Commit Graph

633 Commits

Author SHA1 Message Date
Javier Martinez Canillas
5db4bc774e
Fix a grub hidden-menu regression and a bug in blscfg variable expansion
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-11-27 12:12:44 +01:00
Javier Martinez Canillas
eeeca9c900
grub-set-bootflag: Write new env to tmpfile and then rename
Resolves: CVE-2019-14865
Resolves: rhbz#1776580

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-11-26 11:43:57 +01:00
Javier Martinez Canillas
d3ceae4bfd
Some BLS cleanups and fixes
- 20-grub-install: Don't add an id field to generated BLS snippets
- 99-grub-mkconfig: Disable BLS usage for Xen machines
  Resolves: rhbz#1703700
- Don't add a class option to menu entries generated for ppc64le
  Resolves: rhbz#1758225
- 10_linux.in: Also use GRUB_CMDLINE_LINUX_DEFAULT to set kernelopts
- blscfg: Don't hardcode an env var as fallback for the BLS options field
  Resolves: rhbz#1710483

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-10-17 13:41:17 +02:00
Javier Martinez Canillas
897e388763
99-grub-mkconfig: Disable BLS usage for Xen machines
PV and PVH Xen DomU guests boot with pygrub that doesn't have BLS support.
Also Xen Dom0 use the menuentries from 20_linux_xen and not the ones from
10_linux. So BLS support needs to be disabled for both Xen Dom0 and DomU
and use a traditional grub.cfg file generated by the grub2-mkconfig tool.

Resolves: rhbz#1703700

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Tested-by: Steven Haigh <netwiz@crc.id.au>
2019-10-16 11:42:54 +02:00
Javier Martinez Canillas
7ea6052755
20-grub-install: Don't add an id field to generated BLS snippets
The id field isn't used anymore by the blscfg module and instead the BLS
filename without the .conf is used as the id for the generated menu entry.

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-10-15 14:07:05 +02:00
Javier Martinez Canillas
be6e591e0f
Add BLS devicetree support and a couple of RISC-V fixes
- A couple of RISC-V fixes
- Remove grub2-tools %%posttrans scriptlet that migrates to a BLS config
- Add blscfg device tree support
  Resolves: rhbz#1751307

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-09-18 10:01:25 +02:00
Javier Martinez Canillas
e1531466e1
Update to grub 2.04
This change updates grub to the 2.04 release. The new release changed how
grub is built, so the bootstrap and bootstrap.conf files have to be added
to the dist-git. Also, the gitignore file changed so it has to be updated.

Since the patches have been forward ported to 2.04, there's no need for a
logic to maintain a patch with the delta between the release and the grub
master branch. So the release-to-master.patch is dropped and no longer is
updated by the do-rebase script.

Also since gnulib isn't part of the grub repository anymore and cloned by
the boostrap tool, a gnulib tarball is included as other source file and
copied before calling the bootstrap tool. That way grub can be built even
in builders that only have access to the sources lookaside cache.

Resolves: rhbz#1727279

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-08-15 08:04:53 +02:00
Javier Martinez Canillas
c432d1fe96
Include regexp module in EFI builds
So the regexp command can be used in systems with Secure Boot enabled.

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-08-07 22:15:12 +02:00
Javier Martinez Canillas
0ca82180b8
Manual build for the Fedora 31 mass rebuild to succeed
Releng attempted to build the grub2 package as a part of the Fedora 31
mass rebuild [0], but this failed due lack of credentials to build the
grub2 package. Do a manual build for the rebuild to succeed.

[0]: https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-08-01 18:37:28 +02:00
Fedora Release Engineering
498ea7003b - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2019-07-25 07:48:51 +00:00
Javier Martinez Canillas
d8bbf039e9
20-grub-install: Restore default SELinux security contexts for BLS files
The BLS files are copied from /lib/modules/$(uname -r)/bls.conf and this
file has a SELinux label of "system_u:object_r:modules_object_t" like all
the other files that are installed by the kernel package.

But the files in the /boot directory are expected to have a SELinux label
of "system_u:object_r:boot_t". For all the other files that are copied to
/boot by the kernel-install script, the SELinux security contexts are
restored to the default but that was missing for the BLS files.

