import grub2-2.06-70.el9_3.2.inferit

i9 changed/i9/grub2-2.06-70.el9_3.2.inferit
Arkady L. Shane 10 months ago
parent 73a3ee0778
commit 00422adb28
Signed by: tigro
GPG Key ID: 1EC08A25C9DB2503

@ -0,0 +1,73 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Fedora Ninjas <grub2-owner@fedoraproject.org>
Date: Tue, 8 Aug 2023 05:44:48 -0400
Subject: [PATCH] grub-mkconfig dont overwrite BLS cmdline if BLSCFG
If GRUB_ENABLE_BLSCFG is true, running grub2-mkconfig will not
overwrite kernel cmdline in BLS snippets with what is in
GRUB_CMDLINE_LINUX in /etc/default/grub. Update can be forced by
sending new arg --update-bls-cmdline
Signed-off-by: mkl <mlewando@redhat.com>
---
util/grub-mkconfig.in | 10 ++++++++++
util/grub.d/10_linux.in | 4 +++-
2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
index 520a672cd2c8..30a2d097823d 100644
--- a/util/grub-mkconfig.in
+++ b/util/grub-mkconfig.in
@@ -51,6 +51,7 @@ export TEXTDOMAIN=@PACKAGE@
export TEXTDOMAINDIR="@localedir@"
export GRUB_GRUBENV_UPDATE="yes"
+export GRUB_UPDATE_BLS_CMDLINE="yes"
. "${pkgdatadir}/grub-mkconfig_lib"
@@ -62,6 +63,7 @@ usage () {
echo
print_option_help "-o, --output=$(gettext FILE)" "$(gettext "output generated config to FILE [default=stdout]")"
print_option_help "--no-grubenv-update" "$(gettext "do not update variables in the grubenv file")"
+ print_option_help "--update-bls-cmdline" "$(gettext "overwrite BLS cmdline args with default args")"
print_option_help "-h, --help" "$(gettext "print this message and exit")"
print_option_help "-V, --version" "$(gettext "print the version information and exit")"
echo
@@ -100,6 +102,9 @@ do
--no-grubenv-update)
GRUB_GRUBENV_UPDATE="no"
;;
+ --update-bls-cmdline)
+ bls_cmdline_update=true
+ ;;
-*)
gettext_printf "Unrecognized option \`%s'\n" "$option" 1>&2
usage
@@ -167,6 +172,11 @@ fi
eval "$("${grub_get_kernel_settings}")" || true
+if [ "x${GRUB_ENABLE_BLSCFG}" = "xtrue" ] && \
+ [ "x${bls_cmdline_update}" != "xtrue" ]; then
+ GRUB_UPDATE_BLS_CMDLINE="no"
+fi
+
if [ "x${GRUB_DISABLE_UUID}" = "xtrue" ]; then
if [ -z "${GRUB_DISABLE_LINUX_UUID}" ]; then
GRUB_DISABLE_LINUX_UUID="true"
diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in
index 4795a63b4ce6..76fc21fb6528 100644
--- a/util/grub.d/10_linux.in
+++ b/util/grub.d/10_linux.in
@@ -265,7 +265,9 @@ if [ -z "\${kernelopts}" ]; then
fi
EOF
- if [ "x${GRUB_GRUBENV_UPDATE}" = "xyes" ]; then
+ if [ "x${GRUB_UPDATE_BLS_CMDLINE}" = "xyes" ] || \
+ ( [ -w /etc/kernel ] && [[ ! -f /etc/kernel/cmdline ]] && \
+ [ "x${GRUB_GRUBENV_UPDATE}" = "xyes" ] ); then
update_bls_cmdline
fi
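Review bot: `bls_cmdline_update` is assigned only in the new `--update-bls-cmdline` case arm of util/grub-mkconfig.in, and none of the ten lines this patch adds initialises it. The later test `[ "x${bls_cmdline_update}" != "xtrue" ]` therefore reads whatever value the variable already has in the caller's environment. Unless it is initialised in a part of the script outside these hunks, an inherited `bls_cmdline_update=true` makes grub2-mkconfig rewrite the kernel command line in the BLS snippets even though the flag was not passed. Adding `bls_cmdline_update=false` before the option loop makes the default explicit.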

@ -0,0 +1,37 @@
From f4f134582912851628e15df4963b3b8a6652aa26 Mon Sep 17 00:00:00 2001
From: Marta Lewandowska <mlewando@redhat.com>
Date: Tue, 29 Aug 2023 16:40:47 +0200
Subject: [PATCH] grub2-mkconfig: Pass all boot params when used by anaconda
Previous patch makes it so that the machine can boot, but not all
boot params are passed from /etc/default/grub to BLS snippets
because /etc/default/grub gets written by anaconda during boot
loader installation, long after grub rpms first got installed.
Signed-off-by: Marta Lewandowska <mlewando@redhat.com>
---
util/grub.d/10_linux.in | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in
index 76fc21fb6528..041a11529588 100644
--- a/util/grub.d/10_linux.in
+++ b/util/grub.d/10_linux.in
@@ -265,9 +265,11 @@ if [ -z "\${kernelopts}" ]; then
fi
EOF
- if [ "x${GRUB_UPDATE_BLS_CMDLINE}" = "xyes" ] || \
- ( [ -w /etc/kernel ] && [[ ! -f /etc/kernel/cmdline ]] && \
- [ "x${GRUB_GRUBENV_UPDATE}" = "xyes" ] ); then
+ if [ "x${GRUB_UPDATE_BLS_CMDLINE}" = "xyes" ] || [[ -d /run/install ]]; then
+ # only update the bls cmdline if the user specifically requests it or _anytime_
+ # in the installer environment: /run/install directory only exists during the
+ # installation and not in cloud images, so this should get all the boot params
+ # from /etc/default/grub into BLS snippets
update_bls_cmdline
fi
--
2.41.0
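Review bot: The new condition in util/grub.d/10_linux.in uses `[[ -d /run/install ]]`, a bash extension, on the same line as a POSIX `[ ... ]` test. The script's interpreter line is outside the hunk, but if it runs under a plain POSIX sh the `[[` test fails as an unknown command and the installer case never triggers, without any error stopping the run. `[ -d /run/install ]` does the same check portably. The explanatory comment would also read better above the `if` than inside its body, and it should say that the existence of /run/install is the only signal being trusted to detect the installer environment.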

@ -0,0 +1,159 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Marta Lewandowska <mlewando@redhat.com>
Date: Mon, 9 Oct 2023 08:53:18 +0200
Subject: [PATCH] search command: add flag to only search root dev
bz#2223437
Signed-off-by: Marta Lewandowska <mlewando@redhat.com>
---
grub-core/commands/search.c | 36 ++++++++++++++++++++++++++++++++++++
grub-core/commands/search_wrap.c | 5 +++++
grub-core/kern/misc.c | 30 ++++++++++++++++++++++++++++++
include/grub/misc.h | 1 +
include/grub/search.h | 3 ++-
5 files changed, 74 insertions(+), 1 deletion(-)
diff --git a/grub-core/commands/search.c b/grub-core/commands/search.c
index 57d26ced8a8e..94fe8b2872a1 100644
--- a/grub-core/commands/search.c
+++ b/grub-core/commands/search.c
@@ -85,6 +85,42 @@ iterate_device (const char *name, void *data)
grub_device_close (dev);
}
+ /* Skip it if it's not the root device when requested. */
+ if (ctx->flags & SEARCH_FLAGS_ROOTDEV_ONLY)
+ {
+ const char *root_dev;
+ root_dev = grub_env_get ("root");
+ if (root_dev != NULL && *root_dev != '\0')
+ {
+ char *root_disk = grub_malloc (grub_strlen(root_dev) + 1);
+ char *name_disk = grub_malloc (grub_strlen(name) + 1);
+ char *rem_1 = grub_malloc(grub_strlen(root_dev) + 1);
+ char *rem_2 = grub_malloc(grub_strlen(name) + 1);
+
+ if (root_disk != NULL && name_disk != NULL &&
+ rem_1 != NULL && rem_2 != NULL)
+ {
+ /* get just the disk name; partitions will be different. */
+ grub_str_sep (root_dev, root_disk, ',', rem_1);
+ grub_str_sep (name, name_disk, ',', rem_2);
+ if (root_disk != NULL && *root_disk != '\0' &&
+ name_disk != NULL && *name_disk != '\0')
+ if (grub_strcmp(root_disk, name_disk) != 0)
+ {
+ grub_free (root_disk);
+ grub_free (name_disk);
+ grub_free (rem_1);
+ grub_free (rem_2);
+ return 0;
+ }
+ }
+ grub_free (root_disk);
+ grub_free (name_disk);
+ grub_free (rem_1);
+ grub_free (rem_2);
+ }
+ }
+
#ifdef DO_SEARCH_FS_UUID
#define compare_fn grub_strcasecmp
#else
diff --git a/grub-core/commands/search_wrap.c b/grub-core/commands/search_wrap.c
index 0b62acf85359..06b5f51eefb5 100644
--- a/grub-core/commands/search_wrap.c
+++ b/grub-core/commands/search_wrap.c
@@ -41,6 +41,7 @@ static const struct grub_arg_option options[] =
ARG_TYPE_STRING},
{"no-floppy", 'n', 0, N_("Do not probe any floppy drive."), 0, 0},
{"efidisk-only", 0, 0, N_("Only probe EFI disks."), 0, 0},
+ {"root-dev-only", 'r', 0, N_("Only probe root device."), 0, 0},
{"hint", 'h', GRUB_ARG_OPTION_REPEATABLE,
N_("First try the device HINT. If HINT ends in comma, "
"also try subpartitions"), N_("HINT"), ARG_TYPE_STRING},
@@ -75,6 +76,7 @@ enum options
SEARCH_SET,
SEARCH_NO_FLOPPY,
SEARCH_EFIDISK_ONLY,
+ SEARCH_ROOTDEV_ONLY,
SEARCH_HINT,
SEARCH_HINT_IEEE1275,
SEARCH_HINT_BIOS,
@@ -189,6 +191,9 @@ grub_cmd_search (grub_extcmd_context_t ctxt, int argc, char **args)
if (state[SEARCH_EFIDISK_ONLY].set)
flags |= SEARCH_FLAGS_EFIDISK_ONLY;
+ if (state[SEARCH_ROOTDEV_ONLY].set)
+ flags |= SEARCH_FLAGS_ROOTDEV_ONLY;
+
if (state[SEARCH_LABEL].set)
grub_search_label (id, var, flags, hints, nhints);
else if (state[SEARCH_FS_UUID].set)
diff --git a/grub-core/kern/misc.c b/grub-core/kern/misc.c
index cb454614022f..50af9ee1bdd9 100644
--- a/grub-core/kern/misc.c
+++ b/grub-core/kern/misc.c
@@ -619,6 +619,36 @@ grub_reverse (char *str)
}
}
+/* Separate string into two parts, broken up by delimiter delim. */
+void
+grub_str_sep (const char *s, char *p, char delim, char *r)
+{
+ char* t = grub_strndup(s, grub_strlen(s));
+
+ if (t != NULL && *t != '\0')
+ {
+ char* tmp = t;
+
+ while (((*p = *t) != '\0') && ((*p = *t) != delim))
+ {
+ p++;
+ t++;
+ }
+ *p = '\0';
+
+ if (*t != '\0')
+ {
+ t++;
+ while ((*r++ = *t++) != '\0')
+ ;
+ *r = '\0';
+ }
+ grub_free (tmp);
+ }
+ else
+ grub_free (t);
+}
+
/* Divide N by D, return the quotient, and store the remainder in *R. */
grub_uint64_t
grub_divmod64 (grub_uint64_t n, grub_uint64_t d, grub_uint64_t *r)
diff --git a/include/grub/misc.h b/include/grub/misc.h
index faae0ae8606c..981526644d29 100644
--- a/include/grub/misc.h
+++ b/include/grub/misc.h
@@ -314,6 +314,7 @@ void *EXPORT_FUNC(grub_memset) (void *s, int c, grub_size_t n);
grub_size_t EXPORT_FUNC(grub_strlen) (const char *s) WARN_UNUSED_RESULT;
int EXPORT_FUNC(grub_printf) (const char *fmt, ...) __attribute__ ((format (GNU_PRINTF, 1, 2)));
int EXPORT_FUNC(grub_printf_) (const char *fmt, ...) __attribute__ ((format (GNU_PRINTF, 1, 2)));
+void EXPORT_FUNC(grub_str_sep) (const char *s, char *p, char delim, char *r);
/* Replace all `ch' characters of `input' with `with' and copy the
result into `output'; return EOS address of `output'. */
diff --git a/include/grub/search.h b/include/grub/search.h
index 4190aeb2cbf5..321d1400e451 100644
--- a/include/grub/search.h
+++ b/include/grub/search.h
@@ -22,7 +22,8 @@
enum search_flags
{
SEARCH_FLAGS_NO_FLOPPY = 1,
- SEARCH_FLAGS_EFIDISK_ONLY = 2
+ SEARCH_FLAGS_EFIDISK_ONLY = 2,
+ SEARCH_FLAGS_ROOTDEV_ONLY = 4
};
void grub_search_fs_file (const char *key, const char *var,
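Review bot: The root-device filter added to iterate_device in grub-core/commands/search.c (the function starts and continues outside the hunk) fails open: if any of the four grub_malloc calls returns NULL, or `root` is unset or empty, the block falls through and the device is probed as if --root-dev-only had not been given. The spec changelog on this page ties the flag to CVE-2023-4001, so an allocation failure should skip the device rather than accept it: free the buffers and `return 0;`, as the mismatch branch already does. Relatedly, grub_str_sep in grub-core/kern/misc.c writes nothing to `p` or `r` when grub_strndup fails or `s` is empty, and nothing to `r` when no delimiter is found, so the caller's `*root_disk != '\0'` test and grub_strcmp can read uninitialised heap memory. Starting the function with `*p = '\0'; *r = '\0';` removes that. Its header comment should also state that both output buffers must hold at least grub_strlen (s) + 1 bytes, because the function takes no sizes.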

@ -30,6 +30,7 @@
-e 's/-fcf-protection//g' \\\
-e 's/-fasynchronous-unwind-tables//g' \\\
-e 's/^/ -fno-strict-aliasing /' \\\
-e 's,-march=x86-64-v[[:alnum:]._-]*,-march=x86-64,g' \\\
%{nil}
%global host_cflags %{expand:%%(echo %{build_cflags} %{?_hardening_cflags} | %{cflags_sed})}

@ -324,3 +324,6 @@ Patch0323: 0323-util-Enable-default-kernel-for-updates.patch
Patch0324: 0324-kern-ieee1275-init-Convert-plain-numbers-to-constant.patch
Patch0325: 0325-kern-ieee1275-init-Extended-support-in-Vec5.patch
Patch0326: 0326-efi-http-change-uint32_t-to-uintn_t.patch
Patch0327: 0327-grub-mkconfig-dont-overwrite-BLS-cmdline-if-BLSCFG.patch
Patch0328: 0328-grub2-mkconfig-Pass-all-boot-params-when-used-by-ana.patch
Patch0329: 0329-search-command-add-flag-to-only-search-root-dev.patch

@ -1,4 +1,4 @@
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,3,Free Software Foundation,grub,@@VERSION@@,https//www.gnu.org/software/grub/
grub.rh,2,Red Hat,grub2,@@RHEL_VERSION_RELEASE@@,mailto:secalert@redhat.com
grub.msvsphere,2,MSVSphere,grub2,@@VERSION_RELEASE@@,mailto:security@msvsphere.ru
grub.msvsphere,2,MSVSphere,grub2,@@VERSION_RELEASE@@,mailto:security@msvsphere-os.ru

@ -1,7 +1,6 @@
%global efi_vendor msvsphere
%global efidir msvsphere
%global efi_esp_dir /boot/efi/EFI/%{efidir}
# This package calls binutils components directly and would need to pass
# in flags to enable the LTO plugins
# Disable LTO
@ -20,7 +19,7 @@
Name: grub2
Epoch: 1
Version: 2.06
Release: 61%{?dist}.1.inferit.1
Release: 70%{?dist}.2.inferit
Summary: Bootloader with support for Linux, Multiboot and more
License: GPLv3+
URL: http://www.gnu.org/software/grub/
@ -43,7 +42,8 @@ Source12: sbat.csv.in
%define sb_ca %{_datadir}/pki/sb-certs/secureboot-ca-%{_arch}.cer
%define sb_cer %{_datadir}/pki/sb-certs/secureboot-grub2-%{_arch}.cer
%define sb_key spheresecureboot001
%define sb_key spheresecureboot001
BuildRequires: gcc efi-srpm-macros
BuildRequires: flex bison binutils python3
@ -339,7 +339,7 @@ BOOT_UUID=$(%{name}-probe --target=fs_uuid ${GRUB_HOME})
GRUB_DIR=$(%{name}-mkrelpath ${GRUB_HOME})
cat << EOF > ${EFI_HOME}/grub.cfg.stb
search --no-floppy --fs-uuid --set=dev ${BOOT_UUID}
search --no-floppy --root-dev-only --fs-uuid --set=dev ${BOOT_UUID}
set prefix=(\$dev)${GRUB_DIR}
export \$prefix
configfile \$prefix/grub.cfg
@ -523,19 +523,72 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg
%endif
%changelog
* Fri Oct 27 2023 Arkady L. Shane <tigro@msvsphere-os.ru> - 2.06-61.inferit.1
- Drop brackets from grub menu (INF-738)
* Thu Jan 4 2024 Nicolas Frayer <nfrayer@redhat.com> - 2.06-70.el9_3.2
- search command: add flag to only search root dev
(CVE-2023-4001)
- Resolves: #RHEL-20525
* Fri Jun 16 2023 Nicolas Frayer <nfrayer@redhat.com> - 2.06-61.el9_2.1
- Sync with 9.3 (actually 2.06-65)
- Resolves: #2216022
* Fri Oct 27 2023 Arkady L. Shane <tigro@msvsphere-os.ru> - 2.06-70.el9_3.1.inferit.1
- Drop brackets from grub menu (INF-738)
* Tue May 23 2023 Eugene Zamriy <ezamriy@msvsphere.ru> - 2.06-61.inferit
* Thu Oct 12 2023 Sergey Cherevko <s.cherevko@msvsphere-os.ru> - 2.06-70.el9_3.1.inferit
- Modified to use MSVSphere Secure Boot certificates
- Rebuilt for MSVSphere 9.2
* Wed Mar 15 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 2.06-46
- Rebuilt for MSVSphere 9.1.
(changes from Eugene Zamriy <ezamriy@msvsphere-os.ru> have been applied)
- Rebuilt for MSVSphere 9.3
* Thu Sep 7 2023 Nicolas Frayer <nfrayer@redhat.com> - 2.06-70.el9_3.1
- Bump spec release version
- Related: #2203203
- Related: #2212320
- Related: #2221543
* Tue Aug 29 2023 Nicolas Frayer <nfrayer@redhat.com> - 2.06-70
- grub2-mkconfig: Pass all boot params when used by anaconda
- Resolves: #2203203
- Resolves: #2212320
- Resolves: #2221543
* Thu Aug 24 2023 Nicolas Frayer <nfrayer@redhat.com> - 2.06-69
- grub2-mkconfig: dont overwrite BLS cmdline if BLSCFG is true
- This is an updated version of the 2.06-67 patch
- Resolves: #2203203
- Resolves: #2212320
- Resolves: #2221543
* Wed Aug 2 2023 Nicolas Frayer <nfrayer@redhat.com> - 2.06-68
- Revert previous patch as it breaks install
- Related: #2203203
- Related: #2212320
- Related: #2221543
* Mon Jul 24 2023 Nicolas Frayer <nfrayer@redhat.com> - 2.06-67
- grub2-mkconfig: dont overwrite BLS cmdline if BLSCFG is true
- Resolves: #2203203
- Resolves: #2212320
- Resolves: #2221543
* Thu Jul 20 2023 Nicolas Frayer <nfrayer@redhat.com> - 2.06-66
- build with baseline ISA flags
- Resolves: #2215860
* Wed Jun 07 2023 Nicolas Frayer <nfrayer@redhat.com> - 2.06-65
- efi/http: change uint32_t to uintn_t
- Resolves: #2207851
* Fri May 26 2023 Nicolas Frayer <nfrayer@redhat.com> - 2.06-64
- kern/ieee1275/init: sync vec5 patchset with upstream
- Resolves: #2183939
* Wed May 24 2023 Nicolas Frayer <nfrayer@redhat.com> - 2.06-63
- util: Enable default kernel for updates
- Resolves: #2184069
* Tue May 23 2023 Javier Martinez Canillas <javierm@redhat.com> - 2.06-62
- 20-grub-install: Explicitly check '+debug' suffix for debug kernels
- Resolves: #2148351
* Fri Apr 14 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 2.06-61
- Rebuilt for MSVSphere 9.2 beta
* Mon Feb 20 2023 Robbie Harwood <rharwood@redhat.com> - 2.06-61
- ppc64le sysfs and mm update
