Enable again multiboot and multiboot2 modules on EFI builds
Building the multiboot and multiboot2 modules was disabled for EFI builds. But that made the menu entries created by the Xen package to stop working since they use the multiboot2 module. The modules were disabled modules because they can be used to bypass the Secure Boot mechanism. But it's enough to not include these modules in the grub2 EFI binary that's signed, which is the case already in the grub2 pkg. Having them as modules if the user installs the grub2-efi-x64-modules is a valid use case. And since module loading isn't allowed when Secure Boot is enabled, it doesn't represent any security threat. Resolves: rhbz#1703872 Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
This commit is contained in:
parent
300c372004
commit
18d67626ee
@ -0,0 +1,48 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Javier Martinez Canillas <javierm@redhat.com>
|
||||||
|
Date: Thu, 11 Jul 2019 13:04:21 +0200
|
||||||
|
Subject: [PATCH] Revert "Disable multiboot, multiboot2, and linux16 modules on
|
||||||
|
EFI builds."
|
||||||
|
|
||||||
|
This reverts commit 155d4e84604 which disabled building the multiboot and
|
||||||
|
multiboot2 modules on EFI builds. But that made the menu entries created
|
||||||
|
by the Xen package to stop working since they use the multiboot2 module.
|
||||||
|
|
||||||
|
The mentioned commit disabled building the multiboot{,2} modules because
|
||||||
|
they can be used to bypass the Secure Boot mechanism. But it's enough to
|
||||||
|
not include these modules in the grub2 EFI binary that's signed, which
|
||||||
|
is the case already in the grub2 package.
|
||||||
|
|
||||||
|
Having them as modules if the user installs the grub2-efi-x64-modules is
|
||||||
|
a valid use case. And since module loading isn't allowed when Secure Boot
|
||||||
|
is enabled, it doesn't represent any security threat.
|
||||||
|
|
||||||
|
Resolves: rhbz#1703872
|
||||||
|
|
||||||
|
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
|
||||||
|
---
|
||||||
|
grub-core/Makefile.core.def | 4 ++--
|
||||||
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
|
||||||
|
index 8a00c6177e1..b662312ca6f 100644
|
||||||
|
--- a/grub-core/Makefile.core.def
|
||||||
|
+++ b/grub-core/Makefile.core.def
|
||||||
|
@@ -1696,7 +1696,7 @@ module = {
|
||||||
|
|
||||||
|
common = loader/multiboot.c;
|
||||||
|
common = loader/multiboot_mbi2.c;
|
||||||
|
- enable = i386_pc;
|
||||||
|
+ enable = x86;
|
||||||
|
enable = mips;
|
||||||
|
};
|
||||||
|
|
||||||
|
@@ -1705,7 +1705,7 @@ module = {
|
||||||
|
common = loader/multiboot.c;
|
||||||
|
x86 = loader/i386/multiboot_mbi.c;
|
||||||
|
extra_dist = loader/multiboot_elfxx.c;
|
||||||
|
- enable = i386_pc;
|
||||||
|
+ enable = x86;
|
||||||
|
};
|
||||||
|
|
||||||
|
module = {
|
@ -311,3 +311,4 @@ Patch0310: 0310-arm-Align-section-alignment-with-manual-relocation-o.patch
|
|||||||
Patch0311: 0311-grub-core-loader-efi-fdt.c-Do-not-copy-random-memory.patch
|
Patch0311: 0311-grub-core-loader-efi-fdt.c-Do-not-copy-random-memory.patch
|
||||||
Patch0312: 0312-linux-efi-arm-fdt-break-FDT-extra-allocation-space-o.patch
|
Patch0312: 0312-linux-efi-arm-fdt-break-FDT-extra-allocation-space-o.patch
|
||||||
Patch0313: 0313-Preserve-multi-device-workflows.patch
|
Patch0313: 0313-Preserve-multi-device-workflows.patch
|
||||||
|
Patch0314: 0314-Revert-Disable-multiboot-multiboot2-and-linux16-modu.patch
|
||||||
|
@ -7,7 +7,7 @@
|
|||||||
Name: grub2
|
Name: grub2
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
Version: 2.02
|
Version: 2.02
|
||||||
Release: 90%{?dist}
|
Release: 91%{?dist}
|
||||||
Summary: Bootloader with support for Linux, Multiboot and more
|
Summary: Bootloader with support for Linux, Multiboot and more
|
||||||
License: GPLv3+
|
License: GPLv3+
|
||||||
URL: http://www.gnu.org/software/grub/
|
URL: http://www.gnu.org/software/grub/
|
||||||
@ -518,6 +518,12 @@ rm -r /boot/grub2.tmp/ || :
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Sat Jul 13 2019 Javier Martinez Canillas <javierm@redhat.com> - 2.02-91
|
||||||
|
- Includes security modules in Grub2 EFI builds (benjamin.doron)
|
||||||
|
Resolves: rhbz#1722938
|
||||||
|
- Enable again multiboot and multiboot2 modules on EFI builds
|
||||||
|
Resolves: rhbz#1703872
|
||||||
|
|
||||||
* Fri Jul 05 2019 Javier Martinez Canillas <javierm@redhat.com> - 2.02-90
|
* Fri Jul 05 2019 Javier Martinez Canillas <javierm@redhat.com> - 2.02-90
|
||||||
- Fix failure to request grub.cfg over HTTP
|
- Fix failure to request grub.cfg over HTTP
|
||||||
- Some ARM fixes (pbrobinson)
|
- Some ARM fixes (pbrobinson)
|
||||||
|
Loading…
Reference in New Issue
Block a user