diff --git a/SOURCES/0259-HTTP-boot-strncmp-returns-0-on-equal.patch b/SOURCES/0259-HTTP-boot-strncmp-returns-0-on-equal.patch
new file mode 100644
index 0000000..e3edefb
--- /dev/null
+++ b/SOURCES/0259-HTTP-boot-strncmp-returns-0-on-equal.patch
@@ -0,0 +1,23 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Stephen Benjamin
+Date: Fri, 12 Apr 2019 10:43:13 -0400
+Subject: [PATCH] HTTP boot: strncmp returns 0 on equal
+
+Resolves: rhbz#1490991
+---
+ grub-core/net/efi/http.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/net/efi/http.c b/grub-core/net/efi/http.c
+index 2a9624dacc4..484e0c68cee 100644
+--- a/grub-core/net/efi/http.c
++++ b/grub-core/net/efi/http.c
+@@ -19,7 +19,7 @@ http_configure (struct grub_efi_net_device *dev, int prefer_ip6)
+ const char *rest, *http_server, *http_path = NULL;
+
+ http_server = grub_env_get ("root");
+- https = grub_strncmp (http_server, "https", 5) ? 1 : 0;
++ https = (grub_strncmp (http_server, "https", 5) == 0) ? 1 : 0;
+
+ /* extract http server + port */
+ if (http_server)
diff --git a/SOURCES/0260-Don-t-duplicate-net-name-string-if-not-needed.patch b/SOURCES/0260-Don-t-duplicate-net-name-string-if-not-needed.patch
new file mode 100644
index 0000000..f890e90
--- /dev/null
+++ b/SOURCES/0260-Don-t-duplicate-net-name-string-if-not-needed.patch
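Review bot: `grub_strncmp (http_server, "https", 5)` still runs before the `if (http_server)` check that follows it in this hunk, so an unset `root` variable (for which `grub_env_get` returns NULL) would be passed straight into the comparison. Folding the NULL test into the assignment keeps the corrected sense of the comparison and removes that path: `https = (http_server && grub_strncmp (http_server, "https", 5) == 0) ? 1 : 0;`. The inverted test this patch fixes swapped the HTTP and HTTPS cases without any visible error, so a one-line comment stating what `https` selects would help the next reader. The rest of http_configure lies outside the hunk, so whether `root` can really be unset at this point needs checking against the callers.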
@@ -0,0 +1,53 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas
+Date: Thu, 25 Apr 2019 17:50:23 +0200
+Subject: [PATCH] Don't duplicate net->name string if not needed
+
+Related: rhbz#1490991
+
+Signed-off-by: Javier Martinez Canillas
+---
+ grub-core/net/efi/http.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/grub-core/net/efi/http.c b/grub-core/net/efi/http.c
+index 484e0c68cee..de351b2cd03 100644
+--- a/grub-core/net/efi/http.c
++++ b/grub-core/net/efi/http.c
+@@ -394,27 +394,27 @@ grub_efihttp_open (struct grub_efi_net_device *dev,
+ grub_err_t err;
+ grub_off_t size;
+ char *buf;
+- char *file_name;
++ char *file_name = NULL;
+ const char *http_path;
+
+ /* If path is relative, prepend http_path */
+ http_path = grub_env_get ("http_path");
+- if (http_path && file->device->net->name[0] != '/')
++ if (http_path && file->device->net->name[0] != '/') {
+ file_name = grub_xasprintf ("%s/%s", http_path, file->device->net->name);
+- else
+- file_name = grub_strdup (file->device->net->name);
++ if (!file_name)
++ return grub_errno;
++ }
+
+- if (!file_name)
+- return grub_errno;
+-
+- err = efihttp_request (dev->http, file->device->net->server, file_name, type, 1, 0);
++ err = efihttp_request (dev->http, file->device->net->server,
++ file_name ? file_name : file->device->net->name, type, 1, 0);
+ if (err != GRUB_ERR_NONE)
+ {
+ grub_free (file_name);
+ return err;
+ }
+
+- err = efihttp_request (dev->http, file->device->net->server, file_name, type, 0, &size);
++ err = efihttp_request (dev->http, file->device->net->server,
++ file_name ? file_name : file->device->net->name, type, 0, &size);
+ grub_free (file_name);
+ if (err != GRUB_ERR_NONE)
+ {
diff --git a/SOURCES/0261-Try-to-set-fPIE-and-friends-on-libgnu.a.patch b/SOURCES/0261-Try-to-set-fPIE-and-friends-on-libgnu.a.patch
new file mode 100644
index 0000000..17f5179
--- /dev/null
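Review bot: The expression `file_name ? file_name : file->device->net->name` is now written out in both `efihttp_request` calls with nothing tying the two together, so a later edit to one call could make the two requests ask for different paths. Computing it once, e.g. `const char *path = file_name ? file_name : file->device->net->name;`, and passing `path` to both calls makes that invariant visible. The new `if (...) {` also puts the brace on the same line, while the surrounding code in this hunk uses the brace-on-next-line form (`if (err != GRUB_ERR_NONE)` followed by `{`). A short comment that `file_name` stays NULL when no copy is made, and that the later `grub_free (file_name)` calls rely on freeing NULL being a no-op, would document the ownership change. grub_efihttp_open continues past the end of the hunk.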
+++ b/SOURCES/0261-Try-to-set-fPIE-and-friends-on-libgnu.a.patch
@@ -0,0 +1,39 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Jones
+Date: Tue, 15 Jan 2019 14:57:25 -0500
+Subject: [PATCH] Try to set -fPIE and friends on libgnu.a
+
+In order to make sure UTIL_CFLAGS and UTIL_LDFLAGS can correctly get
+-Wl,-z,relro,-z,now , we need everything going in them to be built with at
+least -fPIC (and preferably -fPIE) wherever we can, or else we get relocations
+in some component object that can't be used with the link type that's being
+used for the final ELF object.
+
+So this makes sure libgnu.a gets built with HOST_CFLAGS and HOST_LDFLAGS,
+which are what is later used to define UTIL_CFLAGS and UTIL_LDFLAGS, and
+includes -fPIE.
+
+Fixes an rpmdiff check.
+
+Related: rhbz#1658500
+
+Signed-off-by: Peter Jones
+---
+ grub-core/gnulib/Makefile.am | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/gnulib/Makefile.am b/grub-core/gnulib/Makefile.am
+index b7c5e60e1c3..bd3621930ff 100644
+--- a/grub-core/gnulib/Makefile.am
++++ b/grub-core/gnulib/Makefile.am
+@@ -38,8 +38,8 @@ CLEANFILES =
+ DISTCLEANFILES =
+ MAINTAINERCLEANFILES =
+
+-AM_CPPFLAGS =
+-AM_CFLAGS =
++AM_CPPFLAGS = $(HOST_CPPFLAGS)
++AM_CFLAGS = $(HOST_CFLAGS)
+
+ noinst_LIBRARIES += libgnu.a
+
diff --git a/SOURCES/0262-blscfg-fallback-to-default_kernelopts-if-BLS-option-.patch b/SOURCES/0262-blscfg-fallback-to-default_kernelopts-if-BLS-option-.patch
new file mode 100644
index 0000000..13e589f
--- /dev/null
+++ b/SOURCES/0262-blscfg-fallback-to-default_kernelopts-if-BLS-option-.patch
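Review bot: The commit message says libgnu.a is built with HOST_CFLAGS and HOST_LDFLAGS, but the hunk assigns only `AM_CPPFLAGS = $(HOST_CPPFLAGS)` and `AM_CFLAGS = $(HOST_CFLAGS)`; no linker flags are set here. That is probably fine for a static archive, yet the reason for the assignment is not recorded in the Makefile itself. A comment above the two lines such as `# Build libgnu.a with the host flags (incl. -fPIE) so it can be linked into hardened (relro/now) utilities` would keep a later cleanup from emptying them again and silently dropping the hardening.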
@@ -0,0 +1,60 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas
+Date: Tue, 26 Feb 2019 20:11:27 +0100
+Subject: [PATCH] blscfg: fallback to default_kernelopts if BLS option field
+ isn't set
+
+If the $kernelopts variable isn't found, then the entry will fail to boot
+since there won't be a kernel command line params set. This makes the BLS
+configuration more fragile than a non-BLS one, since in that case it will
+boot even without a correct grubenv file.
+
+So set a $default_kernelopts in the GRUB config file that will be used as
+a fallback if the value in the BLS options field can't be resolved.
+
+Related: rhbz#1625124
+
+Signed-off-by: Javier Martinez Canillas
+---
+ grub-core/commands/blscfg.c | 7 +++++++
+ util/grub.d/10_linux.in | 2 ++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/grub-core/commands/blscfg.c b/grub-core/commands/blscfg.c
+index c432c6ba27a..11cc82b6f31 100644
+--- a/grub-core/commands/blscfg.c
++++ b/grub-core/commands/blscfg.c
+@@ -628,6 +628,9 @@ static char *expand_val(char *value)
+ char *end = value;
+ bool is_var = false;
+
++ if (!value)
++ return NULL;
++
+ while (*value) {
+ if (*value == '$') {
+ if (start != end) {
+@@ -701,6 +704,10 @@ static void create_entry (struct bls_entry *entry)
+
+ title = bls_get_val (entry, "title", NULL);
+ options = expand_val (bls_get_val (entry, "options", NULL));
++
++ if (!options)
++ options = expand_val (grub_env_get("default_kernelopts"));
++
+ initrds = bls_make_list (entry, "initrd", NULL);
+
+ hotkey = bls_get_val (entry, "grub_hotkey", NULL);
+diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in
+index da2992ac9f1..04fd8953f40 100644
+--- a/util/grub.d/10_linux.in
++++ b/util/grub.d/10_linux.in
+@@ -158,6 +158,8 @@ linux_entry ()
+ populate_header_warn
+
+ cat << EOF
++set default_kernelopts="root=${linux_root_device_thisversion} ro ${args}"
++
+ insmod blscfg
+ blscfg
+ if [ -s \$prefix/grubenv ]; then
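Review bot: In create_entry the fallback `options = expand_val (grub_env_get("default_kernelopts"));` is taken silently, and `options` can still be NULL afterwards if `default_kernelopts` is unset as well. The fallback value is written at config-generation time by the 10_linux.in part of this patch (`root=... ro ${args}`), so an entry booted this way may run with a different kernel command line than the one the BLS `options` field was meant to resolve to, which matters when that command line carries security-relevant parameters. A debug message at the fallback, for example `grub_dprintf ("blscfg", "options unresolved, using default_kernelopts\n");`, would make this visible when diagnosing a boot. `grub_env_get` returns `const char *` while `expand_val` takes `char *`, so the call also discards a qualifier; whether expand_val writes through the pointer is not visible in this hunk. The `set default_kernelopts="... ${args}"` line interpolates `${args}` unescaped inside double quotes, so a quote character in the configured arguments would break the generated line.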
diff --git a/SOURCES/0263-Remove-bogus-load_env-after-blscfg-command-in-10_lin.patch b/SOURCES/0263-Remove-bogus-load_env-after-blscfg-command-in-10_lin.patch
new file mode 100644
index 0000000..7b09d5f
--- /dev/null
+++ b/SOURCES/0263-Remove-bogus-load_env-after-blscfg-command-in-10_lin.patch
@@ -0,0 +1,27 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas
+Date: Tue, 14 May 2019 20:37:44 +0200
+Subject: [PATCH] Remove bogus load_env after blscfg command in 10_linux
+
+The grubenv is already loaded in the 00_header snippet, so there's
+no need to load it anywhere else.
+
+Signed-off-by: Javier Martinez Canillas
+---
+ util/grub.d/10_linux.in | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in
+index 04fd8953f40..58d18504790 100644
+--- a/util/grub.d/10_linux.in
++++ b/util/grub.d/10_linux.in
+@@ -162,9 +162,6 @@ set default_kernelopts="root=${linux_root_device_thisversion} ro ${args}"
+
+ insmod blscfg
+ blscfg
+-if [ -s \$prefix/grubenv ]; then
+- load_env
+-fi
+ EOF
+
+ if [ "x${GRUB_GRUBENV_UPDATE}" = "xyes" ]; then
diff --git a/SOURCES/0264-10_linux_bls-use-to-separate-id-argument-due-a-Petit.patch b/SOURCES/0264-10_linux_bls-use-to-separate-id-argument-due-a-Petit.patch
new file mode 100644
index 0000000..2ea8828
--- /dev/null
+++ b/SOURCES/0264-10_linux_bls-use-to-separate-id-argument-due-a-Petit.patch
@@ -0,0 +1,33 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas
+Date: Wed, 19 Jun 2019 15:57:17 +0200
+Subject: [PATCH] 10_linux_bls: use '=' to separate --id argument due a
+ Petitboot bug
+
+The GRUB menuentry command allows to separate the arguments for options
+using either a '=' or a ' '. The latter is the convention used when the
+menu entries are defined in the GRUB config file, but this is currently
+not supported by Petitboot.
+
+So as a workaround define the menu entries using '--id=${bls}' instead.
+
+Resolves: rhbz#1721815
+
+Signed-off-by: Javier Martinez Canillas
+---
+ util/grub.d/10_linux_bls.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/util/grub.d/10_linux_bls.in b/util/grub.d/10_linux_bls.in
+index 175bedd0763..8e07a79322b 100644
+--- a/util/grub.d/10_linux_bls.in
++++ b/util/grub.d/10_linux_bls.in
+@@ -180,7 +180,7 @@ populate_menu()
+ for bls in "${files[@]}" ; do
+ read_config "${blsdir}/${bls}.conf"
+
+- menu="${menu}menuentry '${title}' --class ${grub_class} ${grub_arg} --users ${grub_users} --id ${bls} {\n"
++ menu="${menu}menuentry '${title}' --class ${grub_class} ${grub_arg} --users ${grub_users} --id=${bls} {\n"
+ menu="${menu}\t linux ${linux} ${options}\n"
+ if [ -n "${initrd}" ] ; then
+ menu="${menu}\t initrd ${boot_prefix}${initrd}\n"
diff --git a/SOURCES/0265-10_linux_bls-don-t-add-users-option-to-generated-men.patch b/SOURCES/0265-10_linux_bls-don-t-add-users-option-to-generated-men.patch
new file mode 100644
index 0000000..5b5ecdc
--- /dev/null
+++ b/SOURCES/0265-10_linux_bls-don-t-add-users-option-to-generated-men.patch
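Review bot: The changed `menu=` line still places `${title}` between single quotes and `${bls}` bare in the generated menuentry, with no escaping of either value; `${bls}` is a file name from `files[@]` and `${title}` is presumably set by `read_config` from the snippet, which is outside this hunk. A title containing a single quote would end the quoted string early and corrupt the generated entry. Escaping the value before interpolation would close that, for instance with `grub_quote` from grub-mkconfig_lib if this script sources it: `title="$(echo "${title}" | grub_quote)"`. The same line is touched again by patch 0265 in this series, so the point applies there as well.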
@@ -0,0 +1,37 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas
+Date: Thu, 28 Mar 2019 16:34:42 +0100
+Subject: [PATCH] 10_linux_bls: don't add --users option to generated menu
+ entries
+
+The generated menu entries have a --users $grub_users option but this will
+fail on old versions of GRUB, since it expects the --users option argument
+to either be a constant or a variable that has been set.
+
+The latest GRUB version fix this but the GRUB core isn't updated on a GRUB
+package update, so this will cause the entries to not be shown in the menu
+after a system upgrade.
+
+Since can cause issues and because the entries that weren't generated from
+the BLS snippets didn't have the --users option either, just don't add it.
+
+Resolves: rhbz#1755815
+
+Signed-off-by: Javier Martinez Canillas
+---
+ util/grub.d/10_linux_bls.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/util/grub.d/10_linux_bls.in b/util/grub.d/10_linux_bls.in
+index 8e07a79322b..855dbdd190b 100644
+--- a/util/grub.d/10_linux_bls.in
++++ b/util/grub.d/10_linux_bls.in
+@@ -180,7 +180,7 @@ populate_menu()
+ for bls in "${files[@]}" ; do
+ read_config "${blsdir}/${bls}.conf"
+
+- menu="${menu}menuentry '${title}' --class ${grub_class} ${grub_arg} --users ${grub_users} --id=${bls} {\n"
++ menu="${menu}menuentry '${title}' --class ${grub_class} ${grub_arg} --id=${bls} {\n"
+ menu="${menu}\t linux ${linux} ${options}\n"
+ if [ -n "${initrd}" ] ; then
+ menu="${menu}\t initrd ${boot_prefix}${initrd}\n"
diff --git a/SOURCES/centos-ca-secureboot.der b/SOURCES/centos-ca-secureboot.der
deleted file mode 100644
index 44a2563..0000000
Binary files a/SOURCES/centos-ca-secureboot.der and /dev/null differ
diff --git a/SOURCES/centossecureboot001.crt b/SOURCES/centossecureboot001.crt
deleted file mode 100644
index 321c4ec..0000000
--- a/SOURCES/centossecureboot001.crt
+++ /dev/null
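Review bot: With `--users ${grub_users}` removed, the generated entry's access control rests entirely on whatever `${grub_arg}` expands to, and a `grub_users` value in a BLS snippet is now ignored by this generator without any notice. On systems that set a GRUB superuser password this may change who is allowed to boot an entry, so the decision should be recorded next to the line. A comment such as `# --users is intentionally omitted (older GRUB cores reject an unset variable); per-entry access comes from ${grub_arg} only` would do. populate_menu begins and ends outside the hunk, so whether `grub_users` is still read elsewhere cannot be checked from here.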
@@ -1,81 +0,0 @@
-Certificate:
- Data:
- Version: 3 (0x2)
- Serial Number:
- b6:16:15:71:72:fb:31:7e
- Signature Algorithm: sha256WithRSAEncryption
- Issuer: CN=CentOS Secure Boot (CA key 1)/emailAddress=security@centos.org
- Validity
- Not Before: Aug 1 11:47:30 2018 GMT
- Not After : Dec 31 11:47:30 2037 GMT
- Subject: CN=CentOS Secure Boot (key 1)/emailAddress=security@centos.org
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- RSA Public Key: (2048 bit)
- Modulus (2048 bit):
- 00:c1:a3:6a:f4:2d:71:83:6c:21:ca:0c:b7:ac:fa:
- 76:80:43:03:40:87:5d:de:e9:1e:df:ad:e7:2b:51:
- cb:f8:31:0f:9a:db:ab:23:25:04:11:05:57:7d:f2:
- 4b:8d:1e:b3:75:78:1d:b9:57:8b:18:0b:bb:7e:e3:
- 24:0f:6a:40:5f:2b:4f:03:a5:85:94:d2:f9:08:a0:
- bc:db:a5:ea:4f:7f:e8:7c:d1:a9:f8:f0:9c:25:18:
- 00:14:c4:c4:35:7d:1d:4c:8a:8d:95:f8:ed:65:97:
- a5:a4:da:7d:cb:f0:33:3b:b7:03:94:68:47:05:57:
- 6c:96:91:ac:14:f2:e3:f6:6d:4a:18:cf:68:8a:35:
- 6f:8e:26:99:7f:db:c9:83:54:c2:c3:bf:ad:45:a0:
- aa:a0:86:5f:20:b1:86:1b:ae:b7:28:15:11:f9:65:
- 53:5d:70:33:9b:a3:c7:b5:c8:11:ff:55:3b:e7:46:
- f1:6c:6b:8c:bb:f2:9f:36:23:b1:2d:23:2f:8f:4f:
- 6c:a8:cc:ae:f5:56:9e:22:6c:0e:9a:4a:b1:bd:b2:
- 76:15:5c:05:85:b8:5e:dc:8c:a5:c3:e0:75:51:a4:
- 94:9b:03:2e:7b:f8:d3:b9:dd:7f:88:ce:2e:2f:28:
- 4c:b4:92:2f:e6:e0:67:0a:d0:ff:c5:d2:79:a6:ef:
- 94:0f
- Exponent: 65537 (0x10001)
- X509v3 extensions:
- X509v3 Basic Constraints: critical
- CA:FALSE
- X509v3 Key Usage:
- Digital Signature
- X509v3 Subject Key Identifier:
- F0:37:C6:EA:EC:36:D4:05:7A:52:6C:0E:C6:D5:A9:5B:32:4E:E1:29
- X509v3 Authority Key Identifier:
- keyid:54:EC:81:85:89:3E:E9:1A:DB:08:F7:44:88:54:7E:8E:3F:74:3A:F3
-
- Signature Algorithm: sha256WithRSAEncryption
- 97:97:ba:a6:0b:5b:bb:84:39:2e:ef:8b:51:9a:89:bb:65:3c:
- dc:15:d0:5a:88:c5:af:ce:93:f5:c1:74:98:15:59:a9:38:da:
- 11:fd:46:d5:4f:23:7c:03:1f:ae:0c:70:93:94:a7:61:2f:4b:
- 2f:5f:bb:cc:8a:d7:4a:24:66:73:85:b4:19:13:fc:6a:61:4a:
- 28:1f:a2:38:f4:72:90:03:c4:3e:64:63:8b:fb:15:22:22:4e:
- b9:43:d9:b4:3d:3a:60:c1:4d:3a:09:85:68:7a:bc:3b:f9:ef:
- f3:f5:e9:c9:4f:80:8c:c6:e9:cb:ef:28:44:b0:5d:d4:9e:4f:
- 0f:02:9a:65:aa:98:35:b4:6f:d2:80:e3:08:ef:12:d0:17:56:
- a6:a1:42:1e:1d:ab:e5:33:c0:fd:88:0d:40:42:81:c8:27:30:
- 17:07:57:3e:05:9d:aa:05:0e:5b:3a:79:b4:29:aa:7c:42:5a:
- ad:43:59:fb:34:4d:dc:62:58:63:e4:fb:de:bb:fd:6c:4e:97:
- 58:f4:b9:99:4a:71:fe:7f:16:50:55:25:46:39:96:9b:88:6c:
- 75:19:33:9e:70:b3:04:82:fe:16:a8:8e:22:47:83:6d:16:77:
- da:26:ad:31:d8:06:6d:c5:7e:46:4b:21:ab:ae:ec:2a:93:71:
- da:7f:89:1d
------BEGIN CERTIFICATE-----
-MIIDdTCCAl2gAwIBAgIJALYWFXFy+zF+MA0GCSqGSIb3DQEBCwUAMEwxJjAkBgNV
-BAMMHUNlbnRPUyBTZWN1cmUgQm9vdCAoQ0Ega2V5IDEpMSIwIAYJKoZIhvcNAQkB
-FhNzZWN1cml0eUBjZW50b3Mub3JnMB4XDTE4MDgwMTExNDczMFoXDTM3MTIzMTEx
-NDczMFowSTEjMCEGA1UEAxMaQ2VudE9TIFNlY3VyZSBCb290IChrZXkgMSkxIjAg
-BgkqhkiG9w0BCQEWE3NlY3VyaXR5QGNlbnRvcy5vcmcwggEiMA0GCSqGSIb3DQEB
-AQUAA4IBDwAwggEKAoIBAQDBo2r0LXGDbCHKDLes+naAQwNAh13e6R7frecrUcv4
-MQ+a26sjJQQRBVd98kuNHrN1eB25V4sYC7t+4yQPakBfK08DpYWU0vkIoLzbpepP
-f+h80an48JwlGAAUxMQ1fR1Mio2V+O1ll6Wk2n3L8DM7twOUaEcFV2yWkawU8uP2
-bUoYz2iKNW+OJpl/28mDVMLDv61FoKqghl8gsYYbrrcoFRH5ZVNdcDObo8e1yBH/
-VTvnRvFsa4y78p82I7EtIy+PT2yozK71Vp4ibA6aSrG9snYVXAWFuF7cjKXD4HVR
-pJSbAy57+NO53X+Izi4vKEy0ki/m4GcK0P/F0nmm75QPAgMBAAGjXTBbMAwGA1Ud
-EwEB/wQCMAAwCwYDVR0PBAQDAgeAMB0GA1UdDgQWBBTwN8bq7DbUBXpSbA7G1alb
-Mk7hKTAfBgNVHSMEGDAWgBRU7IGFiT7pGtsI90SIVH6OP3Q68zANBgkqhkiG9w0B
-AQsFAAOCAQEAl5e6pgtbu4Q5Lu+LUZqJu2U83BXQWojFr86T9cF0mBVZqTjaEf1G
-1U8jfAMfrgxwk5SnYS9LL1+7zIrXSiRmc4W0GRP8amFKKB+iOPRykAPEPmRji/sV
-IiJOuUPZtD06YMFNOgmFaHq8O/nv8/XpyU+AjMbpy+8oRLBd1J5PDwKaZaqYNbRv
-0oDjCO8S0BdWpqFCHh2r5TPA/YgNQEKByCcwFwdXPgWdqgUOWzp5tCmqfEJarUNZ
-+zRN3GJYY+T73rv9bE6XWPS5mUpx/n8WUFUlRjmWm4hsdRkznnCzBIL+FqiOIkeD
-bRZ32iatMdgGbcV+Rkshq67sKpNx2n+JHQ==
------END CERTIFICATE-----
diff --git a/SOURCES/grub.macros b/SOURCES/grub.macros
index 07f4114..1e3705f 100644
--- a/SOURCES/grub.macros
+++ b/SOURCES/grub.macros
@@ -17,7 +17,6 @@ %global cflags_sed \\\ sed \\\ -e 's/-O. //g' \\\ - -e 's/-g /-g3 /g' \\\ -e 's/-fplugin=annobin //g' \\\ -e 's,-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 ,,g' \\\ -e 's/-fstack-protector[[:alpha:]-]\\+//g' \\\ @@ -29,25 +28,44 @@ -e 's/^/ -fno-strict-aliasing /' \\\ %{nil} -%global host_cflags %{expand:%%(echo %{optflags} | %{cflags_sed})} -%global target_cflags %{expand:%%(echo %{optflags} | %{cflags_sed})} -%global legacy_target_cflags \\\ - %{expand:%%(echo %{target_cflags} | \\\ +%global host_cflags %{expand:%%(echo %{build_cflags} %{?_hardening_cflags} | %{cflags_sed})} +%global legacy_host_cflags \\\ + %{expand:%%(echo %{host_cflags} | \\\ %{cflags_sed} \\\ -e 's/-m64//g' \\\ -e 's/-mcpu=power[[:alnum:]]\\+/-mcpu=power6/g' \\\ )} -%global legacy_host_cflags \\\ - %{expand:%%(echo %{host_cflags} | \\\ +%global efi_host_cflags %{expand:%%(echo %{host_cflags})} + +%global target_cflags %{expand:%%(echo %{build_cflags} | %{cflags_sed})} +%global legacy_target_cflags \\\ + %{expand:%%(echo %{target_cflags} | \\\ %{cflags_sed} \\\ -e 's/-m64//g' \\\ -e 's/-mcpu=power[[:alnum:]]\\+/-mcpu=power6/g' \\\ )} - -%global efi_host_cflags %{expand:%%(echo %{host_cflags})} %global efi_target_cflags %{expand:%%(echo %{target_cflags})} +%global ldflags_sed \\\ + sed \\\ + -e 's/^$//' \\\ + %{nil} + +%global host_ldflags %{expand:%%(echo %{build_ldflags} %{?_hardening_ldflags} | %{ldflags_sed})} +%global legacy_host_ldflags \\\ + %{expand:%%(echo %{host_ldflags} | \\\ + %{ldflags_sed} \\\ + )} +%global efi_host_ldflags %{expand:%%(echo %{host_ldflags})} + +%global target_ldflags %{expand:%%(echo %{build_ldflags} -static | %{ldflags_sed})} +%global legacy_target_ldflags \\\ + %{expand:%%(echo %{target_ldflags} | \\\ + %{ldflags_sed} \\\ + )} +%global efi_target_ldflags %{expand:%%(echo %{target_ldflags})} + %global with_efi_arch 0 %global with_alt_efi_arch 0 %global with_legacy_arch 0 
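Review bot: `host_cflags` now adds `%{?_hardening_cflags}` but still pipes the result through `%{cflags_sed}`, which in the context lines of the first hunk strips `-fstack-protector...` and the `-O` level, so the host utilities may lose part of the hardening this change is meant to carry. If the stripping is only needed for the boot-time target code, the host side could use a separate, smaller filter; otherwise a comment stating why host flags are filtered as well is needed. The new `ldflags_sed` contains only `-e 's/^$//'`, which changes nothing, so it reads like a placeholder and should be commented as one. The macros file continues outside these hunks, so other uses of these globals were not checked.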
@@ -314,11 +332,12 @@ PYTHON=python3 ./autogen.sh \ %define do_efi_configure() \ %configure \\\ %{cc_equals} \\\ - HOST_CFLAGS="%{3} -I$(pwd)" \\\ - HOST_CPPFLAGS="${CPPFLAGS} -I$(pwd)" \\\ - TARGET_CFLAGS="%{2} -I$(pwd)" \\\ - TARGET_CPPFLAGS="${CPPFLAGS} -I$(pwd)" \\\ - TARGET_LDFLAGS=-static \\\ + HOST_CFLAGS="%{3}" \\\ + HOST_CPPFLAGS="-I$(pwd)" \\\ + HOST_LDFLAGS="%{efi_host_ldflags}" \\\ + TARGET_CFLAGS="%{2}" \\\ + TARGET_CPPFLAGS="-I$(pwd)" \\\ + TARGET_LDFLAGS="%{efi_target_ldflags}" \\\ --with-platform=efi \\\ --with-utils=host \\\ --target=%{1} \\\ @@ -401,9 +420,12 @@ cd .. \ cd grub-%{1}-%{tarversion} \ %configure \\\ %{cc_equals} \\\ - HOST_CFLAGS="%{legacy_host_cflags} -I$(pwd)" \\\ - TARGET_CFLAGS="%{legacy_target_cflags} -I$(pwd)" \\\ - TARGET_LDFLAGS=-static \\\ + HOST_CFLAGS="%{legacy_host_cflags}" \\\ + HOST_CPPFLAGS="-I$(pwd)" \\\ + HOST_LDFLAGS="%{legacy_host_ldflags}" \\\ + TARGET_CFLAGS="%{legacy_target_cflags}" \\\ + TARGET_CPPFLAGS="-I$(pwd)" \\\ + TARGET_LDFLAGS="%{legacy_target_ldflags}" \\\ --with-platform=%{platform} \\\ --with-utils=host \\\ --target=%{_target_platform} \\\ @@ -412,7 +434,7 @@ cd grub-%{1}-%{tarversion} \ --disable-grub-mount \\\ --disable-werror || ( cat config.log ; exit 1 ) \ git add . \ -git commit -m "After legacy configure" \ +git commit -m "After legacy configure" \ make %{?_smp_mflags} \ cd .. \ %{nil} @@ -532,7 +554,7 @@ touch ${RPM_BUILD_ROOT}/boot/%{name}/grub.cfg \ %dir %attr(0700,root,root)%{efi_esp_dir}/fonts \ %dir %attr(0700,root,root)/boot/loader/entries \ %ghost %config(noreplace) %attr(0700,root,root)%{efi_esp_dir}/grub.cfg \ -/boot/grub2/grubenv \ +%config(noreplace) /boot/grub2/grubenv \ %ghost %config(noreplace) %attr(0700,root,root)%{efi_esp_dir}/grubenv \ %{expand:%if 0%{?without_efi_modules} \ %exclude %{_libdir}/grub/%{6} \ diff --git a/SOURCES/grub.patches b/SOURCES/grub.patches index 558efbe..68fc691 100644 --- a/SOURCES/grub.patches +++ b/SOURCES/grub.patches 
@@ -256,3 +256,10 @@ Patch0255: 0255-Make-grub2-mkconfig-to-honour-GRUB_CMDLINE_LINUX-in-.patch Patch0256: 0256-grub-boot-success.timer-Add-a-few-Conditions-for-run.patch Patch0257: 0257-docs-Stop-using-polkit-pkexec-for-grub-boot-success..patch Patch0258: 0258-Fix-the-looking-up-grub.cfg-XXX-while-tftp-booting.patch +Patch0259: 0259-HTTP-boot-strncmp-returns-0-on-equal.patch +Patch0260: 0260-Don-t-duplicate-net-name-string-if-not-needed.patch +Patch0261: 0261-Try-to-set-fPIE-and-friends-on-libgnu.a.patch +Patch0262: 0262-blscfg-fallback-to-default_kernelopts-if-BLS-option-.patch +Patch0263: 0263-Remove-bogus-load_env-after-blscfg-command-in-10_lin.patch +Patch0264: 0264-10_linux_bls-use-to-separate-id-argument-due-a-Petit.patch +Patch0265: 0265-10_linux_bls-don-t-add-users-option-to-generated-men.patch diff --git a/SPECS/grub2.spec b/SPECS/grub2.spec index 93db856..361f0b7 100644 --- a/SPECS/grub2.spec +++ b/SPECS/grub2.spec @@ -7,7 +7,7 @@ Name: grub2 Epoch: 1 Version: 2.02 -Release: 66%{?dist}.1 +Release: 78%{?dist} Summary: Bootloader with support for Linux, Multiboot and more Group: System Environment/Base License: GPLv3+ @@ -24,8 +24,8 @@ Source6: gitignore Source8: strtoull_test.c Source9: 20-grub.install Source12: 99-grub-mkconfig.install -Source13: centos-ca-secureboot.der -Source14: centossecureboot001.crt +Source13: securebootca.cer +Source14: secureboot.cer %include %{SOURCE1} @@ -52,11 +52,7 @@ BuildRequires: pesign >= 0.99-8 BuildRequires: ccache %endif -%if 0%{?centos} -%global efidir centos -%endif - -ExcludeArch: s390 s390x +ExcludeArch: s390 s390x %{arm} Obsoletes: %{name} <= %{evr} %if 0%{with_legacy_arch} 
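Review bot: `Source13` and `Source14` now name `securebootca.cer` and `secureboot.cer`, but this diff only deletes `centos-ca-secureboot.der` and `centossecureboot001.crt`; no hunk in view adds the two new files. The `%build` hunk that follows (`@@ -168,10 +164,10 @@`) also switches the signing certificate name from `centossecureboot001` to `redhatsecureboot301`, and the `%global efidir centos` block is removed in the third hunk of this file. Taken together the package appears to be built against a different Secure Boot trust chain than before, so it is worth confirming that the new certificate files are supplied from elsewhere, that they match the key that actually signs the binaries, and that the shim or firmware on the target systems trusts that key. A comment next to `Source13`/`Source14` stating which CA and signing certificate they are expected to be would make a mismatch easier to spot in review.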
@@ -168,10 +164,10 @@ git commit -m "After making subdirs" %build %if 0%{with_efi_arch} -%{expand:%do_primary_efi_build %%{grubefiarch} %%{grubefiname} %%{grubeficdname} %%{_target_platform} %%{efi_target_cflags} %%{efi_host_cflags} %{SOURCE13} %{SOURCE14} centossecureboot001} +%{expand:%do_primary_efi_build %%{grubefiarch} %%{grubefiname} %%{grubeficdname} %%{_target_platform} %%{efi_target_cflags} %%{efi_host_cflags} %{SOURCE13} %{SOURCE14} redhatsecureboot301} %endif %if 0%{with_alt_efi_arch} -%{expand:%do_alt_efi_build %%{grubaltefiarch} %%{grubaltefiname} %%{grubalteficdname} %%{_alt_target_platform} %%{alt_efi_target_cflags} %%{alt_efi_host_cflags} %{SOURCE13} %{SOURCE14} centossecureboot001} +%{expand:%do_alt_efi_build %%{grubaltefiarch} %%{grubaltefiname} %%{grubalteficdname} %%{_alt_target_platform} %%{alt_efi_target_cflags} %%{alt_efi_host_cflags} %{SOURCE13} %{SOURCE14} redhatsecureboot301} %endif %if 0%{with_legacy_arch} %{expand:%do_legacy_build %%{grublegacyarch}} 
@@ -502,12 +498,54 @@ fi %endif %changelog -* Tue Sep 10 2019 CentOS Sources - 2.02-66.el8.centos.1 -- Apply debranding changes +* Thu Sep 26 2019 Javier Martinez Canillas - 2.02-77 +- 10_linux_bls: don't add --users option to generated menu entries + Resolves: rhbz#1755815 -* Fri Aug 23 2019 Javier Martinez Canillas - 2.02-66.el8_0.1 +* Fri Aug 09 2019 Javier Martinez Canillas - 2.02-76 - Include regexp module in EFI builds - Resolves: rhbz#1743549 + Resolves: rhbz#1737670 + +* Wed Jun 19 2019 Javier Martinez Canillas - 2.02-75 +- Fix setting default entry on ppc64le when using OPAL + Resolves: rhbz#1721815 + +* Tue Jun 04 2019 Sergio Durigan Junior - 2.02-74 +- Use '-g' instead of '-g3' when compiling grub2. + Related: rhbz#1653961 + +* Wed May 29 2019 Peter Jones - 2.02-73 +- Rebuild once again to try to get rpmdiff happy. + Related: rhbz#1653961 + +* Mon May 27 2019 Javier Martinez Canillas - 2.02-72 +- Build with the correct target + Related: rhbz#1653961 + +* Fri May 24 2019 Peter Jones - 2.02-71 +- Fix (a fourth time, due to a typo) how LDFLAGS works on non-efi platforms. + Related: rhbz#1653961 + +* Thu May 23 2019 Peter Jones - 2.02-70 +- Fix (once again) how CFLAGS and LDFLAGS propogate the settings for hardened + builds, because rpmdiff doesn't like the current way failing. 
+ Related: rhbz#1653961 + +* Tue May 21 2019 Javier Martinez Canillas - 2.02-69 +- Enable package gating + Resolves: rhbz#1653961 + +* Mon May 20 2019 Javier Martinez Canillas - 2.02-68 +- Avoid grub2-efi package to overwrite existing /boot/grub2/grubenv file + Resolves: rhbz#1680572 +- Try to set -fPIE and friends on libgnu.a (pjones) +- blscfg: fallback to default_kernelopts if BLS option field isn't set + Related: rhbz#1680572 +- Remove bogus load_env after blscfg command in 10_linux + +* Mon Apr 29 2019 Javier Martinez Canillas - 2.02-67 +- Fix failure to request grub.cfg over HTTP + Resolves: rhbz#1490991 * Wed Dec 19 2018 Javier Martinez Canillas - 2.02-66 - Fix grub.cfg-XXX look up when booting over TFTP