-set-bootflag-Write-new-env-to-tmpfile-and-then-.patch
+++ /dev/null
@@ -1,152 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Hans de Goede <hdegoede@redhat.com>
-Date: Fri, 22 Nov 2019 11:54:27 +0100
-Subject: [PATCH] grub-set-bootflag: Write new env to tmpfile and then rename
-
-Make the grubenv writing code in grub-set-bootflag more robust by
-writing the modified grubenv to a tmpfile first and then renaming the
-tmpfile over the old grubenv (following symlinks).
-
-Signed-off-by: Hans de Goede <hdegoede@redhat.com>
----
- util/grub-set-bootflag.c | 87 +++++++++++++++++++++++++++++++++++++++++++-----
- 1 file changed, 78 insertions(+), 9 deletions(-)
-
-diff --git a/util/grub-set-bootflag.c b/util/grub-set-bootflag.c
-index 32f1c104a2b..d3b80a0d204 100644
---- a/util/grub-set-bootflag.c
-+++ b/util/grub-set-bootflag.c
-@@ -26,7 +26,9 @@
- #include <config-util.h> /* For *_DIR_NAME defines */
- #include <grub/types.h>
- #include <grub/lib/envblk.h> /* For GRUB_ENVBLK_DEFCFG define */
-+#include <limits.h>
- #include <stdio.h>
-+#include <stdlib.h>
- #include <string.h>
- #include <unistd.h>
-
-@@ -52,8 +54,10 @@ int main(int argc, char *argv[])
- {
- /* NOTE buf must be at least the longest bootflag length + 4 bytes */
- char env[GRUBENV_SIZE + 1], buf[64], *s;
-+ /* +1 for 0 termination, +6 for "XXXXXX" in tmp filename */
-+ char env_filename[PATH_MAX + 1], tmp_filename[PATH_MAX + 6 + 1];
- const char *bootflag;
-- int i, len, ret;
-+ int i, fd, len, ret;
- FILE *f;
-
- if (argc != 2)
-@@ -75,7 +79,32 @@ int main(int argc, char *argv[])
- bootflag = bootflags[i];
- len = strlen (bootflag);
-
-- f = fopen (GRUBENV, "r");
-+ /*
-+ * Really become root. setuid avoids an user killing us, possibly leaking
-+ * the tmpfile. setgid avoids the new grubenv's gid being that of the user.
-+ */
-+ ret = setuid(0);
-+ if (ret)
-+ {
-+ perror ("Error setuid(0) failed");
-+ return 1;
-+ }
-+
-+ ret = setgid(0);
-+ if (ret)
-+ {
-+ perror ("Error setgid(0) failed");
-+ return 1;
-+ }
-+
-+ /* Canonicalize GRUBENV filename, resolving symlinks, etc. */
-+ if (!realpath(GRUBENV, env_filename))
-+ {
-+ perror ("Error canonicalizing " GRUBENV " filename");
-+ return 1;
-+ }
-+
-+ f = fopen (env_filename, "r");
- if (!f)
- {
- perror ("Error opening " GRUBENV " for reading");
-@@ -129,30 +158,70 @@ int main(int argc, char *argv[])
- snprintf(buf, sizeof(buf), "%s=1\n", bootflag);
- memcpy(s, buf, len + 3);
-
-- /* "r+", don't truncate so that the diskspace stays reserved */
-- f = fopen (GRUBENV, "r+");
-+
-+ /*
-+ * Create a tempfile for writing the new env. Use the canonicalized filename
-+ * for the template so that the tmpfile is in the same dir / on same fs.