Resolves: rhbz#1726020

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-07-18 14:43:42 +02:00
Javier Martinez Canillas
a1dedc8a10
Add btrfs snapshot submenu and move grub2-probe to tools-minimal
The btrfs snapshot submenu was removed because it broke the old grubby tool
since it searched for "menuentry". But now that a BLS config is supported,
this can be added again as long as grubby isn't used.

This patch also moves the grub2-probe tool to the tools-minimal package to
prevent a circular dependency since the grub2-tools package depends on the
os-prober package, but os-prober package needs grub2-probe as a dependency.

So instead of making os-prober to depend on grub2-tools, it can be made to
depend on the grub2-tools-minimal subpackage.

Resolves: rhbz#1715994

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-07-17 16:41:25 +02:00
Javier Martinez Canillas
7e98da058f
Cleanup our patchset to reduce the number of patches
This change reorganizes and cleanups our patches to reduce the patch number
from 314 patches to 187. That's achieved by dropping patches that are later
reverted and squashing fixes for earlier patches that introduced features.

There are no code changes and the diff with upstream is the same before and
after the cleanup. Having fewer patches makes easier to manage the patchset
and also will ease to rebase them on top of the latest grub-2.04 release.

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-07-16 12:30:06 +02:00
Javier Martinez Canillas
18d67626ee
Enable again multiboot and multiboot2 modules on EFI builds
Building the multiboot and multiboot2 modules was disabled for EFI builds.
But that made the menu entries created by the Xen package to stop working
since they use the multiboot2 module.

The modules were disabled modules because they can be used to bypass the
Secure Boot mechanism. But it's enough to not include these modules in the
grub2 EFI binary that's signed, which is the case already in the grub2 pkg.

Having them as modules if the user installs the grub2-efi-x64-modules is
a valid use case. And since module loading isn't allowed when Secure Boot
is enabled, it doesn't represent any security threat.

Resolves: rhbz#1703872

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-07-15 12:12:17 +02:00
Benjamin Doron
300c372004
Includes security modules in Grub2 EFI builds
Satisfies https://fedoraproject.org/wiki/Changes/Include_security_modules_in_efi_Grub2

Resolves: rhbz#1722938
2019-07-15 12:06:36 +02:00
Javier Martinez Canillas
f2b28b651f
Some fixes mostly for ARM
Fix failure to request grub.cfg over HTTP
Some ARM fixes (pbrobinson)
Preserve multi-device workflows (Yclept Nemo)

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-07-06 15:16:40 +02:00
Javier Martinez Canillas
04d38248e3
A set of fixes mostly BLS related
Fix --bls-directory option comment in grub2-switch-to-blscfg man page
  Resolves: rhbz#1714835
10_linux_bls: use '=' to separate --id argument due a Petitboot bug
grub-set-bootflag: Print an error if failing to read from grubenv
  Resolves: rhbz#1702354
10_linux: generate BLS section even if no kernels are found in /boot
10_linux: don't search for OSTree kernels

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-06-27 17:27:11 +02:00
Sergio Durigan Junior
f6da347edf
Use '-g' instead of '-g3' when compiling grub2.
The rpm-build's "debugedit" program will silently corrupt .debug_macro
strings when a binary is compiled with -g3.  Later in the build phase,
gdb-add-index is invoked to extract the DWARF index from the binary,
and GDB will segfault because dwarf2read.c:parse_definition_macro's
'body' variable is NULL.

Resolves: rhbz#1708780
2019-06-18 12:05:36 +02:00
Javier Martinez Canillas
05efc9de7f
Rebuild for RPM 4.15
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-06-11 10:30:48 +02:00
Igor Gnatenko
96a8e420da
Rebuild for RPM 4.15
Signed-off-by: Igor Gnatenko <ignatenkobrain@fedoraproject.org>
2019-06-11 00:13:19 +02:00
Igor Gnatenko
2df60da858
Rebuild for RPM 4.15
Signed-off-by: Igor Gnatenko <ignatenkobrain@fedoraproject.org>
2019-06-10 17:42:01 +02:00
Peter Jones
7388f24e3e Fix HOST_LDFLAGS to include the hardening flags.
rpmdiff noticed the following:

Detecting usr/sbin/grub2-ofpathname with not-hardened warnings '
Hardened: grub2-ofpathname: FAIL: Gaps were detected in the annobin coverage.  Run with -v to list.
Hardened: grub2-ofpathname: FAIL: Not linked with -Wl,-z,now.
Hardened: grub2-ofpathname: MAYB: The PIC/PIE setting was not recorded.
Hardened: grub2-ofpathname: FAIL: Not linked as a position independent executable (ie need to add '-pie' to link command line).
' on ppc64le

This is because while we made the CFLAGS get some new options, LDFLAGS never
got the same treatement, and we disabled %{_hardened_build} to avoid getting
its options in the TARGET_{C,LD}FLAGS variables.

This patch duplicates the infrastructure for {HOST,TARGET}_CFLAGS into
{HOST,TARGET}_LDFLAGS, and adds the %{_hardening_ldflags} and
%{_hardening_cflags} to both HOST_{C,LD}FLAGS.

Additionally, it fixes the CPPFLAGS definitions, since rpm doesn't define any
CPPFLAGS at all, and makes the -I$(pwd) be there exclusively, not on CFLAGS as
well, since they're always used in concert.

Signed-off-by: Peter Jones <pjones@redhat.com>
2019-05-23 13:51:07 -04:00
Javier Martinez Canillas
22467ee641
Don't try to switch to a BLS config if GRUB_ENABLE_BLSCFG is already set
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-05-20 19:02:19 +02:00
Javier Martinez Canillas
298aa12e25
Only execute grub2-switch-to-blscfg if GRUB_ENABLE_BLSCFG isn't set
There's no point on executing the script if GRUB_ENABLE_BLSCFG has already
been set. Currently was checking if an user explicitly set it to false to
avoid enabling the BLS configuration, but it should also be avoided if was
already set to true by a previous package update or during installation.

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-05-20 18:38:34 +02:00
Javier Martinez Canillas
d8cdcb3a21
Fix error messages wrongly being printed when executing blscfg command
Resolves: rhbz#1699761

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-05-15 12:28:06 +02:00
Javier Martinez Canillas
a9b371c2fb
Make blscfg module compatible at least up to the Fedora 19 GRUB core
The blscfg module isn't compatible with the GRUB core.img installed by any
release older than Fedora 21.

This is because the blscfg module calls to the grub_file_size() function to
check if the BLS file size is correct, but the struct grub_file used as the
parameter for this function changed in the GRUB version used in Fedora 21.

So the function returns a wrong file size due the .size field offset being
different in the older GRUB from Fedora 20 and earlier.

This is causing all the BLS files to be ignored due having a wrong size and
leading to GRUB menu not being populated on boot.

Related: rhbz#1652806

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-05-08 15:19:43 +02:00
Neal Gompa
0b428f20f3
Add grub2-mount to grub2-tools-minimal subpackage
os-prober 1.75 dropped all the code for handling device mapper
directly in favor of only supporting the use of grub2-mount.

Thus, we now need grub2-mount to be built and packaged so that
os-prober can depend on it. We ship it in the grub2-tools-minimal
package to avoid creating a dependency loop between grub2-tools and
os-prober.

Resolves: rhbz#1471267

Signed-off-by: Neal Gompa <ngompa13@gmail.com>
2019-05-06 13:40:04 +02:00
Javier Martinez Canillas
a18e8e631d
Add grub2-emu subpackage
GRUB has an user-space program emulator that allows to parse config files
and execute boot entries using the kexec tool. Add a grub2-emu subpackage
to install the emulator.

The subpackage is disabled on ppc64le architecture for now since grub2-emu
fails to build there.

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-05-03 15:39:28 +02:00
Tim Landscheidt
af06f22ee4 Fix description of grub2-pc
Resolves: rhbz#1484298
2019-05-03 10:43:27 +02:00
Javier Martinez Canillas
79551a59f5
Add 10_reset_boot_success to Makefile
This was missed when the script got added.

