diff --git a/SOURCES/0266-grub-set-bootflag-Update-comment-about-running-as-ro.patch b/SOURCES/0266-grub-set-bootflag-Update-comment-about-running-as-ro.patch new file mode 100644 index 0000000..e1fb2b5 --- /dev/null +++ b/SOURCES/0266-grub-set-bootflag-Update-comment-about-running-as-ro.patch @@ -0,0 +1,27 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Wed, 13 Nov 2019 12:15:43 +0100 +Subject: [PATCH] grub-set-bootflag: Update comment about running as root + through pkexec + +We have stopped using pkexec for grub-set-bootflag, instead it is now +installed suid root, update the comment accordingly. + +Signed-off-by: Hans de Goede +--- + util/grub-set-bootflag.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/util/grub-set-bootflag.c b/util/grub-set-bootflag.c +index f8dc310909a..32f1c104a2b 100644 +--- a/util/grub-set-bootflag.c ++++ b/util/grub-set-bootflag.c +@@ -18,7 +18,7 @@ + */ + + /* +- * NOTE this gets run by users as root (through pkexec), so this does not ++ * NOTE this gets run by users as root (its suid root), so this does not + * use any grub library / util functions to allow for easy auditing. + * The grub headers are only included to get certain defines. + */ diff --git a/SOURCES/0266-unix-platform-Initialize-variable-to-fix-grub-instal.patch b/SOURCES/0266-unix-platform-Initialize-variable-to-fix-grub-instal.patch deleted file mode 100644 index 8044070..0000000 --- a/SOURCES/0266-unix-platform-Initialize-variable-to-fix-grub-instal.patch +++ /dev/null @@ -1,66 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Paul Menzel -Date: Tue, 23 Oct 2018 15:00:13 +0200 -Subject: [PATCH] unix/platform: Initialize variable to fix grub-install on - UEFI system -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -On a UEFI system, were no boot entry *grub* is present, currently, -`grub-install` fails with an error. - - $ efibootmgr - BootCurrent: 0000 - Timeout: 0 seconds - BootOrder: 0001,0006,0003,0004,0005 - Boot0001 Diskette Drive - Boot0003* USB Storage Device - Boot0004* CD/DVD/CD-RW Drive - Boot0005 Onboard NIC - Boot0006* WDC WD2500AAKX-75U6AA0 - $ sudo grub-install /dev/sda - Installing for x86_64-efi platform. - grub-install: error: efibootmgr failed to register the boot entry: Unknown error 22020. - -The error code is always different, and the error message (incorrectly) -points to efibootmgr. - -But, the error is in GRUB’s function -`grub_install_remove_efi_entries_by_distributor()`, where the variable -`rc` for the return value, is uninitialized and never set, when no boot -entry for the distributor is found. - -The content of that uninitialized variable is then returned as the error -code of efibootmgr. - -Set the variable to 0, so that success is returned, when no entry needs -to be deleted. - -Tested on Dell OptiPlex 7010 with firmware A28. - - $ sudo ./grub-install /dev/sda - Installing for x86_64-efi platform. - Installation finished. No error reported. - -[1]: https://github.com/rhboot/efibootmgr/issues/100 - -Signed-off-by: Paul Menzel -Reviewed-by: Daniel Kiper ---- - grub-core/osdep/unix/platform.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/grub-core/osdep/unix/platform.c b/grub-core/osdep/unix/platform.c -index ca448bc11a0..55b8f401624 100644 ---- a/grub-core/osdep/unix/platform.c -+++ b/grub-core/osdep/unix/platform.c -@@ -85,7 +85,7 @@ grub_install_remove_efi_entries_by_distributor (const char *efi_distributor) - pid_t pid = grub_util_exec_pipe ((const char * []){ "efibootmgr", NULL }, &fd); - char *line = NULL; - size_t len = 0; -- int rc; -+ int rc = 0; - - if (!pid) - { diff --git a/SOURCES/0267-grub-set-bootflag-Update-comment-about-running-as-ro.patch b/SOURCES/0267-grub-set-bootflag-Update-comment-about-running-as-ro.patch deleted file mode 100644 index e1fb2b5..0000000 --- a/SOURCES/0267-grub-set-bootflag-Update-comment-about-running-as-ro.