Enable again multiboot and multiboot2 modules on EFI builds

Building the multiboot and multiboot2 modules was disabled for EFI builds.
But that made the menu entries created by the Xen package stop working
since they use the multiboot2 module.

The modules were disabled because they can be used to bypass the
Secure Boot mechanism. But it's enough to not include these modules in the
grub2 EFI binary that's signed, which is the case already in the grub2 pkg.

Having them as modules if the user installs the grub2-efi-x64-modules is
a valid use case. And since module loading isn't allowed when Secure Boot
is enabled, it doesn't represent any security threat.

Resolves: rhbz#1703872

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Javier Martinez Canillas 2019-07-13 03:18:28 +02:00
parent 300c372004
commit 18d67626ee
No known key found for this signature in database
GPG Key ID: C751E590D63F3D69
3 changed files with 56 additions and 1 deletions

@ -0,0 +1,48 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Thu, 11 Jul 2019 13:04:21 +0200
Subject: [PATCH] Revert "Disable multiboot, multiboot2, and linux16 modules on
EFI builds."
This reverts commit 155d4e84604 which disabled building the multiboot and
multiboot2 modules on EFI builds. But that made the menu entries created
by the Xen package to stop working since they use the multiboot2 module.
The mentioned commit disabled building the multiboot{,2} modules because
they can be used to bypass the Secure Boot mechanism. But it's enough to
not include these modules in the grub2 EFI binary that's signed, which
is the case already in the grub2 package.
Having them as modules if the user installs the grub2-efi-x64-modules is
a valid use case. And since module loading isn't allowed when Secure Boot
is enabled, it doesn't represent any security threat.
Resolves: rhbz#1703872
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
---
grub-core/Makefile.core.def | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
index 8a00c6177e1..b662312ca6f 100644
--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
@@ -1696,7 +1696,7 @@ module = {
common = loader/multiboot.c;
common = loader/multiboot_mbi2.c;
- enable = i386_pc;
+ enable = x86;
enable = mips;
};
@@ -1705,7 +1705,7 @@ module = {
common = loader/multiboot.c;
x86 = loader/i386/multiboot_mbi.c;
extra_dist = loader/multiboot_elfxx.c;
- enable = i386_pc;
+ enable = x86;
};
module = {
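Review bot: The subject calls this a revert of "Disable multiboot, multiboot2, and linux16 modules on EFI builds.", but the two hunks in grub-core/Makefile.core.def only change `enable = i386_pc;` to `enable = x86;` in the multiboot2 and multiboot module blocks, and nothing here touches linux16. Say in the message that this is a partial revert and that linux16 is left as it is, so nobody reading the log assumes it is back on EFI builds. The safety argument (the modules are left out of the signed EFI binary, and module loading is refused under Secure Boot) also rests on behaviour outside this diff, since `enable = x86;` puts no Secure Boot condition on the build; a pointer to where each of those two properties is enforced would let a later reader confirm they still hold.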

@ -311,3 +311,4 @@ Patch0310: 0310-arm-Align-section-alignment-with-manual-relocation-o.patch
Patch0311: 0311-grub-core-loader-efi-fdt.c-Do-not-copy-random-memory.patch Patch0311: 0311-grub-core-loader-efi-fdt.c-Do-not-copy-random-memory.patch
Patch0312: 0312-linux-efi-arm-fdt-break-FDT-extra-allocation-space-o.patch Patch0312: 0312-linux-efi-arm-fdt-break-FDT-extra-allocation-space-o.patch
Patch0313: 0313-Preserve-multi-device-workflows.patch Patch0313: 0313-Preserve-multi-device-workflows.patch
Patch0314: 0314-Revert-Disable-multiboot-multiboot2-and-linux16-modu.patch

@ -7,7 +7,7 @@
Name: grub2 Name: grub2
Epoch: 1 Epoch: 1
Version: 2.02 Version: 2.02
Release: 90%{?dist} Release: 91%{?dist}
Summary: Bootloader with support for Linux, Multiboot and more Summary: Bootloader with support for Linux, Multiboot and more
License: GPLv3+ License: GPLv3+
URL: http://www.gnu.org/software/grub/ URL: http://www.gnu.org/software/grub/
@ -518,6 +518,12 @@ rm -r /boot/grub2.tmp/ || :
%endif %endif
%changelog %changelog
* Sat Jul 13 2019 Javier Martinez Canillas <javierm@redhat.com> - 2.02-91
- Includes security modules in Grub2 EFI builds (benjamin.doron)
Resolves: rhbz#1722938
- Enable again multiboot and multiboot2 modules on EFI builds
Resolves: rhbz#1703872
* Fri Jul 05 2019 Javier Martinez Canillas <javierm@redhat.com> - 2.02-90 * Fri Jul 05 2019 Javier Martinez Canillas <javierm@redhat.com> - 2.02-90
- Fix failure to request grub.cfg over HTTP - Fix failure to request grub.cfg over HTTP
- Some ARM fixes (pbrobinson) - Some ARM fixes (pbrobinson)
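Review bot: The 2.02-91 changelog entry lists "Includes security modules in Grub2 EFI builds (benjamin.doron)" with rhbz#1722938, but the commit message only covers rhbz#1703872 and the only patch added to the patch list is Patch0314. If that change comes from a separate commit, it is worth saying so here; otherwise mention it in this commit message or move the line to the commit that makes the change, so the changelog and the history agree.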