Related: rhbz#1701003

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-04-18 19:33:20 +02:00
Javier Martinez Canillas
62a05cdcd4
Some grub2-emu, HTTP boot and fallback fixes
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-04-18 11:57:05 +02:00
Javier Martinez Canillas
173fb18386
Execute grub2-switch-to-blscfg script in %posttrans instead of %post
The GRUB configuration is switched to BLS using the grub2-switch-to-blscfg
script, which is installed by the grub2-tools package. Among other things,
the script copies the blscfg module from the /usr/lib/grub/$arch directory
to /boot/grub2/$arch.

This is done because for non-UEFI installs (i386-pc and powerpc-ieee1275)
the GRUB core and modules aren't updated on package upgrade, so the blscfg
module won't be the latest that contains the current BLS support.

But the grub2-switch-to-blscfg script is currently executed in grub2-tools
%post scritplet, which means that if the grub2-tools package is installed
before the grub2-pc-modules package (that installs the blscfg module), the
grub2-switch-to-blscfg script won't copy the latest version of the module.

This will make systems to fail to populate the GRUB menu, since its config
will already be migrated to BLS but the blscfg module won't be the latest.

So to make sure that the latest blscfg module is copied regardless of the
grub2-tools and grub2-pc-modules packages install order, run the switch
script in a grub2-tools %posttrans so it's executed at the end of the RPM
transaction once all the packages have been installed.

Resolves: rhbz#1652806

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-04-16 18:27:09 +02:00
Zbigniew Jędrzejewski-Szmek
30b139ceba
Do not remove boot loader configuration for other boot loaders 2019-04-16 18:16:25 +02:00
Javier Martinez Canillas
dd6e48876e
10_linux_bls: don't add --users option to generated menu entries
The generated menu entries have a --users $grub_users option but this will
fail on old versions of GRUB, since it expects the --users option argument
to either be a constant or a variable that has been set.

The latest GRUB version fix this but the GRUB core isn't updated on a GRUB
package update, so this will cause the entries to not be shown in the menu
after a system upgrade.

Since can cause issues and because the entries that weren't generated from
the BLS snippets didn't have the --users option either, just don't add it.

Resolves: rhbz#1693515

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-03-28 17:05:25 +01:00
Javier Martinez Canillas
88459565ec
A set of EFI fixes to support arm64 QCom UEFI firmwares
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-03-26 17:17:17 +01:00
Javier Martinez Canillas
c1ccaf8a0e
Fix some BLS snippets not being displayed in the GRUB menu
There was an error in the logic that stored the parsed BLS snippets in the
sorted linked list that is used to populate the GRUB boot menu entries.

Also add a fix found by coverity scan about a possible undefined behaviour
due grub_efi_status_t having the wrong type.

Resolves: rhbz#1691232

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-03-22 15:33:06 +01:00
Javier Martinez Canillas
242b306a29
Only set blsdir if /boot/loader/entries is in a btrfs or zfs partition
Commit bfc756f8d86 ("Set blsdir if the BLS directory path isn't one of the
looked up by default") attempted to set blsdir if /boot/loader/entries was
not the real path of the directory containing the BLS snippets. Which may
be the case if for example /boot/loader/entries is in a btrfs subvolume.

But in the case of ostree, /boot/loader is a symlink to the directory with
the entries for the current deployment. So with ostree the blsdir will be
wrongly set, since GRUB is able to follow the symlinks just fine. In fact,
it has to follow the symlink since otherwise GRUB will always use the BLS
files for the deployment that the symlink pointed out when blsdir was set.

So only set blsdir if /boot/loader/entries is in a btrfs or zfs partition.

Related: rhbz#1688453

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-03-20 16:54:35 +01:00
Javier Martinez Canillas
fad457cd90
Two more fixes
Avoid grub2-efi package to overwrite existing /boot/grub2/grubenv file
  Resolves: rhbz#1687323
Switch to BLS in tools package %%post scriptlet
  Resolves: rhbz#1652806

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-03-11 12:07:18 +01:00
Javier Martinez Canillas
a7449e2e58
Switch to BLS in tools package %post scriptlet
The switch to a BLS configuration was made before in the grubby package
%post scriptlet, but this is wrong since it means that a not up-do-date
grub2-switch-to-blscfg script could be used to do the switch.