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Hans de Goede -Date: Wed, 13 Nov 2019 12:15:43 +0100 -Subject: [PATCH] grub-set-bootflag: Update comment about running as root - through pkexec - -We have stopped using pkexec for grub-set-bootflag, instead it is now -installed suid root, update the comment accordingly. - -Signed-off-by: Hans de Goede ---- - util/grub-set-bootflag.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/util/grub-set-bootflag.c b/util/grub-set-bootflag.c -index f8dc310909a..32f1c104a2b 100644 ---- a/util/grub-set-bootflag.c -+++ b/util/grub-set-bootflag.c -@@ -18,7 +18,7 @@ - */ - - /* -- * NOTE this gets run by users as root (through pkexec), so this does not -+ * NOTE this gets run by users as root (its suid root), so this does not - * use any grub library / util functions to allow for easy auditing. - * The grub headers are only included to get certain defines. - */ diff --git a/SOURCES/0267-grub-set-bootflag-Write-new-env-to-tmpfile-and-then-.patch b/SOURCES/0267-grub-set-bootflag-Write-new-env-to-tmpfile-and-then-.patch new file mode 100644 index 0000000..32e07d5 --- /dev/null +++ b/SOURCES/0267-grub-set-bootflag-Write-new-env-to-tmpfile-and-then-.patch @@ -0,0 +1,152 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Fri, 22 Nov 2019 11:54:27 +0100 +Subject: [PATCH] grub-set-bootflag: Write new env to tmpfile and then rename + +Make the grubenv writing code in grub-set-bootflag more robust by +writing the modified grubenv to a tmpfile first and then renaming the +tmpfile over the old grubenv (following symlinks). + +Signed-off-by: Hans de Goede +--- + util/grub-set-bootflag.c | 87 +++++++++++++++++++++++++++++++++++++++++++----- + 1 file changed, 78 insertions(+), 9 deletions(-) + +diff --git a/util/grub-set-bootflag.c b/util/grub-set-bootflag.c +index 32f1c104a2b..d3b80a0d204 100644 +--- a/util/grub-set-bootflag.c ++++ b/util/grub-set-bootflag.c +@@ -26,7 +26,9 @@ + #include /* For *_DIR_NAME defines */ + #include + #include /* For GRUB_ENVBLK_DEFCFG define */ ++#include + #include ++#include + #include + #include + +@@ -52,8 +54,10 @@ int main(int argc, char *argv[]) + { + /* NOTE buf must be at least the longest bootflag length + 4 bytes */ + char env[GRUBENV_SIZE + 1], buf[64], *s; ++ /* +1 for 0 termination, +6 for "XXXXXX" in tmp filename */ ++ char env_filename[PATH_MAX + 1], tmp_filename[PATH_MAX + 6 + 1]; + const char *bootflag; +- int i, len, ret; ++ int i, fd, len, ret; + FILE *f; + + if (argc != 2) +@@ -75,7 +79,32 @@ int main(int argc, char *argv[]) + bootflag = bootflags[i]; + len = strlen (bootflag); + +- f = fopen (GRUBENV, "r"); ++ /* ++ * Really become root. setuid avoids an user killing us, possibly leaking ++ * the tmpfile. setgid avoids the new grubenv's gid being that of the user. ++ */ ++ ret = setuid(0); ++ if (ret) ++ { ++ perror ("Error setuid(0) failed"); ++ return 1; ++ } ++ ++ ret = setgid(0); ++ if (ret) ++ { ++ perror ("Error setgid(0) failed"); ++ return 1; ++ } ++ ++ /* Canonicalize GRUBENV filename, resolving symlinks, etc. */ ++ if (!realpath(GRUBENV, env_filename)) ++ { ++ perror ("Error canonicalizing " GRUBENV " filename"); ++ return 1; ++ } ++ ++ f = fopen (env_filename, "r"); + if (!f) + { + perror ("Error opening " GRUBENV " for reading"); +@@ -129,30 +158,70 @@ int main(int argc, char *argv[]) + snprintf(buf, sizeof(buf), "%s=1\n", bootflag); + memcpy(s, buf, len + 3); + +- /* "r+", don't truncate so that the diskspace stays reserved */ +- f = fopen (GRUBENV, "r+"); ++ ++ /* ++ * Create a tempfile for writing the new env. Use the canonicalized filename ++ * for the template so that the tmpfile is in the same dir / on same fs. ++ */ ++ snprintf(tmp_filename, sizeof(tmp_filename), "%sXXXXXX", env_filename); ++ fd = mkstemp(tmp_filename); ++ if (fd == -1) ++ { ++ perror ("Creating tmpfile failed"); ++ return 1; ++ } ++ ++ f = fdopen (fd, "w"); + if (!f) + { +- perror ("Error opening " GRUBENV " for writing"); ++ perror ("Error fdopen of tmpfile failed"); ++ unlink(tmp_filename); + return 1; + } + + ret = fwrite (env, 1, GRUBENV_SIZE, f); + if (ret != GRUBENV_SIZE) + { +- perror ("Error writing to " GRUBENV); ++ perror ("Error writing tmpfile"); ++ unlink(tmp_filename); + return 1; + } + + ret = fflush (f); + if (ret) + { +- perror ("Error flushing " GRUBENV); ++ perror ("Error flushing tmpfile"); ++ unlink(tmp_filename); + return 1; + } + +- fsync (fileno (f)); +- fclose (f); ++ ret = fsync (fileno (f)); ++ if (ret) ++ { ++ perror ("Error syncing tmpfile"); ++ unlink(tmp_filename); ++ return 1; ++ } ++ ++ ret = fclose (f); ++ if (ret) ++ { ++ perror ("Error closing tmpfile"); ++ unlink(tmp_filename); ++ return 1; ++ } ++ ++ /* ++ * And finally rename the tmpfile with the new env over the old env, the ++ * linux kernel guarantees that this is atomic (from a syscall pov). ++ */ ++ ret = rename(tmp_filename, env_filename); ++ if (ret) ++ { ++ perror ("Error renaming tmpfile to " GRUBENV " failed"); ++ unlink(tmp_filename); ++ return 1; ++ } + + return 0; + } diff --git a/SOURCES/0268-Fix-PRIxGRUB_EFI_STATUS-definition.patch b/SOURCES/0268-Fix-PRIxGRUB_EFI_STATUS-definition.patch new file mode 100644 index 0000000..fd71d99 --- /dev/null +++ b/SOURCES/0268-Fix-PRIxGRUB_EFI_STATUS-definition.patch @@ -0,0 +1,48 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Javier Martinez Canillas +Date: Thu, 28 Nov 2019 13:23:59 +0100 +Subject: [PATCH] Fix PRIxGRUB_EFI_STATUS definition + +The type specifiers were wrongly defined when GRUB_CPU_SIZEOF_VOID_P != 8 +since in that case the grub_efi_status_t is a grub_int32_t typedef. This +leads to the following covscan warnings: + +grub-2.02/include/grub/dl.h:29: included_from: Included from here. +grub-2.02/include/grub/efi/efi.h:24: included_from: Included from here. +grub-2.02/grub-core/kern/efi/tpm.c:4: included_from: Included from here. +grub-2.02/grub-core/kern/efi/tpm.c: scope_hint: In function 'grub_tpm_dprintf' +grub-2.02/grub-core/kern/efi/tpm.c:170:26: warning: format '%llx' expects argument of type 'long long unsigned int', but argument 5 has type 'grub_efi_status_t' {aka 'int'} [-Wformat=] +grub-2.02/include/grub/misc.h:38:88: note: in definition of macro 'grub_dprintf' + +Related: rhbz#1761811 + +Signed-off-by: Javier Martinez Canillas +--- + include/grub/efi/api.h | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/include/grub/efi/api.h b/include/grub/efi/api.h +index b337e1a193d..6c440c61316 100644 +--- a/include/grub/efi/api.h ++++ b/include/grub/efi/api.h +@@ -539,11 +539,16 @@ typedef grub_uint16_t grub_efi_char16_t; + typedef grub_efi_intn_t grub_efi_status_t; + /* Make grub_efi_status_t reasonably printable. */ + #if GRUB_CPU_SIZEOF_VOID_P == 8 +-#define PRIxGRUB_EFI_STATUS "lx" +-#define PRIdGRUB_EFI_STATUS "ld" ++# if GRUB_CPU_SIZEOF_LONG == 8 ++# define PRIxGRUB_EFI_STATUS "lx" ++# define PRIdGRUB_EFI_STATUS "ld" ++# else ++# define PRIxGRUB_EFI_STATUS "llx" ++# define PRIdGRUB_EFI_STATUS "lld" ++# endif + #else +-#define PRIxGRUB_EFI_STATUS "llx" +-#define PRIdGRUB_EFI_STATUS "lld" ++# define PRIxGRUB_EFI_STATUS "x" ++# define PRIdGRUB_EFI_STATUS "d" + #endif + + #define GRUB_EFI_ERROR_CODE(value) \ diff --git a/SOURCES/0268-grub-set-bootflag-Write-new-env-to-tmpfile-and-then-.patch b/SOURCES/0268-grub-set-bootflag-Write-new-env-to-tmpfile-and-then-.patch deleted file mode 100644 index 32e07d5..0000000 --- a/SOURCES/0268-grub-set-bootflag-Write-new-env-to-tmpfile-and-then-.patch +++ /dev/null @@ -1,152 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Hans de Goede -Date: Fri, 22 Nov 2019 11:54:27 +0100 -Subject: [PATCH] grub-set-bootflag: Write new env to tmpfile and then rename - -Make the grubenv writing code in grub-set-bootflag more robust by -writing the modified grubenv to a tmpfile first and then renaming the -tmpfile over the old grubenv (following symlinks). - -Signed-off-by: Hans de Goede ---- - util/grub-set-bootflag.c | 87 +++++++++++++++++++++++++++++++++++++++++++----- - 1 file changed, 78 insertions(+), 9 deletions(-) - -diff --git a/util/grub-set-bootflag.c b/util/grub-set-bootflag.c -index 