-+ */
-+ snprintf(tmp_filename, sizeof(tmp_filename), "%sXXXXXX", env_filename);
-+ fd = mkstemp(tmp_filename);
-+ if (fd == -1)
-+ {
-+ perror ("Creating tmpfile failed");
-+ return 1;
-+ }
-+
-+ f = fdopen (fd, "w");
- if (!f)
- {
-- perror ("Error opening " GRUBENV " for writing");
-+ perror ("Error fdopen of tmpfile failed");
-+ unlink(tmp_filename);
- return 1;
- }
-
- ret = fwrite (env, 1, GRUBENV_SIZE, f);
- if (ret != GRUBENV_SIZE)
- {
-- perror ("Error writing to " GRUBENV);
-+ perror ("Error writing tmpfile");
-+ unlink(tmp_filename);
- return 1;
- }
-
- ret = fflush (f);
- if (ret)
- {
-- perror ("Error flushing " GRUBENV);
-+ perror ("Error flushing tmpfile");
-+ unlink(tmp_filename);
- return 1;
- }
-
-- fsync (fileno (f));
-- fclose (f);
-+ ret = fsync (fileno (f));
-+ if (ret)
-+ {
-+ perror ("Error syncing tmpfile");
-+ unlink(tmp_filename);
-+ return 1;
-+ }
-+
-+ ret = fclose (f);
-+ if (ret)
-+ {
-+ perror ("Error closing tmpfile");
-+ unlink(tmp_filename);
-+ return 1;
-+ }
-+
-+ /*
-+ * And finally rename the tmpfile with the new env over the old env, the
-+ * linux kernel guarantees that this is atomic (from a syscall pov).
-+ */
-+ ret = rename(tmp_filename, env_filename);
-+ if (ret)
-+ {
-+ perror ("Error renaming tmpfile to " GRUBENV " failed");
-+ unlink(tmp_filename);
-+ return 1;
-+ }
-
- return 0;
- }
diff --git a/SOURCES/0269-TPM-Print-messages-if-measuraments-fail-as-debug-ins.patch b/SOURCES/0269-TPM-Print-messages-if-measuraments-fail-as-debug-ins.patch
new file mode 100644
index 0000000..45dd94b
--- /dev/null
+++ b/SOURCES/0269-TPM-Print-messages-if-measuraments-fail-as-debug-ins.patch
@@ -0,0 +1,100 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Wed, 16 Oct 2019 15:32:04 +0200
+Subject: [PATCH] TPM: Print messages if measuraments fail as debug instead of
+ error
+
+If the calls to EFI services to do TPM measuraments fail, currently error
+messages are printed. But this is not a fatal error and just pollutes the
+output, so instead just print them as debug messages.
+
+Resolves: rhbz#1761811
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+---
+ grub-core/kern/efi/tpm.c | 58 +++++++++++++++++++++++++-----------------------
+ 1 file changed, 30 insertions(+), 28 deletions(-)
+
+diff --git a/grub-core/kern/efi/tpm.c b/grub-core/kern/efi/tpm.c
+index 0d3ebe22e57..5dc90865242 100644
+--- a/grub-core/kern/efi/tpm.c
++++ b/grub-core/kern/efi/tpm.c
+@@ -161,6 +161,34 @@ grub_tpm_execute(PassThroughToTPM_InputParamBlock *inbuf,
+ }
+ }
+
++static inline grub_err_t grub_tpm_dprintf(grub_efi_status_t status)
++{
++ switch (status) {
++ case GRUB_EFI_SUCCESS:
++ return 0;
++ case GRUB_EFI_DEVICE_ERROR:
++ grub_dprintf ("tpm", "Command failed: 0x%"PRIxGRUB_EFI_STATUS"\n",
++ status);
++ return GRUB_ERR_IO;
++ case GRUB_EFI_INVALID_PARAMETER:
++ grub_dprintf ("tpm", "Invalid parameter: 0x%"PRIxGRUB_EFI_STATUS"\n",
++ status);
++ return GRUB_ERR_BAD_ARGUMENT;
++ case GRUB_EFI_BUFFER_TOO_SMALL:
++ grub_dprintf ("tpm", "Output buffer too small: 0x%"PRIxGRUB_EFI_STATUS"\n",
++ status);
++ return GRUB_ERR_BAD_ARGUMENT;
++ case GRUB_EFI_NOT_FOUND:
++ grub_dprintf ("tpm", "TPM unavailable: 0x%"PRIxGRUB_EFI_STATUS"\n",
++ status);
++ return GRUB_ERR_UNKNOWN_DEVICE;
++ default:
++ grub_dprintf ("tpm", "Unknown TPM error: 0x%"PRIxGRUB_EFI_STATUS"\n",
++ status);
++ return GRUB_ERR_UNKNOWN_DEVICE;
++ }
++}
++
+ static grub_err_t
+ grub_tpm1_log_event(grub_efi_handle_t tpm_handle, unsigned char *buf,
