Forward-port ppc64le image creation (with nerfed signing)

Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2022-11-21 19:58:18 +00:00 · 2022-11-21 19:58:18 +00:00 · 06e51d2a65
commit 06e51d2a65
parent 3972172d4d
2 changed files with 106 additions and 28 deletions
--- a/grub.macros
+++ b/grub.macros
@ -77,6 +77,7 @@
 %global emuarch %{_arch}
 %global grubefiarch %{nil}
 %global grublegacyarch %{nil}
+%global grubelfname %{nil}

 # sparc is always compiled 64 bit
 %ifarch %{sparc}
@ -116,11 +117,20 @@
 %{!?with_efi_only:%global without_efi_only 0}
 %{?with_efi_only:%global without_efi_only 1}

-### fixme
+%ifarch %{efi_arch}
+%global efi_modules " efi_netfs efifwsetup efinet lsefi lsefimmap connectefi "
+%endif
+
+%ifarch x86_64 %{ix86}
+%global platform_modules " backtrace chain tpm usb usbserial_common usbserial_pl2303 usbserial_ftdi usbserial_usbdebug keylayouts at_keyboard "
+%endif
+
+%ifarch ppc64le
+%global platform_modules " appendedsig tpm ofnet "
+%endif
+
 %ifarch aarch64 %{arm} riscv64
-%global efi_modules " "
-%else
-%global efi_modules " backtrace chain tpm usb usbserial_common usbserial_pl2303 usbserial_ftdi usbserial_usbdebug keylayouts at_keyboard connectefi "
+%global platform_modules " "
 %endif

 %ifarch aarch64 %{arm} riscv64
@ -220,6 +230,7 @@
 %global with_legacy_arch 1
 %global grublegacyarch %{legacy_target_cpu_name}-%{platform}
 %global moduledir %{legacy_target_cpu_name}-%{platform}
+%global grubelfname core.elf
 %endif

 %global evr %{epoch}:%{version}-%{release}
@ -380,14 +391,31 @@ install -m 644 %{1}.conf ${RPM_BUILD_ROOT}/etc/dnf/protected.d/ \
 rm -f %{1}.conf							\
 %{nil}

+%global grub_modules  " all_video boot blscfg btrfs		\\\
+			cat configfile cryptodisk		\\\
+			echo ext2 f2fs fat font			\\\
+			gcry_rijndael gcry_rsa gcry_serpent	\\\
+			gcry_sha256 gcry_twofish gcry_whirlpool	\\\
+			gfxmenu gfxterm gzio			\\\
+			halt hfsplus http increment iso9660	\\\
+			jpeg loadenv loopback linux lvm luks	\\\
+			luks2 mdraid09 mdraid1x minicmd net	\\\
+			normal part_apple part_msdos part_gpt	\\\
+			password_pbkdf2 pgp png reboot regexp	\\\
+			search search_fs_uuid search_fs_file	\\\
+			search_label serial sleep syslinuxcfg	\\\
+			test tftp version video xfs zstd "	\
+
 %ifarch x86_64 aarch64 %{arm} riscv64
-%define mkimage()						\
+%define efi_mkimage()						\
 %{4}./grub-mkimage -O %{1} -o %{2}.orig				\\\
-	-p /EFI/%{efi_vendor} -d grub-core ${GRUB_MODULES}	\\\
-	--sbat %{4}./sbat.csv					\
+	-p /EFI/%{efi_vendor} -d grub-core			\\\
+	--sbat %{4}./sbat.csv					\\\
+	${GRUB_MODULES}						\
 %{4}./grub-mkimage -O %{1} -o %{3}.orig				\\\
-	-p /EFI/BOOT -d grub-core ${GRUB_MODULES}		\\\
-	--sbat %{4}./sbat.csv					\
+	-p /EFI/BOOT -d grub-core				\\\
+	--sbat %{4}./sbat.csv					\\\
+	${GRUB_MODULES}						\
 %{expand:%%define ___pesign_client_cert %{?___pesign_client_cert}%{!?___pesign_client_cert:%{__pesign_client_cert}}} \
 %{?__pesign_client_cert:%{expand:%%define __pesign_client_cert %{___pesign_client_cert}}} \
 %{expand:%%{pesign -s -i %%{2}.orig -o %%{2}.onesig -a %%{5} -c %%{6} -n %%{7}}}	\
@ -397,31 +425,65 @@ rm -f %{1}.conf							\
 %{expand:%%{pesign -s -i %%{3}.onesig -o %%{3} -a %%{5} -c %%{6} -n %%{7}}}	\
 %{nil}
 %else
-%define mkimage()						\
+%define efi_mkimage()						\
 %{4}./grub-mkimage -O %{1} -o %{2}				\\\
-	-p /EFI/%{efi_vendor} -d grub-core ${GRUB_MODULES}	\
+	-p /EFI/%{efi_vendor} -d grub-core			\\\
+	${GRUB_MODULES}						\
 %{4}./grub-mkimage -O %{1} -o %{3}				\\\
-	-p /EFI/BOOT -d grub-core ${GRUB_MODULES}		\
+	-p /EFI/BOOT -d grub-core				\\\
+	${GRUB_MODULES}						\
 %{nil}
 %endif

