From 18d67626ee3d2d01ebd43672db3d3ab1a3b7ec79 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas
Date: Sat, 13 Jul 2019 03:18:28 +0200
Subject: [PATCH] Enable again multiboot and multiboot2 modules on EFI builds
Building the multiboot and multiboot2 modules was disabled for EFI builds. But that made the menu entries created by the Xen package to stop working since they use the multiboot2 module. The modules were disabled modules because they can be used to bypass the Secure Boot mechanism. But it's enough to not include these modules in the grub2 EFI binary that's signed, which is the case already in the grub2 pkg. Having them as modules if the user installs the grub2-efi-x64-modules is a valid use case. And since module loading isn't allowed when Secure Boot is enabled, it doesn't represent any security threat.
Resolves: rhbz#1703872
Signed-off-by: Javier Martinez Canillas
---
 ...ultiboot-multiboot2-and-linux16-modu.patch | 48 +++++++++++++++++++
 grub.patches | 1 +
 grub2.spec | 8 +++-
 3 files changed, 56 insertions(+), 1 deletion(-)
 create mode 100644 0314-Revert-Disable-multiboot-multiboot2-and-linux16-modu.patch
diff --git a/0314-Revert-Disable-multiboot-multiboot2-and-linux16-modu.patch b/0314-Revert-Disable-multiboot-multiboot2-and-linux16-modu.patch
new file mode 100644
index 0000000..6653e65
--- /dev/null
+++ b/0314-Revert-Disable-multiboot-multiboot2-and-linux16-modu.patch
@@ -0,0 +1,48 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas
+Date: Thu, 11 Jul 2019 13:04:21 +0200
+Subject: [PATCH] Revert "Disable multiboot, multiboot2, and linux16 modules on
+ EFI builds."
+
+This reverts commit 155d4e84604 which disabled building the multiboot and
+multiboot2 modules on EFI builds. But that made the menu entries created
+by the Xen package to stop working since they use the multiboot2 module.
+
+The mentioned commit disabled building the multiboot{,2} modules because
+they can be used to bypass the Secure Boot mechanism. But it's enough to
+not include these modules in the grub2 EFI binary that's signed, which
+is the case already in the grub2 package.
+
+Having them as modules if the user installs the grub2-efi-x64-modules is
+a valid use case. And since module loading isn't allowed when Secure Boot
+is enabled, it doesn't represent any security threat.
+
+Resolves: rhbz#1703872
+
+Signed-off-by: Javier Martinez Canillas
+---
+ grub-core/Makefile.core.def | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
+index 8a00c6177e1..b662312ca6f 100644
+--- a/grub-core/Makefile.core.def
++++ b/grub-core/Makefile.core.def
+@@ -1696,7 +1696,7 @@ module = {
+
+ common = loader/multiboot.c;
+ common = loader/multiboot_mbi2.c;
+- enable = i386_pc;
++ enable = x86;
+ enable = mips;
+ };
+
+@@ -1705,7 +1705,7 @@ module = {
+ common = loader/multiboot.c;
+ x86 = loader/i386/multiboot_mbi.c;
+ extra_dist = loader/multiboot_elfxx.c;
+- enable = i386_pc;
++ enable = x86;
+ };
+
+ module = {
diff --git a/grub.patches b/grub.patches
index aada811..c6a907c 100644
--- a/grub.patches
+++ b/grub.patches
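Review bot: The safety of switching both `enable = i386_pc;` lines to `enable = x86;` rests on two conditions that nothing in this patch enforces or records: multiboot and multiboot2 must stay out of the module list of the signed EFI binary, and module loading must stay refused while Secure Boot is enabled. Both are stated only in the commit message, so a later change to the signed image's module list could undo the guarantee without touching this file. I would add a comment above each `enable = x86;`, in the file's comment syntax, along the lines of `built as a loadable module only; must not be added to the signed EFI image (can be used to bypass Secure Boot)`, and repeat it wherever the packaging defines that module list. The subject names linux16 as well, yet only the multiboot and multiboot2 stanzas change in these hunks, so the subject should say this is a partial revert. Both `module = {` stanzas start above the hunks, so the module names here are inferred from the listed source files.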
@@ -311,3 +311,4 @@ Patch0310: 0310-arm-Align-section-alignment-with-manual-relocation-o.patch
 Patch0311: 0311-grub-core-loader-efi-fdt.c-Do-not-copy-random-memory.patch
 Patch0312: 0312-linux-efi-arm-fdt-break-FDT-extra-allocation-space-o.patch
 Patch0313: 0313-Preserve-multi-device-workflows.patch
+Patch0314: 0314-Revert-Disable-multiboot-multiboot2-and-linux16-modu.patch
diff --git a/grub2.spec b/grub2.spec
index 173e8cd..af0981b 100644
--- a/grub2.spec
+++ b/grub2.spec
@@ -7,7 +7,7 @@
 Name: grub2
 Epoch: 1
 Version: 2.02
-Release: 90%{?dist}
+Release: 91%{?dist}
 Summary: Bootloader with support for Linux, Multiboot and more
 License: GPLv3+
 URL: http://www.gnu.org/software/grub/
@@ -518,6 +518,12 @@ rm -r /boot/grub2.tmp/ || : %endif %changelog
+* Sat Jul 13 2019 Javier Martinez Canillas - 2.02-91
+- Includes security modules in Grub2 EFI builds (benjamin.doron)
+ Resolves: rhbz#1722938
+- Enable again multiboot and multiboot2 modules on EFI builds
+ Resolves: rhbz#1703872
+
 * Fri Jul 05 2019 Javier Martinez Canillas - 2.02-90
 - Fix failure to request grub.cfg over HTTP
 - Some ARM fixes (pbrobinson)