+ grub_size_t size, grub_uint8_t pcr,
+@@ -194,20 +222,7 @@ grub_tpm1_log_event(grub_efi_handle_t tpm_handle, unsigned char *buf,
+ (unsigned long) buf, (grub_uint64_t) size,
+ algorithm, event, &eventnum, &lastevent);
+
+- switch (status) {
+- case GRUB_EFI_SUCCESS:
+- return 0;
+- case GRUB_EFI_DEVICE_ERROR:
+- return grub_error (GRUB_ERR_IO, N_("Command failed"));
+- case GRUB_EFI_INVALID_PARAMETER:
+- return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("Invalid parameter"));
+- case GRUB_EFI_BUFFER_TOO_SMALL:
+- return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("Output buffer too small"));
+- case GRUB_EFI_NOT_FOUND:
+- return grub_error (GRUB_ERR_UNKNOWN_DEVICE, N_("TPM unavailable"));
+- default:
+- return grub_error (GRUB_ERR_UNKNOWN_DEVICE, N_("Unknown TPM error"));
+- }
++ return grub_tpm_dprintf(status);
+ }
+
+ static grub_err_t
+@@ -240,20 +255,7 @@ grub_tpm2_log_event(grub_efi_handle_t tpm_handle, unsigned char *buf,
+ status = efi_call_5 (tpm->hash_log_extend_event, tpm, 0, (unsigned long) buf,
+ (grub_uint64_t) size, event);
+
+- switch (status) {
+- case GRUB_EFI_SUCCESS:
+- return 0;
+- case GRUB_EFI_DEVICE_ERROR:
+- return grub_error (GRUB_ERR_IO, N_("Command failed"));
+- case GRUB_EFI_INVALID_PARAMETER:
+- return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("Invalid parameter"));
+- case GRUB_EFI_BUFFER_TOO_SMALL:
+- return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("Output buffer too small"));
+- case GRUB_EFI_NOT_FOUND:
+- return grub_error (GRUB_ERR_UNKNOWN_DEVICE, N_("TPM unavailable"));
+- default:
+- return grub_error (GRUB_ERR_UNKNOWN_DEVICE, N_("Unknown TPM error"));
+- }
++ return grub_tpm_dprintf(status);
+ }
+
+ grub_err_t
diff --git a/SOURCES/0270-unix-platform-Initialize-variable-to-fix-grub-instal.patch b/SOURCES/0270-unix-platform-Initialize-variable-to-fix-grub-instal.patch
new file mode 100644
index 0000000..8044070
--- /dev/null
+++ b/SOURCES/0270-unix-platform-Initialize-variable-to-fix-grub-instal.patch
@@ -0,0 +1,66 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Paul Menzel <pmenzel@molgen.mpg.de>
+Date: Tue, 23 Oct 2018 15:00:13 +0200
+Subject: [PATCH] unix/platform: Initialize variable to fix grub-install on
+ UEFI system
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+On a UEFI system, were no boot entry *grub* is present, currently,
+`grub-install` fails with an error.
+
+ $ efibootmgr
+ BootCurrent: 0000
+ Timeout: 0 seconds
+ BootOrder: 0001,0006,0003,0004,0005
+ Boot0001 Diskette Drive
+ Boot0003* USB Storage Device
+ Boot0004* CD/DVD/CD-RW Drive
+ Boot0005 Onboard NIC
+ Boot0006* WDC WD2500AAKX-75U6AA0
+ $ sudo grub-install /dev/sda
+ Installing for x86_64-efi platform.
+ grub-install: error: efibootmgr failed to register the boot entry: Unknown error 22020.
+
+The error code is always different, and the error message (incorrectly)
+points to efibootmgr.
+
+But, the error is in GRUB’s function
+`grub_install_remove_efi_entries_by_distributor()`, where the variable
+`rc` for the return value, is uninitialized and never set, when no boot
+entry for the distributor is found.
+
+The content of that uninitialized variable is then returned as the error
+code of efibootmgr.
+
+Set the variable to 0, so that success is returned, when no entry needs
+to be deleted.
+
+Tested on Dell OptiPlex 7010 with firmware A28.
+
+ $ sudo ./grub-install /dev/sda
+ Installing for x86_64-efi platform.
+ Installation finished. No error reported.