Resolves: rhbz#1652806

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-03-11 12:01:43 +01:00
Javier Martinez Canillas
8c44667ebf
Avoid grub2-efi package to overwrite existing /boot/grub2/grubenv file
The grub2-efi package create a /boot/grub2/grubenv symlink that points to
/boot/efi/EFI/fedora/grubenv that's where the real grubenv file is looked
up by GRUB on an EFI installation.

But currently if the grub2-efi is installed on a legacy BIOS install, it
will overwrite an existing /boot/grub2/grubenv file with a broken symlink.

So mark it as %config(noreplace) to avoid loosing an existing grubenv.

Resolves: rhbz#1687323

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-03-11 10:22:11 +01:00
Javier Martinez Canillas
5d7e4540ed
Some BLS fixes
20-grub-install: Replace, rather than overwrite, the existing kernel (pjones)
  Resolves: rhbz#1642402
99-grub-mkconfig: Don't update grubenv generating entries on ppc64le
  Related: rhbz#1637875
blscfg: fallback to default_kernelopts if BLS option field isn't set
  Related: rhbz#1625124
grub-switch-to-blscfg: copy increment.mod for legacy BIOS and ppc64
  Resolves: rhbz#1652806

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-02-27 19:54:32 +01:00
Javier Martinez Canillas
3690f710db
99-grub-mkconfig: Don't update grubenv generating entries on ppc64le
The grubenv file is updated when grub-mkconfig is executed but on ppc64le
is used on each kernel install to re-generate the grub2.cfg file with the
updated entries. So in this case the grubenv file should not be updated.

Related: rhbz#1637875

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-02-26 08:35:41 +01:00
Peter Jones
c9b8b10a61
20-grub-install: Replace, rather than overwrite, the existing kernel.
In rhbz#1638405, we worked around the issue of an existing initramfs
being in the way by removing it if it's older than the kernel we're in
the process of installing.

But it was buggy and only worked with some filesystem layouts and paths, and
also possibly had some issues with file creation times causing the shell -ot
comparison to fail in some cases.

This patch changes it to remove the existing kernel (as well as other
related files) in the case that it's going to do the copy, and also fixes the
path issues.

Resolves: rhbz#1642402
Related: rhbz#1638405

Signed-off-by: Peter Jones <pjones@redhat.com>
Tested-by: Prarit Bhargava <prarit@redhat.com>
2019-02-26 08:33:50 +01:00
Javier Martinez Canillas
f6d4ab8f83
Check if blsdir exists before attempting to get it's real path
Resolves: rhbz#1677415

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-02-15 18:22:18 +01:00
Javier Martinez Canillas
e3a408a521
A couple of fixes
Don't make grub_strtoull() print an error if no conversion is performed
  Resolves: rhbz#1674512
Set blsdir if the BLS directory path isn't one of the looked up by default
  Resolves: rhbz#1657240

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-02-13 13:41:46 +01:00
Javier Martinez Canillas
11b49b804e
BLS support enhancements and some fixes
- Don't build the grub2-efi-ia32-* packages on i686 (pjones)
- Add efi-export-env and efi-load-env commands (pjones)
- Make it possible to subtract conditions from debug= (pjones)
- Try to set -fPIE and friends on libgnu.a (pjones)
- Add more options to blscfg command to make it more flexible
- Add support for prepend early initrds to the BLS entries
- Fix grub.cfg-XXX look up when booting over TFTP

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-02-04 19:28:49 +01:00
Fedora Release Engineering
5699af497f - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2019-02-01 01:37:54 +00:00
Igor Gnatenko
3463a4b800 Remove obsolete Group tag
References: https://fedoraproject.org/wiki/Changes/Remove_Group_Tag
2019-01-28 20:24:06 +01:00
Igor Gnatenko
23b6ae2b79
Remove obsolete scriptlets
References: https://fedoraproject.org/wiki/Changes/RemoveObsoleteScriptlets
Signed-off-by: Igor Gnatenko <ignatenkobrain@fedoraproject.org>
2019-01-27 19:01:54 +01:00
Javier Martinez Canillas
bb036b8233
Don't exclude /etc/grub.d/01_fallback_counting anymore
This was causing issues but it should be fixed now.

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2018-12-17 12:58:43 +01:00