From 1b8ef8a8a2661f649e9f8a222d4f6419b2a81726 Mon Sep 17 00:00:00 2001 From: tigro Date: Wed, 20 Dec 2023 13:02:27 +0300 Subject: [PATCH] Modified to use MSVSphere Secure Boot certificates --- .grub2.metadata | 8 ++------ SOURCES/grub.macros | 8 +++++++- SOURCES/sbat.csv.in | 3 ++- SPECS/grub2.spec | 44 ++++++++++++++++++++++++++++---------------- 4 files changed, 39 insertions(+), 24 deletions(-) diff --git a/.grub2.metadata b/.grub2.metadata index c0c9b64..7a75b15 100644 --- a/.grub2.metadata +++ b/.grub2.metadata @@ -1,9 +1,5 @@ 3d7eb6eaab28b88cb969ba9ab24af959f4d1b178 SOURCES/grub-2.02.tar.xz -4a07b56e28741884b86da6ac91f8f9929541a1e4 SOURCES/redhatsecureboot301.cer -3f94c47f1d08bacc7cb29bdd912e286b8d2f6fcf SOURCES/redhatsecureboot502.cer -039357ef97aab3e484d1119edd4528156f5859e6 SOURCES/redhatsecureboot601.cer -e89890ca0ded2f9058651cc5fa838b78db2e6cc2 SOURCES/redhatsecureboot701.cer -cf9230e69000076727e5b784ec871d22716dc5da SOURCES/redhatsecurebootca3.cer -e6f506462069aa17d2e8610503635c20f3a995c3 SOURCES/redhatsecurebootca5.cer cf0b7763c528902da7e8b05cfa248f20c8825ce5 SOURCES/theme.tar.bz2 87f8600ba24e521b5d20bdf6c4b71af8ae861e3a SOURCES/unifont-5.1.20080820.pcf.gz +57720b361064834b4878229b61aa0a74b66e1037 SOURCES/spheresecureboot001.cer +5dfa9ba02dc64f6bf3275f2a150e369a181b9e02 SOURCES/spheresecurebootca.cer diff --git a/SOURCES/grub.macros b/SOURCES/grub.macros index c9ed442..3f20cd2 100644 --- a/SOURCES/grub.macros +++ b/SOURCES/grub.macros 
@@ -285,7 +285,13 @@ Requires: %{name}-common = %{evr} \ Requires: %{name}-tools-minimal >= %{evr} \ Requires: %{name}-tools-extra = %{evr} \ Requires: %{name}-tools = %{evr} \ +Requires: %{efi_esp_dir}/shim%%(echo %{1} | cut -d- -f2).efi \ Provides: %{name}-efi = %{evr} \ +Provides: msvsphere(grub2-sig-key) = 202303 \ +%{expand:%%ifarch x86_64 \ +Conflicts: shim-x64 <= 15.6-1.el8.inferit \ +Conflicts: shim-ia32 <= 15.6-1.el8.inferit \ +%%endif} \ %{?legacy_provides:Provides: %{name} = %{evr}} \ %{-o:Obsoletes: %{name}-efi < %{evr}} \ \ @@ -540,7 +546,7 @@ install -D -m 700 unicode.pf2 \\\ $RPM_BUILD_ROOT%{efi_esp_dir}/fonts/unicode.pf2 \ ${RPM_BUILD_ROOT}/%{_bindir}/%{name}-editenv \\\ ${RPM_BUILD_ROOT}%{efi_esp_dir}/grubenv create \ -ln -sf ../efi/EFI/%{efi_vendor}/grubenv \\\ +ln -sf ../efi/EFI/%{efidir}/grubenv \\\ $RPM_BUILD_ROOT/boot/grub2/grubenv \ cd .. \ %{nil} diff --git a/SOURCES/sbat.csv.in b/SOURCES/sbat.csv.in index b338b5f..473ad95 100755 --- a/SOURCES/sbat.csv.in +++ b/SOURCES/sbat.csv.in @@ -1,3 +1,4 @@ sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md grub,3,Free Software Foundation,grub,@@VERSION@@,https//www.gnu.org/software/grub/ -grub.rh,2,Red Hat,grub2,@@VERSION_RELEASE@@,mailto:secalert@redhat.com +grub.rh,2,Red Hat,grub2,@@RHEL_VERSION_RELEASE@@,mailto:secalert@redhat.com +grub.msvsphere,2,MSVSphere,grub2,@@VERSION_RELEASE@@,mailto:security@msvsphere-os.ru diff --git a/SPECS/grub2.spec b/SPECS/grub2.spec index e3dddba..a929cdd 100644 --- a/SPECS/grub2.spec +++ b/SPECS/grub2.spec @@ -1,3 +1,7 @@ +%global efi_vendor msvsphere +%global efidir msvsphere +%global efi_esp_dir /boot/efi/EFI/%{efidir} + %undefine _hardened_build %global tarversion 2.02 
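Review bot: `Provides: msvsphere(grub2-sig-key) = 202303` hard-codes the signing-key generation in grub.macros, while the certificate it stands for (`spheresecureboot001`) is named separately in grub2.spec, so a later certificate rotation can update one and miss the other. The `Conflicts: shim-x64 <= 15.6-1.el8.inferit` and `shim-ia32` lines presumably fence off shim builds that do not trust this key, but nothing in the hunk says so. I would define the value once beside `%define sb_key` in grub2.spec, e.g. `%global grub2_sig_key_gen 202303`, with a comment tying it to the certificate, and write `Provides: msvsphere(grub2-sig-key) = %{grub2_sig_key_gen} \` here. That only works if the global is defined before this macro is expanded, and the macro body starts and ends outside the hunk.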
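Review bot: The added `grub.msvsphere,2,...` row starts the vendor component at generation 2, and the patch does not record why 2 was chosen or when it must be raised. This is the number shim's SBAT check compares against revocation data, so a generation that is not bumped after a vendor-specific fix leaves the affected builds bootable. The CSV cannot carry comments, so I would document the rule in grub2.spec next to `Source19: sbat.csv.in`, for example `# grub.msvsphere generation: raise when an MSVSphere-only GRUB fix must revoke earlier builds`. The retained `grub.rh` row now relies on `@@RHEL_VERSION_RELEASE@@` being substituted by the sed call in grub2.spec.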
@@ -24,12 +28,8 @@ Source6: gitignore Source8: strtoull_test.c Source9: 20-grub.install Source12: 99-grub-mkconfig.install -Source13: redhatsecurebootca3.cer -Source14: redhatsecureboot301.cer -Source15: redhatsecurebootca5.cer -Source16: redhatsecureboot502.cer -Source17: redhatsecureboot601.cer -Source18: redhatsecureboot701.cer +Source13: spheresecurebootca.cer +Source14: spheresecureboot001.cer Source19: sbat.csv.in %include %{SOURCE1} @@ -37,17 +37,14 @@ Source19: sbat.csv.in %if 0%{with_efi_arch} %define old_sb_ca %{SOURCE13} %define old_sb_cer %{SOURCE14} -%define old_sb_key redhatsecureboot301 -%define sb_ca %{SOURCE15} -%define sb_cer %{SOURCE16} -%define sb_key redhatsecureboot502 +%define old_sb_key spheresecureboot001 +%define sb_ca %{SOURCE13} +%define sb_cer %{SOURCE14} +%define sb_key spheresecureboot001 %endif -%ifarch ppc64le -%define old_sb_cer %{SOURCE17} -%define sb_cer %{SOURCE18} -%define sb_key redhatsecureboot702 -%endif +# MSVSphere: keep upstream EVR for RHEL SBAT entry +%define rhel_version_release $(echo %{version}-%{release} | sed 's/\.inferit.*//') # generate with do-rebase %include %{SOURCE2} @@ -166,7 +163,7 @@ This subpackage provides tools for support of all platforms. mkdir grub-%{grubefiarch}-%{tarversion} grep -A100000 '# stuff "make" creates' .gitignore > grub-%{grubefiarch}-%{tarversion}/.gitignore cp %{SOURCE4} grub-%{grubefiarch}-%{tarversion}/unifont.pcf.gz -sed -e "s,@@VERSION@@,%{version},g" -e "s,@@VERSION_RELEASE@@,%{version}-%{release},g" \ +sed -e "s,@@VERSION@@,%{version},g" -e "s,@@VERSION_RELEASE@@,%{version}-%{release},g" -e "s,@@RHEL_VERSION_RELEASE@@,%{rhel_version_release},g" \ %{SOURCE19} > grub-%{grubefiarch}-%{tarversion}/sbat.csv git add grub-%{grubefiarch}-%{tarversion} %endif 
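Review bot: In the `@@ -37,17 +37,14 @@` hunk, `old_sb_ca`/`old_sb_cer`/`old_sb_key` and `sb_ca`/`sb_cer`/`sb_key` now resolve to the same certificate pair (`%{SOURCE13}`, `%{SOURCE14}`, `spheresecureboot001`), and nothing says this is deliberate. Whatever grub.macros does with the old/new pair (not visible here, presumably two signing passes) is therefore applied twice with one key. The removed `%ifarch ppc64le` override also leaves that architecture without its own `sb_cer`/`sb_key`, which is fine only if ppc64le is never built. I would add a comment above the block such as `# MSVSphere ships a single signing certificate: old_sb_* intentionally alias sb_*, no ppc64le key`. Separately, `rhel_version_release` is a literal `$(...)` string, so it is only evaluated where it expands inside a shell context; that holds for the double-quoted sed expression in %prep but would not in a tag or a single-quoted string.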
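Review bot: Nothing after the extended sed call in the `@@ -166,7 +163,7 @@` hunk checks that every `@@…@@` placeholder in sbat.csv was actually replaced. A misspelled placeholder name in sbat.csv.in or in one of the `-e` expressions would pass through into the generated SBAT data, which is presumably what gets embedded in the signed image, without failing the build. I would add a guard right after the redirect, `if grep -q '@@' grub-%{grubefiarch}-%{tarversion}/sbat.csv; then exit 1; fi`. A one-line comment should also note that `%{rhel_version_release}` expands to a `$(...)` command substitution, so the expression must stay double-quoted. The enclosing `%if` block starts outside the hunk.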
@@ -341,6 +338,20 @@ if [ "$1" = 0 ]; then /sbin/install-info --delete --info-dir=%{_infodir} %{_infodir}/%{name}-dev.info.gz || : fi +%if 0%{with_efi_arch} +%posttrans %{package_arch} +if [ -d /sys/firmware/efi ] && [ ! -f %{efi_esp_dir}/grub.cfg ]; then + grub2-mkconfig -o %{efi_esp_dir}/grub.cfg || : +fi +%endif + +%if 0%{with_alt_efi_arch} +%posttrans %{alt_package_arch} +if [ -d /sys/firmware/efi ] && [ ! -f %{efi_esp_dir}/grub.cfg ]; then + grub2-mkconfig -o %{efi_esp_dir}/grub.cfg || : +fi +%endif + %files common -f grub.lang %dir %{_libdir}/grub/ %dir %{_datarootdir}/grub/ @@ -511,6 +522,7 @@ fi %changelog * Wed Dec 20 2023 Arkady L. Shane - 2.02-150.inferit +- Modified to use MSVSphere Secure Boot certificates - Drop brackets from grub menu (INF-738) * Wed Jul 26 2023 MSVSphere Packaging Team - 2.02-150
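Review bot: Both added `%posttrans` scriptlets discard a failing `grub2-mkconfig` with `|| :` and print nothing. An EFI system that had no `%{efi_esp_dir}/grub.cfg` can therefore finish the transaction still without one, and the administrator only finds out at the next boot. Keeping a zero exit status is reasonable for a scriptlet, but I would report the failure, e.g. `grub2-mkconfig -o %{efi_esp_dir}/grub.cfg || echo "grub2-mkconfig failed: %{efi_esp_dir}/grub.cfg was not created" >&2`. The two bodies are identical and neither says why the config is generated here. It is presumably because the ESP directory is now `msvsphere`, and a short comment stating that would help the next maintainer.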