+
+[1]: https://github.com/rhboot/efibootmgr/issues/100
+
+Signed-off-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/osdep/unix/platform.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/osdep/unix/platform.c b/grub-core/osdep/unix/platform.c
+index ca448bc11a0..55b8f401624 100644
+--- a/grub-core/osdep/unix/platform.c
++++ b/grub-core/osdep/unix/platform.c
+@@ -85,7 +85,7 @@ grub_install_remove_efi_entries_by_distributor (const char *efi_distributor)
+ pid_t pid = grub_util_exec_pipe ((const char * []){ "efibootmgr", NULL }, &fd);
+ char *line = NULL;
+ size_t len = 0;
+- int rc;
++ int rc = 0;
+
+ if (!pid)
+ {
diff --git a/SOURCES/0271-blscfg-add-a-space-char-when-appending-fields-for-va.patch b/SOURCES/0271-blscfg-add-a-space-char-when-appending-fields-for-va.patch
new file mode 100644
index 0000000..80225c2
--- /dev/null
+++ b/SOURCES/0271-blscfg-add-a-space-char-when-appending-fields-for-va.patch
@@ -0,0 +1,76 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Tue, 26 Nov 2019 09:51:41 +0100
+Subject: [PATCH] blscfg: add a space char when appending fields for variable
+ expansion
+
+The GRUB variables are expanded and replaced by their values before adding
+menu entries, but they didn't include space characters after the values so
+the result was not correct.
+
+For the common case this wasn't a problem but it is if there are variables
+that are part of the values of other variables.
+
+Resolves: rhbz#1669252
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+---
+ grub-core/commands/blscfg.c | 31 ++++++++++++++++++-------------
+ 1 file changed, 18 insertions(+), 13 deletions(-)
+
+diff --git a/grub-core/commands/blscfg.c b/grub-core/commands/blscfg.c
+index 11cc82b6f31..c92e1c84543 100644
+--- a/grub-core/commands/blscfg.c
++++ b/grub-core/commands/blscfg.c
+@@ -597,26 +597,29 @@ static char **bls_make_list (struct bls_entry *entry, const char *key, int *num)
+
+ static char *field_append(bool is_var, char *buffer, char *start, char *end)
+ {
+- char *temp = grub_strndup(start, end - start + 1);
+- const char *field = temp;
++ char *tmp = grub_strndup(start, end - start + 1);
++ const char *field = tmp;
++ int term = is_var ? 2 : 1;
+
+ if (is_var) {
+- field = grub_env_get (temp);
++ field = grub_env_get (tmp);
+ if (!field)
+ return buffer;
+ }
+
+- if (!buffer) {
+- buffer = grub_strdup(field);
+- if (!buffer)
+- return NULL;
+- } else {
+- buffer = grub_realloc (buffer, grub_strlen(buffer) + grub_strlen(field));
+- if (!buffer)
+- return NULL;
++ if (!buffer)
++ buffer = grub_zalloc (grub_strlen(field) + term);
++ else
++ buffer = grub_realloc (buffer, grub_strlen(buffer) + grub_strlen(field) + term);
+
+- grub_stpcpy (buffer + grub_strlen(buffer), field);
+- }
++ if (!buffer)
++ return NULL;
++
++ tmp = buffer + grub_strlen(buffer);