32f1c104a2b..d3b80a0d204 100644 ---- a/util/grub-set-bootflag.c -+++ b/util/grub-set-bootflag.c -@@ -26,7 +26,9 @@ - #include /* For *_DIR_NAME defines */ - #include - #include /* For GRUB_ENVBLK_DEFCFG define */ -+#include - #include -+#include - #include - #include - -@@ -52,8 +54,10 @@ int main(int argc, char *argv[]) - { - /* NOTE buf must be at least the longest bootflag length + 4 bytes */ - char env[GRUBENV_SIZE + 1], buf[64], *s; -+ /* +1 for 0 termination, +6 for "XXXXXX" in tmp filename */ -+ char env_filename[PATH_MAX + 1], tmp_filename[PATH_MAX + 6 + 1]; - const char *bootflag; -- int i, len, ret; -+ int i, fd, len, ret; - FILE *f; - - if (argc != 2) -@@ -75,7 +79,32 @@ int main(int argc, char *argv[]) - bootflag = bootflags[i]; - len = strlen (bootflag); - -- f = fopen (GRUBENV, "r"); -+ /* -+ * Really become root. setuid avoids an user killing us, possibly leaking -+ * the tmpfile. setgid avoids the new grubenv's gid being that of the user. -+ */ -+ ret = setuid(0); -+ if (ret) -+ { -+ perror ("Error setuid(0) failed"); -+ return 1; -+ } -+ -+ ret = setgid(0); -+ if (ret) -+ { -+ perror ("Error setgid(0) failed"); -+ return 1; -+ } -+ -+ /* Canonicalize GRUBENV filename, resolving symlinks, etc. */ -+ if (!realpath(GRUBENV, env_filename)) -+ { -+ perror ("Error canonicalizing " GRUBENV " filename"); -+ return 1; -+ } -+ -+ f = fopen (env_filename, "r"); - if (!f) - { - perror ("Error opening " GRUBENV " for reading"); -@@ -129,30 +158,70 @@ int main(int argc, char *argv[]) - snprintf(buf, sizeof(buf), "%s=1\n", bootflag); - memcpy(s, buf, len + 3); - -- /* "r+", don't truncate so that the diskspace stays reserved */ -- f = fopen (GRUBENV, "r+"); -+ -+ /* -+ * Create a tempfile for writing the new env. Use the canonicalized filename -+ * for the template so that the tmpfile is in the same dir / on same fs. -+ */ -+ snprintf(tmp_filename, sizeof(tmp_filename), "%sXXXXXX", env_filename); -+ fd = mkstemp(tmp_filename); -+ if (fd == -1) -+ { -+ perror ("Creating tmpfile failed"); -+ return 1; -+ } -+ -+ f = fdopen (fd, "w"); - if (!f) - { -- perror ("Error opening " GRUBENV " for writing"); -+ perror ("Error fdopen of tmpfile failed"); -+ unlink(tmp_filename); - return 1; - } - - ret = fwrite (env, 1, GRUBENV_SIZE, f); - if (ret != GRUBENV_SIZE) - { -- perror ("Error writing to " GRUBENV); -+ perror ("Error writing tmpfile"); -+ unlink(tmp_filename); - return 1; - } - - ret = fflush (f); - if (ret) - { -- perror ("Error flushing " GRUBENV); -+ perror ("Error flushing tmpfile"); -+ unlink(tmp_filename); - return 1; - } - -- fsync (fileno (f)); -- fclose (f); -+ ret = fsync (fileno (f)); -+ if (ret) -+ { -+ perror ("Error syncing tmpfile"); -+ unlink(tmp_filename); -+ return 1; -+ } -+ -+ ret = fclose (f); -+ if (ret) -+ { -+ perror ("Error closing tmpfile"); -+ unlink(tmp_filename); -+ return 1; -+ } -+ -+ /* -+ * And finally rename the tmpfile with the new env over the old env, the -+ * linux kernel guarantees that this is atomic (from a syscall pov). -+ */ -+ ret = rename(tmp_filename, env_filename); -+ if (ret) -+ { -+ perror ("Error renaming tmpfile to " GRUBENV " failed"); -+ unlink(tmp_filename); -+ return 1; -+ } - - return 0; - } diff --git a/SOURCES/0269-TPM-Print-messages-if-measuraments-fail-as-debug-ins.patch b/SOURCES/0269-TPM-Print-messages-if-measuraments-fail-as-debug-ins.patch new file mode 100644 index 0000000..45dd94b --- /dev/null +++ b/SOURCES/0269-TPM-Print-messages-if-measuraments-fail-as-debug-ins.patch @@ -0,0 +1,100 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Javier Martinez Canillas +Date: Wed, 16 Oct 2019 15:32:04 +0200 +Subject: [PATCH] TPM: Print messages if measuraments fail as debug instead of + error + +If the calls to EFI services to do TPM measuraments fail, currently error +messages are printed. But this is not a fatal error and just pollutes the +output, so instead just print them as debug messages. + +Resolves: rhbz#1761811 + +Signed-off-by: Javier Martinez