+%ifarch ppc64le
+%if 0%{?rhel}
+%define ieee1275_mkimage()					\
+APPENDED_SIG_SIZE=0						\
+if [ -x /usr/bin/rpm-sign ]; then				\
+	touch empty.unsigned					\
+	rpm-sign --key %{4}					\\\
+		 --lkmsign empty.unsigned			\\\
+		 --output empty.signed				\
+	APPENDED_SIG_SIZE="$(stat -c '%s' empty.signed)"	\
+	rm empty.{un,}signed					\
+fi								\
+# FIXME: using this prefix is fragile, must be done properly	\
+./grub-mkimage -O %{1} -o %{2}.orig				\\\
+	-p '/grub2' -d grub-core				\\\
+	-x %{3}							\\\
+	--appended-signature-size ${APPENDED_SIG_SIZE}		\\\
+	${GRUB_MODULES}						\
+if [ -x /usr/bin/rpm-sign ]; then				\
+	truncate -s -${APPENDED_SIG_SIZE} %{2}.orig		\
+	rpm-sign --key %{4}					\\\
+		 --lkmsign %{2}.orig				\\\
+		 --output %{2}					\
+else								\
+	mv %{2}.orig %{2}					\
+fi								\
+%{nil}
+%else
+# Fedora et al.
+%define ieee1275_mkimage()					\
+./grub-mkimage -O %{1} -o %{2}.orig -p '/grub2' -d grub-core ${GRUB_MODULES} \
+mv %{2}.orig %{2}
+%{nil}
+%endif
+%endif
+
 %define do_efi_build_images()					\
-GRUB_MODULES="	all_video boot blscfg btrfs			\\\
-		cat configfile cryptodisk			\\\
-		echo efi_netfs efifwsetup efinet ext2 f2fs	\\\
-		fat font gcry_rijndael gcry_rsa gcry_serpent 	\\\
-		gcry_sha256 gcry_twofish gcry_whirlpool   	\\\
-		gfxmenu gfxterm gzio				\\\
-		halt hfsplus http increment iso9660 jpeg	\\\
-		loadenv loopback linux lvm lsefi lsefimmap luks	\\\
-		luks2 mdraid09 mdraid1x minicmd net		\\\
-		normal part_apple part_msdos part_gpt		\\\
-		password_pbkdf2 pgp png read reboot		\\\
-		regexp search search_fs_uuid search_fs_file	\\\
-		search_label serial sleep syslinuxcfg test tftp	\\\
-		version video xfs zstd "			\
+GRUB_MODULES+=%{grub_modules}					\
 GRUB_MODULES+=%{efi_modules}					\
-%{expand:%%{mkimage %{1} %{2} %{3} %{4}}}			\
+GRUB_MODULES+=%{platform_modules}				\
+%{expand:%%{efi_mkimage %{1} %{2} %{3} %{4}}}			\
+%{nil}
+
+%define do_ieee1275_build_images()			\
+GRUB_MODULES+=%{grub_modules}				\
+GRUB_MODULES+=%{platform_modules}			\
+cd grub-%{1}-%{tarversion}				\
+%{expand:%%ieee1275_mkimage %%{1} %%{2} %%{3} %%{4}}	\
+cd ..							\
 %{nil}

