From 06e51d2a652884f3ef8b8fc97b3f9e7b2e41cc44 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Mon, 21 Nov 2022 19:58:18 +0000 Subject: [PATCH] Forward-port ppc64le image creation (with nerfed signing) Signed-off-by: Robbie Harwood --- grub.macros | 126 +++++++++++++++++++++++++++++++++++++++++----------- grub2.spec | 8 +++- 2 files changed, 106 insertions(+), 28 deletions(-) diff --git a/grub.macros b/grub.macros index 9fb2d9b..34f2934 100644 --- a/grub.macros +++ b/grub.macros @@ -77,6 +77,7 @@ %global emuarch %{_arch} %global grubefiarch %{nil} %global grublegacyarch %{nil} +%global grubelfname %{nil} # sparc is always compiled 64 bit %ifarch %{sparc} @@ -116,11 +117,20 @@ %{!?with_efi_only:%global without_efi_only 0} %{?with_efi_only:%global without_efi_only 1} -### fixme +%ifarch %{efi_arch} +%global efi_modules " efi_netfs efifwsetup efinet lsefi lsefimmap connectefi " +%endif + +%ifarch x86_64 %{ix86} +%global platform_modules " backtrace chain tpm usb usbserial_common usbserial_pl2303 usbserial_ftdi usbserial_usbdebug keylayouts at_keyboard " +%endif + +%ifarch ppc64le +%global platform_modules " appendedsig tpm ofnet " +%endif + %ifarch aarch64 %{arm} riscv64 -%global efi_modules " " -%else -%global efi_modules " backtrace chain tpm usb usbserial_common usbserial_pl2303 usbserial_ftdi usbserial_usbdebug keylayouts at_keyboard connectefi " +%global platform_modules " " %endif %ifarch aarch64 %{arm} riscv64 @@ -220,6 +230,7 @@ %global with_legacy_arch 1 %global grublegacyarch %{legacy_target_cpu_name}-%{platform} %global moduledir %{legacy_target_cpu_name}-%{platform} +%global grubelfname core.elf %endif %global evr %{epoch}:%{version}-%{release} 
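Review bot: In the `-116,11 +117,20` hunk, `efi_modules` and `platform_modules` are now defined only inside `%ifarch` blocks, whereas the removed code always defined `efi_modules` through its `%else`. On an architecture outside the listed sets, `GRUB_MODULES+=%{platform_modules}` in the build macros would pass the unexpanded macro text to the shell as part of the module list. Giving both the treatment `grubelfname` gets in the first hunk, `%global efi_modules %{nil}` and `%global platform_modules %{nil}` ahead of the conditionals, keeps the list well defined everywhere. If `%{efi_arch}` covers aarch64, arm and riscv64, this restructuring also adds `connectefi` to their images, which the commit message does not mention.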
@@ -380,14 +391,31 @@ install -m 644 %{1}.conf ${RPM_BUILD_ROOT}/etc/dnf/protected.d/ \ rm -f %{1}.conf \ %{nil} +%global grub_modules " all_video boot blscfg btrfs \\\ + cat configfile cryptodisk \\\ + echo ext2 f2fs fat font \\\ + gcry_rijndael gcry_rsa gcry_serpent \\\ + gcry_sha256 gcry_twofish gcry_whirlpool \\\ + gfxmenu gfxterm gzio \\\ + halt hfsplus http increment iso9660 \\\ + jpeg loadenv loopback linux lvm luks \\\ + luks2 mdraid09 mdraid1x minicmd net \\\ + normal part_apple part_msdos part_gpt \\\ + password_pbkdf2 pgp png reboot regexp \\\ + search search_fs_uuid search_fs_file \\\ + search_label serial sleep syslinuxcfg \\\ + test tftp version video xfs zstd " \ + %ifarch x86_64 aarch64 %{arm} riscv64 -%define mkimage() \ +%define efi_mkimage() \ %{4}./grub-mkimage -O %{1} -o %{2}.orig \\\ - -p /EFI/%{efi_vendor} -d grub-core ${GRUB_MODULES} \\\ - --sbat %{4}./sbat.csv \ + -p /EFI/%{efi_vendor} -d grub-core \\\ + --sbat %{4}./sbat.csv \\\ + ${GRUB_MODULES} \ %{4}./grub-mkimage -O %{1} -o %{3}.orig \\\ - -p /EFI/BOOT -d grub-core ${GRUB_MODULES} \\\ - --sbat %{4}./sbat.csv \ + -p /EFI/BOOT -d grub-core \\\ + --sbat %{4}./sbat.csv \\\ + ${GRUB_MODULES} \ %{expand:%%define ___pesign_client_cert %{?___pesign_client_cert}%{!?___pesign_client_cert:%{__pesign_client_cert}}} \ %{?__pesign_client_cert:%{expand:%%define __pesign_client_cert %{___pesign_client_cert}}} \ %{expand:%%{pesign -s -i %%{2}.orig -o %%{2}.onesig -a %%{5} -c %%{6} -n %%{7}}} \ 
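Review bot: The new `grub_modules` list is not simply the old `GRUB_MODULES` list minus the EFI-specific entries, because `read` has disappeared. It was in the removed list (`password_pbkdf2 pgp png read reboot`, visible in the following hunk) and appears in none of `grub_modules`, `efi_modules` or `platform_modules`. If dropping it is intentional, that deserves a line in the commit message or changelog, since it changes the contents of the images that are then passed to `pesign`. Otherwise restore it, e.g. `password_pbkdf2 pgp png read reboot regexp \\\`.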
@@ -397,31 +425,65 @@ rm -f %{1}.conf \ %{expand:%%{pesign -s -i %%{3}.onesig -o %%{3} -a %%{5} -c %%{6} -n %%{7}}} \ %{nil} %else -%define mkimage() \ +%define efi_mkimage() \ %{4}./grub-mkimage -O %{1} -o %{2} \\\ - -p /EFI/%{efi_vendor} -d grub-core ${GRUB_MODULES} \ + -p /EFI/%{efi_vendor} -d grub-core \\\ + ${GRUB_MODULES} \ %{4}./grub-mkimage -O %{1} -o %{3} \\\ - -p /EFI/BOOT -d grub-core ${GRUB_MODULES} \ + -p /EFI/BOOT -d grub-core \\\ + ${GRUB_MODULES} \ %{nil} %endif +%ifarch ppc64le +%if 0%{?rhel} +%define ieee1275_mkimage() \ +APPENDED_SIG_SIZE=0 \ +if [ -x /usr/bin/rpm-sign ]; then \ + touch empty.unsigned \ + rpm-sign --key %{4} \\\ + --lkmsign empty.unsigned \\\ + --output empty.signed \ + APPENDED_SIG_SIZE="$(stat -c '%s' empty.signed)" \ + rm empty.{un,}signed \ +fi \ +# FIXME: using this prefix is fragile, must be done properly \ +./grub-mkimage -O %{1} -o %{2}.orig \\\ + -p '/grub2' -d grub-core \\\ + -x %{3} \\\ + --appended-signature-size ${APPENDED_SIG_SIZE} \\\ + ${GRUB_MODULES} \ +if [ -x /usr/bin/rpm-sign ]; then \ + truncate -s -${APPENDED_SIG_SIZE} %{2}.orig \ + rpm-sign --key %{4} \\\ + --lkmsign %{2}.orig \\\ + --output %{2} \ +else \ + mv %{2}.orig %{2} \ +fi \ +%{nil} +%else +# Fedora et al. 
+%define ieee1275_mkimage() \ +./grub-mkimage -O %{1} -o %{2}.orig -p '/grub2' -d grub-core ${GRUB_MODULES} \ +mv %{2}.orig %{2} +%{nil} +%endif +%endif + %define do_efi_build_images() \ -GRUB_MODULES=" all_video boot blscfg btrfs \\\ - cat configfile cryptodisk \\\ - echo efi_netfs efifwsetup efinet ext2 f2fs \\\ - fat font gcry_rijndael gcry_rsa gcry_serpent \\\ - gcry_sha256 gcry_twofish gcry_whirlpool \\\ - gfxmenu gfxterm gzio \\\ - halt hfsplus http increment iso9660 jpeg \\\ - loadenv loopback linux lvm lsefi lsefimmap luks \\\ - luks2 mdraid09 mdraid1x minicmd net \\\ - normal part_apple part_msdos part_gpt \\\ - password_pbkdf2 pgp png read reboot \\\ - regexp search search_fs_uuid search_fs_file \\\ - search_label serial sleep syslinuxcfg test tftp \\\ - version video xfs zstd " \ +GRUB_MODULES+=%{grub_modules} \ GRUB_MODULES+=%{efi_modules} \ -%{expand:%%{mkimage %{1} %{2} %{3} %{4}}} \ +GRUB_MODULES+=%{platform_modules} \ +%{expand:%%{efi_mkimage %{1} %{2} %{3} %{4}}} \ +%{nil} + +%define do_ieee1275_build_images() \ +GRUB_MODULES+=%{grub_modules} \ +GRUB_MODULES+=%{platform_modules} \ +cd grub-%{1}-%{tarversion} \ +%{expand:%%ieee1275_mkimage %%{1} %%{2} %%{3} %%{4}} \ +cd .. \ %{nil} %define do_primary_efi_build() \ @@ -536,6 +598,9 @@ fi \ if [ -f $RPM_BUILD_ROOT%{_infodir}/grub-dev.info ]; then \ rm -f $RPM_BUILD_ROOT%{_infodir}/grub-dev.info \ fi \ +%{expand:%ifarch ppc64le \ + install -m 700 %{grubelfname} $RPM_BUILD_ROOT/%{_libdir}/grub/%{1} \ +%endif} \ if [ -f $RPM_BUILD_ROOT/%{_libdir}/grub/%{1}/grub2.chrp ]; then \ mv $RPM_BUILD_ROOT/%{_libdir}/grub/%{1}/grub2.chrp \\\ $RPM_BUILD_ROOT/%{_libdir}/grub/%{1}/grub.chrp \ 
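Review bot: In the RHEL `ieee1275_mkimage`, the space reserved with `--appended-signature-size` is measured by signing an empty file, and nothing afterwards confirms that the signature `rpm-sign` appends to the real image has the same length. Recording the image size before `truncate` and comparing after signing, e.g. `[ "$(stat -c '%s' %{2})" -eq "${ORIG_SIZE}" ] || exit 1`, would turn a mismatch into a build failure rather than an image whose reserved region and signature disagree. The `else` branch (`mv %{2}.orig %{2}`) silently produces an unsigned image when `/usr/bin/rpm-sign` is absent, so a message on stderr there would make that outcome visible in build logs. Further down, both `do_*_build_images` macros now open with `GRUB_MODULES+=%{grub_modules}` where the old code assigned with `=`, so a value left by an earlier invocation or by the environment carries into the module list; `GRUB_MODULES=%{grub_modules}` restores the reset.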
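Review bot: The added `install -m 700 %{grubelfname} ...` in the `-536,6 +598,9` hunk is guarded only by `%ifarch ppc64le`, while `grubelfname` defaults to `%{nil}` and becomes `core.elf` only in the block at `-220` that also sets `with_legacy_arch`. If that block is ever skipped on ppc64le, the line collapses to `install -m 700 $RPM_BUILD_ROOT/...` with no source operand. The line also assumes the current directory is the one where `do_ieee1275_build_images` wrote the image, which the hunk does not show. A guard such as `[ -f "%{grubelfname}" ] || exit 1` before the install, plus quoting `"$RPM_BUILD_ROOT"`, would make a failure explicit. The enclosing macro starts and ends outside the hunk.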
@@ -595,12 +660,19 @@ ln -s ../boot/grub2/grub.cfg \\\ %ghost %config(noreplace) %attr(0700,root,root)/boot/grub2/grub.cfg \ %dir %attr(0700,root,root)/boot/loader/entries \ %attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/grub2-%{1}.conf \ +%ifarch ppc64le \ +%dir %{_libdir}/grub/%{2}/ \ +%{_libdir}/grub/%{2}/%{grubelfname} \ +%endif \ \ %{expand:%if 0%{?with_legacy_modules} \ %{expand:%%files %{1}-modules} \ %defattr(-,root,root) \ %dir %{_libdir}/grub/%{2}/ \ %{_libdir}/grub/%{2}/* \ +%ifarch ppc64le \ +%exclude %{_libdir}/grub/%{2}/%{grubelfname} \ +%endif \ %exclude %{_libdir}/grub/%{2}/*.module \ %exclude %{_libdir}/grub/%{2}/{boot,boot_hybrid,cdboot,diskboot,lzma_decompress,pxeboot}.image \ %exclude %{_libdir}/grub/%{2}/*.o \ diff --git a/grub2.spec b/grub2.spec index 9022dcb..386350d 100644 --- a/grub2.spec +++ b/grub2.spec @@ -17,7 +17,7 @@ Name: grub2 Epoch: 1 Version: 2.06 -Release: 63%{?dist} +Release: 64%{?dist} Summary: Bootloader with support for Linux, Multiboot and more License: GPLv3+ URL: http://www.gnu.org/software/grub/ @@ -210,6 +210,9 @@ git commit -m "After making subdirs" %if 0%{with_emu_arch} %{expand:%do_emu_build} %endif +%ifarch ppc64le +%{expand:%do_ieee1275_build_images %%{grublegacyarch} %{grubelfname} %{sb_cer} %{sb_key}} +%endif makeinfo --info --no-split -I docs -o docs/grub-dev.info \ docs/grub-dev.texi makeinfo --info --no-split -I docs -o docs/grub.info \ @@ -529,6 +532,9 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg %endif %changelog +* Mon Nov 21 2022 Robbie Harwood - 1:2.06-64 +- Forward-port ppc64le image creation (with nerfed signing) + * Tue Nov 08 2022 Robbie Harwood - 1:2.06-63 - Font fixes (CVE-2022-2601 batch)
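Review bot: The `do_ieee1275_build_images` call in `grub2.spec` (hunk `-210,6 +210,9`) passes four positional arguments whose meaning is documented nowhere, and two of them are signing inputs: `%{sb_cer}` ends up as `-x %{3}` and `%{sb_key}` as `rpm-sign --key %{4}` in the RHEL branch of `ieee1275_mkimage`. Nothing visible here shows that `sb_cer` and `sb_key` are defined for ppc64le; if either is not, the unexpanded macro text would be handed to `grub-mkimage` or `rpm-sign`. A comment above the call such as `# args: target (cpu-platform), output ELF name, cert embedded via -x, rpm-sign key name` would help. The escaping is also uneven (`%%{grublegacyarch}` is deferred while the other three expand immediately) and is worth either aligning or explaining.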