++ tmp = grub_stpcpy (tmp, field);
++
++ if (is_var)
++ tmp = grub_stpcpy (tmp, " ");
+
+ return buffer;
+ }
+@@ -646,6 +649,8 @@ static char *expand_val(char *value)
+ buffer = field_append(is_var, buffer, start, end);
+ is_var = false;
+ start = value;
++ if (*start == ' ')
++ start++;
+ }
+ }
+
diff --git a/SOURCES/centos-ca-secureboot.der b/SOURCES/centos-ca-secureboot.der
deleted file mode 100644
index 44a2563..0000000
Binary files a/SOURCES/centos-ca-secureboot.der and /dev/null differ
diff --git a/SOURCES/centossecureboot001.crt b/SOURCES/centossecureboot001.crt
deleted file mode 100644
index 321c4ec..0000000
--- a/SOURCES/centossecureboot001.crt
+++ /dev/null
@@ -1,81 +0,0 @@
-Certificate:
- Data:
- Version: 3 (0x2)
- Serial Number:
- b6:16:15:71:72:fb:31:7e
- Signature Algorithm: sha256WithRSAEncryption
- Issuer: CN=CentOS Secure Boot (CA key 1)/emailAddress=security@centos.org
- Validity
- Not Before: Aug 1 11:47:30 2018 GMT
- Not After : Dec 31 11:47:30 2037 GMT
- Subject: CN=CentOS Secure Boot (key 1)/emailAddress=security@centos.org
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- RSA Public Key: (2048 bit)
- Modulus (2048 bit):
- 00:c1:a3:6a:f4:2d:71:83:6c:21:ca:0c:b7:ac:fa:
- 76:80:43:03:40:87:5d:de:e9:1e:df:ad:e7:2b:51:
- cb:f8:31:0f:9a:db:ab:23:25:04:11:05:57:7d:f2:
- 4b:8d:1e:b3:75:78:1d:b9:57:8b:18:0b:bb:7e:e3:
- 24:0f:6a:40:5f:2b:4f:03:a5:85:94:d2:f9:08:a0:
- bc:db:a5:ea:4f:7f:e8:7c:d1:a9:f8:f0:9c:25:18:
- 00:14:c4:c4:35:7d:1d:4c:8a:8d:95:f8:ed:65:97:
- a5:a4:da:7d:cb:f0:33:3b:b7:03:94:68:47:05:57:
- 6c:96:91:ac:14:f2:e3:f6:6d:4a:18:cf:68:8a:35:
- 6f:8e:26:99:7f:db:c9:83:54:c2:c3:bf:ad:45:a0:
- aa:a0:86:5f:20:b1:86:1b:ae:b7:28:15:11:f9:65:
- 53:5d:70:33:9b:a3:c7:b5:c8:11:ff:55:3b:e7:46:
- f1:6c:6b:8c:bb:f2:9f:36:23:b1:2d:23:2f:8f:4f:
- 6c:a8:cc:ae:f5:56:9e:22:6c:0e:9a:4a:b1:bd:b2:
- 76:15:5c:05:85:b8:5e:dc:8c:a5:c3:e0:75:51:a4:
- 94:9b:03:2e:7b:f8:d3:b9:dd:7f:88:ce:2e:2f:28:
- 4c:b4:92:2f:e6:e0:67:0a:d0:ff:c5:d2:79:a6:ef:
- 94:0f
- Exponent: 65537 (0x10001)
- X509v3 extensions:
- X509v3 Basic Constraints: critical
- CA:FALSE
- X509v3 Key Usage:
- Digital Signature
- X509v3 Subject Key Identifier:
- F0:37:C6:EA:EC:36:D4:05:7A:52:6C:0E:C6:D5:A9:5B:32:4E:E1:29
- X509v3 Authority Key Identifier:
- keyid:54:EC:81:85:89:3E:E9:1A:DB:08:F7:44:88:54:7E:8E:3F:74:3A:F3
-
- Signature Algorithm: sha256WithRSAEncryption
- 97:97:ba:a6:0b:5b:bb:84:39:2e:ef:8b:51:9a:89:bb:65:3c:
- dc:15:d0:5a:88:c5:af:ce:93:f5:c1:74:98:15:59:a9:38:da:
- 11:fd:46:d5:4f:23:7c:03:1f:ae:0c:70:93:94:a7:61:2f:4b:
- 2f:5f:bb:cc:8a:d7:4a:24:66:73:85:b4:19:13:fc:6a:61:4a:
- 28:1f:a2:38:f4:72:90:03:c4:3e:64:63:8b:fb:15:22:22:4e:
- b9:43:d9:b4:3d:3a:60:c1:4d:3a:09:85:68:7a:bc:3b:f9:ef:
- f3:f5:e9:c9:4f:80:8c:c6:e9:cb:ef:28:44:b0:5d:d4:9e:4f:
- 0f:02:9a:65:aa:98:35:b4:6f:d2:80:e3:08:ef:12:d0:17:56:
- a6:a1:42:1e:1d:ab:e5:33:c0:fd:88:0d:40:42:81:c8:27:30:
- 17:07:57:3e:05:9d:aa:05:0e:5b:3a:79:b4:29:aa:7c:42:5a:
- ad:43:59:fb:34:4d:dc:62:58:63:e4:fb:de:bb:fd:6c:4e:97:
- 58:f4:b9:99:4a:71:fe:7f:16:50:55:25:46:39:96:9b:88:6c:
- 75:19:33:9e:70:b3:04:82:fe:16:a8:8e:22:47:83:6d:16:77:
- da:26:ad:31:d8:06:6d:c5:7e:46:4b:21:ab:ae:ec:2a:93:71:
- da:7f:89:1d
------BEGIN CERTIFICATE-----
-MIIDdTCCAl2gAwIBAgIJALYWFXFy+zF+MA0GCSqGSIb3DQEBCwUAMEwxJjAkBgNV
-BAMMHUNlbnRPUyBTZWN1cmUgQm9vdCAoQ0Ega2V5IDEpMSIwIAYJKoZIhvcNAQkB
-FhNzZWN1cml0eUBjZW50b3Mub3JnMB4XDTE4MDgwMTExNDczMFoXDTM3MTIzMTEx
-NDczMFowSTEjMCEGA1UEAxMaQ2VudE9TIFNlY3VyZSBCb290IChrZXkgMSkxIjAg
-BgkqhkiG9w0BCQEWE3NlY3VyaXR5QGNlbnRvcy5vcmcwggEiMA0GCSqGSIb3DQEB
-AQUAA4IBDwAwggEKAoIBAQDBo2r0LXGDbCHKDLes+naAQwNAh13e6R7frecrUcv4
-MQ+a26sjJQQRBVd98kuNHrN1eB25V4sYC7t+4yQPakBfK08DpYWU0vkIoLzbpepP
-f+h80an48JwlGAAUxMQ1fR1Mio2V+O1ll6Wk2n3L8DM7twOUaEcFV2yWkawU8uP2
-bUoYz2iKNW+OJpl/28mDVMLDv61FoKqghl8gsYYbrrcoFRH5ZVNdcDObo8e1yBH/
-VTvnRvFsa4y78p82I7EtIy+PT2yozK71Vp4ibA6aSrG9snYVXAWFuF7cjKXD4HVR
-pJSbAy57+NO53X+Izi4vKEy0ki/m4GcK0P/F0nmm75QPAgMBAAGjXTBbMAwGA1Ud
-EwEB/wQCMAAwCwYDVR0PBAQDAgeAMB0GA1UdDgQWBBTwN8bq7DbUBXpSbA7G1alb
-Mk7hKTAfBgNVHSMEGDAWgBRU7IGFiT7pGtsI90SIVH6OP3Q68zANBgkqhkiG9w0B
-AQsFAAOCAQEAl5e6pgtbu4Q5Lu+LUZqJu2U83BXQWojFr86T9cF0mBVZqTjaEf1G
-1U8jfAMfrgxwk5SnYS9LL1+7zIrXSiRmc4W0GRP8amFKKB+iOPRykAPEPmRji/sV
-IiJOuUPZtD06YMFNOgmFaHq8O/nv8/XpyU+AjMbpy+8oRLBd1J5PDwKaZaqYNbRv
-0oDjCO8S0BdWpqFCHh2r5TPA/YgNQEKByCcwFwdXPgWdqgUOWzp5tCmqfEJarUNZ
-+zRN3GJYY+T73rv9bE6XWPS5mUpx/n8WUFUlRjmWm4hsdRkznnCzBIL+FqiOIkeD
-bRZ32iatMdgGbcV+Rkshq67sKpNx2n+JHQ==
------END CERTIFICATE-----
diff --git a/SOURCES/grub.patches b/SOURCES/grub.patches
index 06f0993..ea7ecf6 100644
--- a/SOURCES/grub.patches
+++ b/SOURCES/grub.patches
@@ -263,6 +263,9 @@ Patch0262: 0262-blscfg-fallback-to-default_kernelopts-if-BLS-option-.patch
Patch0263: 0263-Remove-bogus-load_env-after-blscfg-command-in-10_lin.patch
Patch0264: 0264-10_linux_bls-use-to-separate-id-argument-due-a-Petit.patch
Patch0265: 0265-10_linux_bls-don-t-add-users-option-to-generated-men.patch
-Patch0266: 0266-unix-platform-Initialize-variable-to-fix-grub-instal.patch
-Patch0267: 0267-grub-set-bootflag-Update-comment-about-running-as-ro.patch
-Patch0268: 0268-grub-set-bootflag-Write-new-env-to-tmpfile-and-then-.patch
+Patch0266: 0266-grub-set-bootflag-Update-comment-about-running-as-ro.patch
+Patch0267: 0267-grub-set-bootflag-Write-new-env-to-tmpfile-and-then-.patch
+Patch0268: 0268-Fix-PRIxGRUB_EFI_STATUS-definition.patch
+Patch0269: 0269-TPM-Print-messages-if-measuraments-fail-as-debug-ins.patch
+Patch0270: 0270-unix-platform-Initialize-variable-to-fix-grub-instal.patch
+Patch0271: 0271-blscfg-add-a-space-char-when-appending-fields-for-va.patch
diff --git a/SPECS/grub2.spec b/SPECS/grub2.spec
index fb0fc09..844c1fc 100644
--- a/SPECS/grub2.spec
+++ b/SPECS/grub2.spec
@@ -7,7 +7,7 @@
Name: grub2
Epoch: 1
Version: 2.02
-Release: 78%{?dist}.1
+Release: 81%{?dist}
Summary: Bootloader with support for Linux, Multiboot and more
Group: System Environment/Base
License: GPLv3+
@@ -24,8 +24,8 @@ Source6: gitignore
Source8: strtoull_test.c
Source9: 20-grub.install
Source12: 99-grub-mkconfig.install
-Source13: centos-ca-secureboot.der
-Source14: centossecureboot001.crt
+Source13: securebootca.cer
+Source14: secureboot.cer
%include %{SOURCE1}
@@ -52,11 +52,7 @@ BuildRequires: pesign >= 0.99-8
BuildRequires: ccache
%endif
-%if 0%{?centos}
-%global efidir centos
-%endif
-
-ExcludeArch: s390 s390x
+ExcludeArch: s390 s390x %{arm}
Obsoletes: %{name} <= %{evr}
%if 0%{with_legacy_arch}
@@ -168,10 +164,10 @@ git commit -m "After making subdirs"
%build
%if 0%{with_efi_arch}
-%{expand:%do_primary_efi_build %%{grubefiarch} %%{grubefiname} %%{grubeficdname} %%{_target_platform} %%{efi_target_cflags} %%{efi_host_cflags} %{SOURCE13} %{SOURCE14} centossecureboot001}
+%{expand:%do_primary_efi_build %%{grubefiarch} %%{grubefiname} %%{grubeficdname} %%{_target_platform} %%{efi_target_cflags} %%{efi_host_cflags} %{SOURCE13} %{SOURCE14} redhatsecureboot301}
%endif
%if 0%{with_alt_efi_arch}
-%{expand:%do_alt_efi_build %%{grubaltefiarch} %%{grubaltefiname} %%{grubalteficdname} %%{_alt_target_platform} %%{alt_efi_target_cflags} %%{alt_efi_host_cflags} %{SOURCE13} %{SOURCE14} centossecureboot001}
+%{expand:%do_alt_efi_build %%{grubaltefiarch} %%{grubaltefiname} %%{grubalteficdname} %%{_alt_target_platform} %%{alt_efi_target_cflags} %%{alt_efi_host_cflags} %{SOURCE13} %{SOURCE14} redhatsecureboot301}
%endif
%if 0%{with_legacy_arch}
%{expand:%do_legacy_build %%{grublegacyarch}}
@@ -502,10 +498,21 @@ fi
%endif
%changelog
-* Tue Feb 04 2020 CentOS Sources <bugs@centos.org> - 2.02-78.el8.centos.1
-- Apply debranding changes
-
-* Tue Dec 03 2019 Javier Martinez Canillas <javierm@redhat.com> - 2.02-78.el8_1.1
+* Thu Dec 05 2019 Javier Martinez Canillas <javierm@redhat.com> - 2.02-81
+- Another fix for blscfg variable expansion support
+ Related: rhbz#1669252
+
+* Thu Nov 28 2019 Javier Martinez Canillas <javierm@redhat.com> - 2.02-80
+- Fix PRIxGRUB_EFI_STATUS definition
+ Related: rhbz#1761811
+- TPM: Print messages if measuraments fail as debug instead of error
+ Resolves: rhbz#1761811
+- unix/platform: Initialize variable to fix grub-install on UEFI system
+ Resolves: rhbz#1768689
+- blscfg: add a space char when appending fields for variable expansion
+ Resolves: rhbz#1669252
+
+* Fri Nov 22 2019 Javier Martinez Canillas <javierm@redhat.com> - 2.02-79
- grub-set-bootflag: Write new env to tmpfile and then rename (hdegoede)
Resolves: CVE-2019-14865