The previous commits, especially b14117, unified the grub config
locations across all platforms. In brief, this means that in the
case of EFI, the config file in the EFI System Partition (ESP)
is now meant to be a small stub config file that will in turn
load the main configuration in /boot/grub2, which is used on
all other platforms as well. For new installations all this is
done by the Anaconda installer. But existing installations also
need to be adapted.
Add a %posttrans script to the grub2-common package that will,
if a non-unified installation is detected, transition it into
a unified one. This is done by moving the main grub.cfg file
from the ESP to /boot/grub2, creating minimal stub on the ESP
instead. Additionally, the grubenv file is also moved from the
ESP to /boot/grub2.
The detection of the non-unified installation is done by
checking if the grub.cfg on the ESP contains the 'configfile'
directive. If so, it is assumed the system has a unified
grub configuration.
Signed-off-by: Christian Kellner <christian@kellner.me>
- Remove -fcf-protection compiler flag to allow i386 builds (law)
Related: rhbz#1915452
- Unify GRUB configuration file location across all platforms
Related: rhbz#1918817
- Add 'at_keyboard_fallback_set' var to force the set manually (rmetrich)
- Add appended signatures support for ppc64le LPAR Secure Boot (daxtens)
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Users can unintentionally remove the grub2 packages and break their system
by deleting the bootloader. To prevent this mark them as protected by DNF.
Resolves: rhbz#1874541
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
The /boot/grub2/grubenv file is not installed by the grub2 packages but
is either a symbolic link created on %install or a regular file created
by Anaconda during installation.
This is causing the tps-rpmtest to fail in some architectures since the
file attributes don't match what's expected by the package. Because is
a special file, make verification to ignore the size, mode, checksum
and mtime attributes.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
OSTree doesn't support installations that don't have a boot partition. The
BLS snippets assume that there will be one, so this has to be checked and
only mark GRUB as supporting BLS in OSTree systems have a boot partition.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
The Default Boot Behavior for EFI if no BootOrder and Boot#### variables
are found is to look for an ESP and start \EFI\BOOT\BOOT{$arch}.efi.
This is usually fallback.efi installed by the shim package, but since shim
isn't used on armv7, there's no \EFI\BOOT\BOOTARM.EFI installed in the ESP.
So install GRUB as \EFI\BOOT\BOOTARM.EFI for armv7 so there is a default
EFI binary to be started.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Since GRUB 2.04 there is support for TPM measurements in a tpm module that
uses the verifiers framework. So this is used now instead of the previous
downstream patches that we were carrying.
But we forgot to enable this module when rebasing to 2.04 which leads to
GRUB no longer measuring the kernel, initrd and command line parameters.
One side effect of using the verifiers framework is that if measurements
fail, GRUB won't be able to open the files since the errors from the tpm
module are propagated. This means that a firmware with a buggy tpm support
will prevent the machine to boot, which was not the case with the previous
downstream patches. Don't propagate the measurement errors to prevent this.
Resolves: rhbz#1836433
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
The kernel cmdline was stored as a kernelopts variable in the grubenv file
and the BLS snippets used that. But this turned out to be fragile since the
grubenv file could be removed or get corrupted easily.
To prevent the entries to not have a cmdline if the grubenv can't be read,
a fallback variable was set in the GRUB config file. But this still caused
issues since the config needs to be re-generated to change the parameters.
Instead, let's store the cmdline in the BLS snippets. This will make the
configuration more robust, since it will work even without the grubenv
file and the BLS entries will contain all the information needed to boot.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
blscfg: Lookup default_kernelopts variable as fallback for options
Related: rhbz#1765297
10_linux.in: fix early exit due error when reading petitboot version
Resolves: rhbz#1827397
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
The logic to parse the BLS configs to generate a set of menuentry commands
that's needed on ppc64le machines with bootloaders that don't have support
to parse BLS config directly, was implemented in a 10_linux_bls script.
But there's no need to have a separate script just for this and this logic
can be merged into the 10_linux script to avoid code duplication.
Also since the blscfg module will also now be used by ostree-based distros
there is a possible corner case in which a user set the blsdir variable to
a BLS directory path that is different than the default used by ostree.
So to avoid possible issues, only drop the marker file to specify that the
bootloader has support to parse BLS files if this variable hasn't been set.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
- Add riscv64 support to grub.macros and RISC-V build fixes (davidlt)
- blscfg: Always use the root variable to search for BLS snippets
- bootstrap.conf: Force autogen.sh to use python3
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
cmurf and javierm noticed[0] that we don't have zstd enabled, and that could
cause issues in some cases for /boot on btrfs subvolumes. This adds it to our
module list.