 %define do_primary_efi_build()					\
@ -536,6 +598,9 @@ fi								\
 if [ -f $RPM_BUILD_ROOT%{_infodir}/grub-dev.info ]; then	\
 	rm -f $RPM_BUILD_ROOT%{_infodir}/grub-dev.info		\
 fi								\
+%{expand:%ifarch ppc64le					\
+	install -m 700 %{grubelfname} $RPM_BUILD_ROOT/%{_libdir}/grub/%{1} \
+%endif}								\
 if [ -f $RPM_BUILD_ROOT/%{_libdir}/grub/%{1}/grub2.chrp ]; then \
 	mv $RPM_BUILD_ROOT/%{_libdir}/grub/%{1}/grub2.chrp	\\\
 	   $RPM_BUILD_ROOT/%{_libdir}/grub/%{1}/grub.chrp	\
@ -595,12 +660,19 @@ ln -s ../boot/grub2/grub.cfg					\\\
 %ghost %config(noreplace) %attr(0700,root,root)/boot/grub2/grub.cfg	\
 %dir %attr(0700,root,root)/boot/loader/entries			\
 %attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/grub2-%{1}.conf \
+%ifarch ppc64le							\
+%dir %{_libdir}/grub/%{2}/					\
+%{_libdir}/grub/%{2}/%{grubelfname}				\
+%endif								\
 								\
 %{expand:%if 0%{?with_legacy_modules}				\
 %{expand:%%files %{1}-modules}					\
 %defattr(-,root,root)						\
 %dir %{_libdir}/grub/%{2}/					\
 %{_libdir}/grub/%{2}/*						\
+%ifarch ppc64le							\
+%exclude %{_libdir}/grub/%{2}/%{grubelfname}			\
+%endif								\
 %exclude %{_libdir}/grub/%{2}/*.module				\
 %exclude %{_libdir}/grub/%{2}/{boot,boot_hybrid,cdboot,diskboot,lzma_decompress,pxeboot}.image \
 %exclude %{_libdir}/grub/%{2}/*.o				\
--- a/grub2.spec
+++ b/grub2.spec
@ -17,7 +17,7 @@
 Name:		grub2
 Epoch:		1
 Version:	2.06
-Release:	63%{?dist}
+Release:	64%{?dist}
 Summary:	Bootloader with support for Linux, Multiboot and more
 License:	GPLv3+
 URL:		http://www.gnu.org/software/grub/
@ -210,6 +210,9 @@ git commit -m "After making subdirs"
 %if 0%{with_emu_arch}
 %{expand:%do_emu_build}
 %endif
+%ifarch ppc64le
+%{expand:%do_ieee1275_build_images %%{grublegacyarch} %{grubelfname} %{sb_cer} %{sb_key}}
+%endif
 makeinfo --info --no-split -I docs -o docs/grub-dev.info \
 	docs/grub-dev.texi
 makeinfo --info --no-split -I docs -o docs/grub.info \
@ -529,6 +532,9 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg
 %endif

 %changelog
+* Mon Nov 21 2022 Robbie Harwood <rharwood@redhat.com> - 1:2.06-64
+- Forward-port ppc64le image creation (with nerfed signing)
+
 * Tue Nov 08 2022 Robbie Harwood <rharwood@redhat.com> - 1:2.06-63
 - Font fixes (CVE-2022-2601 batch)