Canillas +--- + grub-core/kern/efi/tpm.c | 58 +++++++++++++++++++++++++----------------------- + 1 file changed, 30 insertions(+), 28 deletions(-) + +diff --git a/grub-core/kern/efi/tpm.c b/grub-core/kern/efi/tpm.c +index 0d3ebe22e57..5dc90865242 100644 +--- a/grub-core/kern/efi/tpm.c ++++ b/grub-core/kern/efi/tpm.c +@@ -161,6 +161,34 @@ grub_tpm_execute(PassThroughToTPM_InputParamBlock *inbuf, + } + } + ++static inline grub_err_t grub_tpm_dprintf(grub_efi_status_t status) ++{ ++ switch (status) { ++ case GRUB_EFI_SUCCESS: ++ return 0; ++ case GRUB_EFI_DEVICE_ERROR: ++ grub_dprintf ("tpm", "Command failed: 0x%"PRIxGRUB_EFI_STATUS"\n", ++ status); ++ return GRUB_ERR_IO; ++ case GRUB_EFI_INVALID_PARAMETER: ++ grub_dprintf ("tpm", "Invalid parameter: 0x%"PRIxGRUB_EFI_STATUS"\n", ++ status); ++ return GRUB_ERR_BAD_ARGUMENT; ++ case GRUB_EFI_BUFFER_TOO_SMALL: ++ grub_dprintf ("tpm", "Output buffer too small: 0x%"PRIxGRUB_EFI_STATUS"\n", ++ status); ++ return GRUB_ERR_BAD_ARGUMENT; ++ case GRUB_EFI_NOT_FOUND: ++ grub_dprintf ("tpm", "TPM unavailable: 0x%"PRIxGRUB_EFI_STATUS"\n", ++ status); ++ return GRUB_ERR_UNKNOWN_DEVICE; ++ default: ++ grub_dprintf ("tpm", "Unknown TPM error: 0x%"PRIxGRUB_EFI_STATUS"\n", ++ status); ++ return GRUB_ERR_UNKNOWN_DEVICE; ++ } ++} ++ + static grub_err_t + grub_tpm1_log_event(grub_efi_handle_t tpm_handle, unsigned char *buf, + grub_size_t size, grub_uint8_t pcr, +@@ -194,20 +222,7 @@ grub_tpm1_log_event(grub_efi_handle_t tpm_handle, unsigned char *buf, + (unsigned long) buf, (grub_uint64_t) size, + algorithm, event, &eventnum, &lastevent); + +- switch (status) { +- case GRUB_EFI_SUCCESS: +- return 0; +- case GRUB_EFI_DEVICE_ERROR: +- return grub_error (GRUB_ERR_IO, N_("Command failed")); +- case GRUB_EFI_INVALID_PARAMETER: +- return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("Invalid parameter")); +- case GRUB_EFI_BUFFER_TOO_SMALL: +- return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("Output buffer too small")); +- case GRUB_EFI_NOT_FOUND: +- return grub_error (GRUB_ERR_UNKNOWN_DEVICE, N_("TPM unavailable")); +- default: +- return grub_error (GRUB_ERR_UNKNOWN_DEVICE, N_("Unknown TPM error")); +- } ++ return grub_tpm_dprintf(status); + } + + static grub_err_t +@@ -240,20 +255,7 @@ grub_tpm2_log_event(grub_efi_handle_t tpm_handle, unsigned char *buf, + status = efi_call_5 (tpm->hash_log_extend_event, tpm, 0, (unsigned long) buf, + (grub_uint64_t) size, event); + +- switch (status) { +- case GRUB_EFI_SUCCESS: +- return 0; +- case GRUB_EFI_DEVICE_ERROR: +- return grub_error (GRUB_ERR_IO, N_("Command failed")); +- case GRUB_EFI_INVALID_PARAMETER: +- return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("Invalid parameter")); +- case GRUB_EFI_BUFFER_TOO_SMALL: +- return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("Output buffer too small")); +- case GRUB_EFI_NOT_FOUND: +- return grub_error (GRUB_ERR_UNKNOWN_DEVICE, N_("TPM unavailable")); +- default: +- return grub_error (GRUB_ERR_UNKNOWN_DEVICE, N_("Unknown TPM error")); +- } ++ return grub_tpm_dprintf(status); + } + + grub_err_t diff --git a/SOURCES/0270-unix-platform-Initialize-variable-to-fix-grub-instal.patch b/SOURCES/0270-unix-platform-Initialize-variable-to-fix-grub-instal.patch new file mode 100644 index 0000000..8044070 --- /dev/null +++ b/SOURCES/0270-unix-platform-Initialize-variable-to-fix-grub-instal.patch @@ -0,0 +1,66 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Paul Menzel +Date: Tue, 23 Oct 2018 15:00:13 +0200 +Subject: [PATCH] unix/platform: Initialize variable to fix grub-install on + UEFI system +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +On a UEFI system, were no boot entry *grub* is present, currently, +`grub-install` fails with an error. + + $ efibootmgr + BootCurrent: 0000 + Timeout: 0 seconds + BootOrder: 0001,0006,0003,0004,0005 + Boot0001 Diskette Drive + Boot0003* USB Storage Device + Boot0004* CD/DVD/CD-RW Drive + Boot0005 Onboard NIC + Boot0006* WDC WD2500AAKX-75U6AA0 + $ sudo grub-install /dev/sda + Installing for x86_64-efi platform. + grub-install: error: efibootmgr failed to register the boot entry: Unknown error 22020. + +The error code is always different, and the error message (incorrectly) +points to efibootmgr. + +But, the error is in GRUB’s function +`grub_install_remove_efi_entries_by_distributor()`, where the variable +`rc` for the return value, is uninitialized and never set, when no boot +entry for the distributor is found. + +The content of that uninitialized variable is then returned as the error +code of efibootmgr. + +Set the variable to 0, so that success is returned, when no entry needs +to be deleted. + +Tested on Dell OptiPlex 7010 with firmware A28. + + $ sudo ./grub-install /dev/sda + Installing for x86_64-efi platform. + Installation finished. No error reported. + +[1]: https://github.com/rhboot/efibootmgr/issues/100 + +Signed-off-by: Paul Menzel +Reviewed-by: Daniel Kiper +--- + grub-core/osdep/unix/platform.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/grub-core/osdep/unix/platform.c b/grub-core/osdep/unix/platform.c +index ca448bc11a0..55b8f401624 100644 +--- a/grub-core/osdep/unix/platform.c ++++ b/grub-core/osdep/unix/platform.c +@@ -85,7 +85,7 @@ grub_install_remove_efi_entries_by_distributor (const char *efi_distributor) + pid_t pid = grub_util_exec_pipe ((const char * []){ "efibootmgr", NULL }, &fd); + char *line = NULL; + size_t len = 0; +- int rc; ++ int rc = 0; + + if (!pid) + { diff --git a/SOURCES/0271-blscfg-add-a-space-char-when-appending-fields-for-va.patch b/SOURCES/0271-blscfg-add-a-space-char-when-appending-fields-for-va.patch new file mode 100644 index 0000000..80225c2 --- /dev/null +++ b/SOURCES/0271-blscfg-add-a-space-char-when-appending-fields-for-va.patch @@ -0,0 +1,76 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Javier Martinez Canillas +Date: Tue, 26 Nov 2019 09:51:41 +0100 +Subject: [PATCH] blscfg: add a space char when appending fields for variable + expansion + +The GRUB variables are expanded and replaced by their values before adding +menu entries, but they didn't include space characters after the values so +the result was not correct. + +For the common case this wasn't a problem but it is if there are variables +that are part of the values of other variables. + +Resolves: rhbz#1669252 + +Signed-off-by: Javier Martinez Canillas +--- + grub-core/commands/blscfg.c | 31 ++++++++++++++++++------------- + 1 file changed, 18 insertions(+), 13 deletions(-) + +diff --git a/grub-core/commands/blscfg.c b/grub-core/commands/blscfg.c +index 11cc82b6f31..c92e1c84543 100644 +--- a/grub-core/commands/blscfg.c ++++ b/grub-core/commands/blscfg.c +@@ -597,26 +597,29 @@ static char **bls_make_list (struct bls_entry *entry, const char *key, int *num) + + static char *field_append(bool is_var, char *buffer, char *start, char *end) + { +- char *temp = grub_strndup(start, end - start + 1); +- const char *field = temp; ++ char *tmp = grub_strndup(start, end - start + 1); ++ const char *field = tmp; ++ int term = is_var ? 2 : 1; + + if (is_var) { +- field = grub_env_get (temp); ++ field = grub_env_get (tmp); + if (!field) + return buffer; + } + +- if (!buffer) { +- buffer = grub_strdup(field); +- if (!buffer) +- return NULL; +- } else { +- buffer = grub_realloc (buffer, grub_strlen(buffer) + grub_strlen(field)); +- if (!buffer) +- return NULL; ++ if (!buffer) ++ buffer = grub_zalloc (grub_strlen(field) + term); ++ else ++ buffer = grub_realloc (buffer, grub_strlen(buffer) + grub_strlen(field) + term); + +- grub_stpcpy (buffer + grub_strlen(buffer), field); +- } ++ if (!buffer) ++ return NULL; ++ ++ tmp = buffer + grub_strlen(buffer); ++ tmp = grub_stpcpy (tmp, field); ++ ++ if (is_var) ++ tmp = grub_stpcpy (tmp, " "); + + return buffer; + } +@@ -646,6 +649,8 @@ static char *expand_val(char *value) + buffer = field_append(is_var, buffer, start, end); + is_var = false; + start = value; ++ if (*start == ' ') ++ start++; + } + } + diff --git a/SOURCES/centos-ca-secureboot.der b/SOURCES/centos-ca-secureboot.der deleted file mode 100644 index 44a2563..0000000 Binary files a/SOURCES/centos-ca-secureboot.der and /dev/null differ diff --git a/SOURCES/centossecureboot001.crt b/SOURCES/centossecureboot001.crt deleted file mode 100644 index 321c4ec..0000000 --- a/SOURCES/centossecureboot001.crt +++ /dev/null @@ -1,81 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: - b6:16:15:71:72:fb:31:7e - Signature Algorithm: sha256WithRSAEncryption - Issuer: CN=CentOS Secure Boot (CA key 1)/emailAddress=security@centos.org - Validity - Not Before: Aug 1 11:47:30 2018 GMT - Not After : Dec 31 11:47:30 2037 GMT - Subject: CN=CentOS Secure Boot (key 1)/emailAddress=security@centos.org - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - RSA Public Key: (2048 bit) - Modulus (2048 bit): - 00:c1:a3:6a:f4:2d:71:83:6c:21:ca:0c:b7:ac:fa: - 76:80:43:03:40:87:5d:de:e9:1e:df:ad:e7:2b:51: - cb:f8:31:0f:9a:db:ab:23:25:04:11:05:57:7d:f2: - 4b:8d:1e:b3:75:78:1d:b9:57:8b:18:0b:bb:7e:e3: - 24:0f:6a:40:5f:2b:4f:03:a5:85:94:d2:f9:08:a0: - bc:db:a5:ea:4f:7f:e8:7c:d1:a9:f8:f0:9c:25:18: - 00:14:c4:c4:35:7d:1d:4c:8a:8d:95:f8:ed:65:97: - a5:a4:da:7d:cb:f0:33:3b:b7:03:94:68:47:05:57: - 6c:96:91:ac:14:f2:e3:f6:6d:4a:18:cf:68:8a:35: - 6f:8e:26:99:7f:db:c9:83:54:c2:c3:bf:ad:45:a0: - aa:a0:86:5f:20:b1:86:1b:ae:b7:28:15:11:f9:65: - 53:5d:70:33:9b:a3:c7:b5:c8:11:ff:55:3b:e7:46: - f1:6c:6b:8c:bb:f2:9f:36:23:b1:2d:23:2f:8f:4f: - 6c:a8:cc:ae:f5:56:9e:22:6c:0e:9a:4a:b1:bd:b2: - 76:15:5c:05:85:b8:5e:dc:8c:a5:c3:e0:75:51:a4: - 94:9b:03:2e:7b:f8:d3:b9:dd:7f:88:ce:2e:2f:28: - 4c:b4:92:2f:e6:e0:67:0a:d0:ff:c5:d2:79:a6:ef: - 94:0f - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: critical - CA:FALSE - X509v3 Key Usage: - Digital Signature - X509v3 Subject Key Identifier: - F0:37:C6:EA:EC:36:D4:05:7A:52:6C:0E:C6:D5:A9:5B:32:4E:E1:29 - X509v3 Authority Key Identifier: - keyid:54:EC:81:85:89:3E:E9:1A:DB:08:F7:44:88:54:7E:8E:3F:74:3A:F3 - - Signature Algorithm: sha256WithRSAEncryption - 97:97:ba:a6:0b:5b:bb:84:39:2e:ef:8b:51:9a:89:bb:65:3c: - dc:15:d0:5a:88:c5:af:ce:93:f5:c1:74:98:15:59:a9:38:da: - 11:fd:46:d5:4f:23:7c:03:1f:ae:0c:70:93:94:a7:61:2f:4b: - 2f:5f:bb:cc:8a:d7:4a:24:66:73:85:b4:19:13:fc:6a:61:4a: - 28:1f:a2:38:f4:72:90:03:c4:3e:64:63:8b:fb:15:22:22:4e: - b9:43:d9:b4:3d:3a:60:c1:4d:3a:09:85:68:7a:bc:3b:f9:ef: - f3:f5:e9:c9:4f:80:8c:c6:e9:cb:ef:28:44:b0:5d:d4:9e:4f: - 0f:02:9a:65:aa:98:35:b4:6f:d2:80:e3:08:ef:12:d0:17:56: - a6:a1:42:1e:1d:ab:e5:33:c0:fd:88:0d:40:42:81:c8:27:30: - 17:07:57:3e:05:9d:aa:05:0e:5b:3a:79:b4:29:aa:7c:42:5a: - ad:43:59:fb:34:4d:dc:62:58:63:e4:fb:de:bb:fd:6c:4e:97: - 58:f4:b9:99:4a:71:fe:7f:16:50:55:25:46:39:96:9b:88:6c: - 75:19:33:9e:70:b3:04:82:fe:16:a8:8e:22:47:83:6d:16:77: - da:26:ad:31:d8:06:6d:c5:7e:46:4b:21:ab:ae:ec:2a:93:71: - da:7f:89:1d ------BEGIN CERTIFICATE----- -MIIDdTCCAl2gAwIBAgIJALYWFXFy+zF+MA0GCSqGSIb3DQEBCwUAMEwxJjAkBgNV -BAMMHUNlbnRPUyBTZWN1cmUgQm9vdCAoQ0Ega2V5IDEpMSIwIAYJKoZIhvcNAQkB -FhNzZWN1cml0eUBjZW50b3Mub3JnMB4XDTE4MDgwMTExNDczMFoXDTM3MTIzMTEx -NDczMFowSTEjMCEGA1UEAxMaQ2VudE9TIFNlY3VyZSBCb290IChrZXkgMSkxIjAg -BgkqhkiG9w0BCQEWE3NlY3VyaXR5QGNlbnRvcy5vcmcwggEiMA0GCSqGSIb3DQEB -AQUAA4IBDwAwggEKAoIBAQDBo2r0LXGDbCHKDLes+naAQwNAh13e6R7frecrUcv4 -MQ+a26sjJQQRBVd98kuNHrN1eB25V4sYC7t+4yQPakBfK08DpYWU0vkIoLzbpepP -f+h80an48JwlGAAUxMQ1fR1Mio2V+O1ll6Wk2n3L8DM7twOUaEcFV2yWkawU8uP2 -bUoYz2iKNW+OJpl/28mDVMLDv61FoKqghl8gsYYbrrcoFRH5ZVNdcDObo8e1yBH/ -VTvnRvFsa4y78p82I7EtIy+PT2yozK71Vp4ibA6aSrG9snYVXAWFuF7cjKXD4HVR -pJSbAy57+NO53X+Izi4vKEy0ki/m4GcK0P/F0nmm75QPAgMBAAGjXTBbMAwGA1Ud -EwEB/wQCMAAwCwYDVR0PBAQDAgeAMB0GA1UdDgQWBBTwN8bq7DbUBXpSbA7G1alb -Mk7hKTAfBgNVHSMEGDAWgBRU7IGFiT7pGtsI90SIVH6OP3Q68zANBgkqhkiG9w0B -AQsFAAOCAQEAl5e6pgtbu4Q5Lu+LUZqJu2U83BXQWojFr86T9cF0mBVZqTjaEf1G -1U8jfAMfrgxwk5SnYS9LL1+7zIrXSiRmc4W0GRP8amFKKB+iOPRykAPEPmRji/sV -IiJOuUPZtD06YMFNOgmFaHq8O/nv8/XpyU+AjMbpy+8oRLBd1J5PDwKaZaqYNbRv -0oDjCO8S0BdWpqFCHh2r5TPA/YgNQEKByCcwFwdXPgWdqgUOWzp5tCmqfEJarUNZ -+zRN3GJYY+T73rv9bE6XWPS5mUpx/n8WUFUlRjmWm4hsdRkznnCzBIL+FqiOIkeD -bRZ32iatMdgGbcV+Rkshq67sKpNx2n+JHQ== ------END CERTIFICATE----- diff --git a/SOURCES/grub.patches b/SOURCES/grub.patches index 06f0993..ea7ecf6 100644 --- a/SOURCES/grub.patches +++ b/SOURCES/grub.patches @@ -263,6 +263,9 @@ Patch0262: 0262-blscfg-fallback-to-default_kernelopts-if-BLS-option-.patch Patch0263: 0263-Remove-bogus-load_env-after-blscfg-command-in-10_lin.patch Patch0264: 0264-10_linux_bls-use-to-separate-id-argument-due-a-Petit.patch Patch0265: 0265-10_linux_bls-don-t-add-users-option-to-generated-men.patch -Patch0266: 0266-unix-platform-Initialize-variable-to-fix-grub-instal.patch -Patch0267: 0267-grub-set-bootflag-Update-comment-about-running-as-ro.patch -Patch0268: 0268-grub-set-bootflag-Write-new-env-to-tmpfile-and-then-.patch +Patch0266: 0266-grub-set-bootflag-Update-comment-about-running-as-ro.patch +Patch0267: 0267-grub-set-bootflag-Write-new-env-to-tmpfile-and-then-.patch +Patch0268: 0268-Fix-PRIxGRUB_EFI_STATUS-definition.patch +Patch0269: 0269-TPM-Print-messages-if-measuraments-fail-as-debug-ins.patch +Patch0270: 0270-unix-platform-Initialize-variable-to-fix-grub-instal.patch +Patch0271: 0271-blscfg-add-a-space-char-when-appending-fields-for-va.patch diff --git a/SPECS/grub2.spec b/SPECS/grub2.spec index fb0fc09..844c1fc 100644 --- a/SPECS/grub2.spec +++ b/SPECS/grub2.spec @@ -7,7 +7,7 @@ Name: grub2 Epoch: 1 Version: 2.02 -Release: 78%{?dist}.1 +Release: 81%{?dist} Summary: Bootloader with support for Linux, Multiboot and more Group: System Environment/Base License: GPLv3+ @@ -24,8 +24,8 @@ Source6: gitignore Source8: strtoull_test.c Source9: 20-grub.install Source12: 99-grub-mkconfig.install -Source13: centos-ca-secureboot.der -Source14: centossecureboot001.crt +Source13: securebootca.cer +Source14: secureboot.cer %include %{SOURCE1} @@ -52,11 +52,7 @@ BuildRequires: pesign >= 0.99-8 BuildRequires: ccache %endif -%if 0%{?centos} -%global efidir centos -%endif - -ExcludeArch: s390 s390x +ExcludeArch: s390 s390x %{arm} Obsoletes: %{name} <= %{evr} %if 0%{with_legacy_arch} @@ -168,10 +164,10 @@ git commit -m "After making subdirs" %build %if 0%{with_efi_arch} -%{expand:%do_primary_efi_build %%{grubefiarch} %%{grubefiname} %%{grubeficdname} %%{_target_platform} %%{efi_target_cflags} %%{efi_host_cflags} %{SOURCE13} %{SOURCE14} centossecureboot001} +%{expand:%do_primary_efi_build %%{grubefiarch} %%{grubefiname} %%{grubeficdname} %%{_target_platform} %%{efi_target_cflags} %%{efi_host_cflags} %{SOURCE13} %{SOURCE14} redhatsecureboot301} %endif %if 0%{with_alt_efi_arch} -%{expand:%do_alt_efi_build %%{grubaltefiarch} %%{grubaltefiname} %%{grubalteficdname} %%{_alt_target_platform} %%{alt_efi_target_cflags} %%{alt_efi_host_cflags} %{SOURCE13} %{SOURCE14} centossecureboot001} +%{expand:%do_alt_efi_build %%{grubaltefiarch} %%{grubaltefiname} %%{grubalteficdname} %%{_alt_target_platform} %%{alt_efi_target_cflags} %%{alt_efi_host_cflags} %{SOURCE13} %{SOURCE14} redhatsecureboot301} %endif %if 0%{with_legacy_arch} %{expand:%do_legacy_build %%{grublegacyarch}} @@ -502,10 +498,21 @@ fi %endif %changelog -* Tue Feb 04 2020 CentOS Sources - 2.02-78.el8.centos.1 -- Apply debranding changes - -* Tue Dec 03 2019 Javier Martinez Canillas - 2.02-78.el8_1.1 +* Thu Dec 05 2019 Javier Martinez Canillas - 2.02-81 +- Another fix for blscfg variable expansion support + Related: rhbz#1669252 + +* Thu Nov 28 2019 Javier Martinez Canillas - 2.02-80 +- Fix PRIxGRUB_EFI_STATUS definition + Related: rhbz#1761811 +- TPM: Print messages if measuraments fail as debug instead of error + Resolves: rhbz#1761811 +- unix/platform: Initialize variable to fix grub-install on UEFI system + Resolves: rhbz#1768689 +- blscfg: add a space char when appending fields for variable expansion + Resolves: rhbz#1669252 + +* Fri Nov 22 2019 Javier Martinez Canillas - 2.02-79 - grub-set-bootflag: Write new env to tmpfile and then rename (hdegoede) Resolves: CVE-2019-14865