[0] https://github.com/rhinstaller/anaconda/pull/2255#discussion_r359123085
Related: rhbz#1418336
Signed-off-by: Peter Jones <pjones@redhat.com>
This gets rid of the vestigial remnants of the now-obsolete
release-to-master.patch , and moves gnulib to be earlier in our source list.
Signed-off-by: Peter Jones <pjones@redhat.com>
- Various grub2 cleanups (pbrobinson)
- Another fix for blscfg variable expansion support
- blscfg: Add support for sorting the plus ('+') higher than base version
Resolves: rhbz#1767395
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
- drop deprecated groups from the macros file, already gone from main spec.
- don't ship arch specific bits in tools-extra that are already special cased in tools
- move grub2-glue-efi to tools-efi, it's Mac specific and there's othe Mac efi tools there
- drop tools-extra dep for efi binaries, all in tools-efi and anaconda deals with that
- put grub2-install man page in the right package with the util
- other minor cleanups
- 20-grub-install: Don't add an id field to generated BLS snippets
- 99-grub-mkconfig: Disable BLS usage for Xen machines
Resolves: rhbz#1703700
- Don't add a class option to menu entries generated for ppc64le
Resolves: rhbz#1758225
- 10_linux.in: Also use GRUB_CMDLINE_LINUX_DEFAULT to set kernelopts
- blscfg: Don't hardcode an env var as fallback for the BLS options field
Resolves: rhbz#1710483
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
- A couple of RISC-V fixes
- Remove grub2-tools %%posttrans scriptlet that migrates to a BLS config
- Add blscfg device tree support
Resolves: rhbz#1751307
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
This change updates grub to the 2.04 release. The new release changed how
grub is built, so the bootstrap and bootstrap.conf files have to be added
to the dist-git. Also, the gitignore file changed so it has to be updated.
Since the patches have been forward ported to 2.04, there's no need for a
logic to maintain a patch with the delta between the release and the grub
master branch. So the release-to-master.patch is dropped and no longer is
updated by the do-rebase script.
Also since gnulib isn't part of the grub repository anymore and cloned by
the boostrap tool, a gnulib tarball is included as other source file and
copied before calling the bootstrap tool. That way grub can be built even
in builders that only have access to the sources lookaside cache.
Resolves: rhbz#1727279
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Releng attempted to build the grub2 package as a part of the Fedora 31
mass rebuild [0], but this failed due lack of credentials to build the
grub2 package. Do a manual build for the rebuild to succeed.
[0]: https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
The BLS files are copied from /lib/modules/$(uname -r)/bls.conf and this
file has a SELinux label of "system_u:object_r:modules_object_t" like all
the other files that are installed by the kernel package.
But the files in the /boot directory are expected to have a SELinux label
of "system_u:object_r:boot_t". For all the other files that are copied to
/boot by the kernel-install script, the SELinux security contexts are
restored to the default but that was missing for the BLS files.
Resolves: rhbz#1726020
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
The btrfs snapshot submenu was removed because it broke the old grubby tool
since it searched for "menuentry". But now that a BLS config is supported,
this can be added again as long as grubby isn't used.
This patch also moves the grub2-probe tool to the tools-minimal package to
prevent a circular dependency since the grub2-tools package depends on the
os-prober package, but os-prober package needs grub2-probe as a dependency.
So instead of making os-prober to depend on grub2-tools, it can be made to
depend on the grub2-tools-minimal subpackage.
Resolves: rhbz#1715994
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
This change reorganizes and cleanups our patches to reduce the patch number
from 314 patches to 187. That's achieved by dropping patches that are later
reverted and squashing fixes for earlier patches that introduced features.
There are no code changes and the diff with upstream is the same before and
after the cleanup. Having fewer patches makes easier to manage the patchset
and also will ease to rebase them on top of the latest grub-2.04 release.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Building the multiboot and multiboot2 modules was disabled for EFI builds.
But that made the menu entries created by the Xen package to stop working
since they use the multiboot2 module.
The modules were disabled modules because they can be used to bypass the
Secure Boot mechanism. But it's enough to not include these modules in the
grub2 EFI binary that's signed, which is the case already in the grub2 pkg.
Having them as modules if the user installs the grub2-efi-x64-modules is
a valid use case. And since module loading isn't allowed when Secure Boot
is enabled, it doesn't represent any security threat.
Resolves: rhbz#1703872
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
