commit grub2 for openSUSE:Factory
Hello community,
here is the log from the commit of package grub2 for openSUSE:Factory checked in at 2012-11-28 10:34:03
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/grub2 (Old)
and /work/SRC/openSUSE:Factory/.grub2.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "grub2", Maintainer is ""
Changes:
--------
--- /work/SRC/openSUSE:Factory/grub2/grub2.changes 2012-11-21 16:53:34.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.grub2.new/grub2.changes 2012-11-28 10:34:05.000000000 +0100
@@ -1,0 +2,36 @@
+Mon Nov 26 08:26:10 UTC 2012 - mchang@suse.com
+
+- ship a Secure Boot UEFI compatible bootloader (fate#314485)
+- added secureboot patches which introduces new linuxefi module
+ that is able to perform verifying signed images via exported
+ protocol from shim. The insmod command will not function if
+ secure boot enabled (as all modules should built in grub.efi
+ and signed).
+ - grub2-secureboot-add-linuxefi.patch
+ - grub2-secureboot-use-linuxefi-on-uefi.patch
+ - grub2-secureboot-no-insmod-on-sb.patch
+ - grub2-secureboot-provide-linuxefi-config.patch
+- Makefile.core.am : support building linuxefi module
+- Make grub.efi image that is with all relevant modules incorporated
+ and signed, it will be the second stage to the shim loader which
+ will verified it when secureboot enabled.
+- Make grub.efi's path to align with shim loader's default loader
+ lookup path.
+- The changes has been verified not affecting any factory instalation,
+ but will allow us to run & test secure boot setup manually with shim.
+
+-------------------------------------------------------------------
+Thu Nov 22 07:01:31 UTC 2012 - mchang@suse.com
+
+- ship a Secure Boot UEFI compatible bootloader (fate#314485)
+- In SLE-11 SP3, don't include any other architecture binaries
+ except EFI, so we split packages by architecture binaries to
+ meet the requirement.
+ - grub2 : common utilties and config etc
+ - grub2-efi : provide compatibilty to grub2-efi package
+ - grub2-i386-pc : binaries for x86 legacy pc firmware
+ - grub2-i386-efi : binaries for ia32 EFI firmware
+ - grub2-x86_64-efi : binaries for x86_64 firmware
+ - grub2-powerpc-ieee1275: binaries for powerpc open firmware
+
+-------------------------------------------------------------------
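Review bot: Both new entries open with the identical headline "ship a Secure Boot UEFI compatible bootloader (fate#314485)", so the 26 Nov entry reads as a repeat of the 22 Nov one. Consider a headline per entry that says what that entry changes (linuxefi plus the built-in, signed grub.efi in one, the per-architecture package split in the other). The insmod restriction under secure boot is a user-visible behaviour change and deserves its own bullet rather than a clause inside the patch description. Spelling to fix while here: "instalation", "utilties", "compatibilty".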
New:
----
grub2-secureboot-add-linuxefi.patch
grub2-secureboot-no-insmod-on-sb.patch
grub2-secureboot-provide-linuxefi-config.patch
grub2-secureboot-use-linuxefi-on-uefi.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ grub2.spec ++++++
--- /var/tmp/diff_new_pack.YyeckE/_old 2012-11-28 10:34:08.000000000 +0100
+++ /var/tmp/diff_new_pack.YyeckE/_new 2012-11-28 10:34:08.000000000 +0100
@@ -52,22 +52,43 @@
%define _libdir %{_exec_prefix}/lib
%ifarch ppc ppc64
+%define grubcpu powerpc
%define platform ieee1275
-%else
-%define platform pc
%endif
%ifarch %{ix86} x86_64
%define grubcpu i386
-%else
-%define grubcpu %{_target_cpu}
+%define platform pc
%endif
+%define grubarch %{grubcpu}-%{platform}
+
# build efi bootloader on some platforms only:
%if ! 0%{?efi}
%global efi %{ix86} x86_64 ia64
%endif
+%ifarch %{efi}
+%ifarch %{ix86}
+%define grubefiarch i386-efi
+%else
+%define grubefiarch %{_target_cpu}-efi
+%endif
+%endif
+
+%if 0%{?sles_version} == 11
+%define only_efi %{nil}
+%define only_x86_64 %{nil}
+%endif
+
+%if 0%{?sles_version}
+%global efidir SuSE
+%else
+%if 0%{?suse_version}
+%global efidir opensuse
+%endif
+%endif
+
Version: 2.00
Release: 0
Summary: Bootloader with support for Linux, Multiboot and more
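Review bot: efidir is only set inside the sles_version / suse_version conditionals at the end of this hunk, so a build where neither macro is defined leaves %{efidir} unexpanded in the grub-mkimage -p /EFI/%{efidir} prefix and in the install path used later in the spec. A final %else with a default, or an explicit build error, would close that gap. In the same way, removing the two %else fallbacks leaves grubcpu and platform undefined on any architecture outside ppc, ppc64, %{ix86} and x86_64 (ia64 is still in the efi list), while %define grubarch %{grubcpu}-%{platform} is unconditional.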
@@ -106,6 +127,10 @@
Patch18: grub2-fix-locale-en.mo.gz-not-found-error-message.patch
Patch19: grub2-fix-build-error-on-flex-2.5.37.patch
Patch20: grub2-quote-messages-in-grub.cfg.patch
+Patch21: grub2-secureboot-add-linuxefi.patch
+Patch22: grub2-secureboot-use-linuxefi-on-uefi.patch
+Patch23: grub2-secureboot-no-insmod-on-sb.patch
+Patch24: grub2-secureboot-provide-linuxefi-config.patch
PreReq: perl-Bootloader
Requires: gettext-runtime
%if 0%{?suse_version} >= 1140
@@ -113,10 +138,17 @@
%endif
Requires(post): /sbin/install-info
Requires(preun):/sbin/install-info
+%if ! 0%{?only_efi:1}
+Requires: grub2-%{grubarch} = %{version}-%{release}
+%endif
BuildRoot: %{_tmppath}/%{name}-%{version}-build
+%if 0%{?only_x86_64:1}
+ExclusiveArch: x86_64
+%else
ExclusiveArch: %{ix86} x86_64 ppc ppc64
+%endif
%description
This is the second version of the GRUB (Grand Unified Bootloader),
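Review bot: The new dependency "Requires: grub2-%{grubarch} = %{version}-%{release}" hardcodes the package name, while the PreReq lines added for the efi subpackage use %{name}-...; writing %{name}-%{grubarch} here keeps the two consistent. A short comment on why ExclusiveArch narrows to x86_64 under only_x86_64 would also help, since that macro is only ever set together with only_efi for sles_version 11.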
@@ -130,23 +162,47 @@
with it unless you know what are you doing. Refer to README.openSUSE
file that is part of this package's documentation for more information.
+%package %{grubarch}
+
+Summary: GRUB2 for %{platform} systems
+Group: System/Boot
+
+%description %{grubarch}
+The GRand Unified Bootloader (GRUB) is a highly configurable and customizable
+bootloader with modular architecture. It supports rich variety of kernel formats,
+file systems, computer architectures and hardware devices. This subpackage
+provides support for %{platform} systems.
+
%ifarch %{efi}
%package efi
Summary: GRUB2 for EFI systems
Group: System/Boot
+PreReq: %{name} = %{version}-%{release}
+PreReq: %{name}-%{grubefiarch} = %{version}-%{release}
+
+%description efi
+The GRand Unified Bootloader (GRUB) is a highly configurable and customizable
+bootloader with modular architecture. It supports rich variety of kernel formats,
+file systems, computer architectures and hardware devices. This subpackage
+provides compatibility to old package and install new required one.
+
+%package %{grubefiarch}
+
+Summary: GRUB2 for EFI systems
+Group: System/Boot
%ifarch ia64 x86_64
#Package is available on ia64 and x86_64 only and not necessarily needed
Requires: efibootmgr
%endif
-Requires: grub2 = %{version}-%{release}
-%description efi
+%description %{grubefiarch}
The GRand Unified Bootloader (GRUB) is a highly configurable and customizable
bootloader with modular architecture. It supports rich variety of kernel formats,
file systems, computer architectures and hardware devices. This subpackage
provides support for EFI systems.
+
%endif
%prep
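Review bot: "%package %{grubarch}" and its %description are declared unconditionally, but the matching "Requires: grub2-%{grubarch}" and the "%files %{grubarch}" section are both wrapped in "%if ! 0%{?only_efi:1}". Wrapping the declaration in the same conditional would make the package set of an only_efi build explicit instead of leaving a subpackage declared with no file list. The new grub2-efi description ("provides compatibility to old package and install new required one") could also say plainly that it is a transitional package that pulls in %{name}-%{grubefiarch}.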
@@ -182,6 +238,10 @@
%patch18 -p1
%patch19 -p1
%patch20 -p1
+%patch21 -p1
+%patch22 -p1
+%patch23 -p1
+%patch24 -p1
cd ..
# README.openSUSE
@@ -207,17 +267,32 @@
--with-platform=efi \
--program-transform-name=s,grub,%{name},
make %{?_smp_mflags}
-%ifarch %{ix86}
-%define grubefiarch i386-efi
+
+#TODO: add efifwsetup module
+
+FS_MODULES="ext2 fat btrfs ext2 xfs jfs reiserfs"
+CD_MODULES=" all_video boot cat chain configfile echo \
+ efinet ext2 font gfxmenu gfxterm gzio halt iso9660 \
+ jpeg minicmd normal part_apple part_msdos part_gpt \
+ password_pbkdf2 png reboot search search_fs_uuid \
+ search_fs_file search_label sleep test video"
+
+%ifarch x86_64
+CD_MODULES="${CD_MODULES} linuxefi"
%else
-%define grubefiarch %{_arch}-efi
+CD_MODULES="${CD_MODULES} linux"
%endif
-./grub-mkimage -O %{grubefiarch} -o grub.efi -d grub-core part_gpt hfsplus fat \
- ext2 btrfs normal chain boot configfile linux appleldr minicmd \
- loadbios reboot halt search font gfxterm
+
+GRUB_MODULES="${CD_MODULES} ${FS_MODULES} mdraid09 mdraid1x"
+./grub-mkimage -O %{grubefiarch} -o grub.efi -p /EFI/%{efidir} \
+ -d grub-core ${GRUB_MODULES}
+#./grub-mkimage -O %{grubefiarch} -o grub.efi -d grub-core part_gpt hfsplus fat \
+# ext2 btrfs normal chain boot configfile linux appleldr minicmd \
+# loadbios reboot halt search font gfxterm
cd ..
%endif
+%if ! 0%{?only_efi:1}
cd grub-%{version}
autoreconf -vi
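Review bot: The new GRUB_MODULES set drops hfsplus, appleldr and loadbios from the previous grub-mkimage list without a changelog line, and on x86_64 it swaps linux for linuxefi rather than adding it. Because the changelog states that insmod is refused when secure boot is enabled, anything not named here cannot be loaded later in that mode, so each removal should be deliberate and noted. Smaller points in the same lines: ext2 appears twice in FS_MODULES and again in CD_MODULES, and the commented-out old grub-mkimage call can be deleted since the history already records it.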
@@ -246,20 +321,25 @@
--program-transform-name=s,grub,%{name},
make %{?_smp_mflags}
+%endif
%install
%ifarch %{efi}
cd grub-efi-%{version}
make DESTDIR=$RPM_BUILD_ROOT install
-install -m 755 -d $RPM_BUILD_ROOT/boot/efi/EFI/opensuse/
-install -m 755 grub.efi $RPM_BUILD_ROOT/boot/efi/EFI/opensuse/grub.efi
+install -m 755 -d $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/
+install -m 755 grub.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/grub.efi
cd ..
%endif
+%if ! 0%{?only_efi:1}
cd grub-%{version}
make DESTDIR=$RPM_BUILD_ROOT install
+%else
+cd grub-efi-%{version}
+%endif
# Script that makes part of grub.cfg persist across updates
install -m 755 %{SOURCE1} $RPM_BUILD_ROOT%{_sysconfdir}/grub.d/
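Review bot: grub.efi is installed into /boot/efi/EFI/%{efidir}/ exactly as grub-mkimage produced it, and no signing step is visible in this spec, while the changelog says the image is signed and verified by shim. If signing happens outside the spec (for example in the build service), a comment here saying so would make it clear that the file shipped by this %install step is expected to be the signed one. The "%else cd grub-efi-%{version}" branch also assumes the EFI tree was built, which only holds when only_efi is set on an architecture inside %{efi}; tying the two conditions together or commenting the assumption would help.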
@@ -296,6 +376,7 @@
/sbin/install-info %{_infodir}/grub-dev.info %{_infodir}/dir || :
/sbin/install-info %{_infodir}/%{name}.info %{_infodir}/dir || :
+%if ! 0%{?only_efi:1}
# To check by current loader settings
if [ -f %{_sysconfdir}/sysconfig/bootloader ]; then
. %{_sysconfdir}/sysconfig/bootloader
@@ -333,6 +414,8 @@
# It's enought to call update-bootloader --refesh to install grub2 and update it's config
/sbin/update-bootloader --refresh || true
fi
+%endif
+
%ifarch %{efi}
@@ -406,6 +489,7 @@
/sbin/install-info --delete %{_infodir}/grub-dev.info %{_infodir}/dir || :
/sbin/install-info --delete %{_infodir}/%{name}.info %{_infodir}/dir || :
+%if ! 0%{?only_efi:1}
# To check by current loader settings
if [ -f %{_sysconfdir}/sysconfig/bootloader ]; then
. %{_sysconfdir}/sysconfig/bootloader
@@ -433,13 +517,19 @@
# we have no idea what's been installed. (And a blind remove is dangerous
# to remove user's or other package's file accidently ..)
fi
+%endif
fi
+%if 0%{?only_efi:1}
+%define source_dir grub-efi-%{version}
+%else
+%define source_dir grub-%{version}
+%endif
-%files -f grub-%{version}/%{name}.lang
+%files -f %{source_dir}/%{name}.lang
%defattr(-,root,root,-)
-%doc grub-%{version}/COPYING grub-%{version}/NEWS grub-%{version}/README
-%doc grub-%{version}/THANKS grub-%{version}/TODO grub-%{version}/ChangeLog
-%doc grub-%{version}/README.openSUSE
+%doc %{source_dir}/COPYING %{source_dir}/NEWS %{source_dir}/README
+%doc %{source_dir}/THANKS %{source_dir}/TODO %{source_dir}/ChangeLog
+%doc %{source_dir}/README.openSUSE
%dir /boot/%{name}
%ghost /boot/%{name}/grub.cfg
%{_sysconfdir}/bash_completion.d/grub
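Review bot: The "%define source_dir" block sits directly after the closing "fi" of the preceding scriptlet, so it reads as part of that script even though it only matters for the %files sections that follow. Moving it up next to the other path macros (grubarch, grubefiarch, efidir) keeps all build-variant switches in one place and makes the only_efi dependency of the %doc and .lang paths easier to find.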
@@ -470,22 +560,7 @@
%{_bindir}/%{name}-mkstandalone
%{_bindir}/%{name}-mount
%{_bindir}/%{name}-script-check
-%dir %{_libdir}/%{name}/
-%dir %{_libdir}/%{name}/%{grubcpu}-%{platform}/
-%ifnarch ppc ppc64
-%{_libdir}/%{name}/%{grubcpu}-%{platform}/*.image
-%endif
-%{_libdir}/%{name}/%{grubcpu}-%{platform}/*.img
-%{_libdir}/%{name}/%{grubcpu}-%{platform}/*.lst
-%{_libdir}/%{name}/%{grubcpu}-%{platform}/*.mod
-%{_libdir}/%{name}/%{grubcpu}-%{platform}/*.module
-%ifarch x86_64
-%{_libdir}/%{name}/%{grubcpu}-%{platform}/efiemu*.o
-%endif
-%{_libdir}/%{name}/%{grubcpu}-%{platform}/gdb_grub2
-%{_libdir}/%{name}/%{grubcpu}-%{platform}/gmodule.pl
-%{_libdir}/%{name}/%{grubcpu}-%{platform}/kernel.exec
-%{_libdir}/%{name}/%{grubcpu}-%{platform}/modinfo.sh
+%dir %{_libdir}/%{name}
%dir %{_datadir}/%{name}
%if 0%{?suse_version} >= 1140
%{_datadir}/%{name}/*.pf2
@@ -494,20 +569,43 @@
%{_infodir}/grub-dev.info*
%{_infodir}/%{name}.info*
-%ifarch %{efi}
+%if ! 0%{?only_efi:1}
+%files %{grubarch}
+%defattr(-,root,root,-)
+%dir %{_libdir}/%{name}/%{grubarch}
+%ifnarch ppc ppc64
+%{_libdir}/%{name}/%{grubarch}/*.image
+%endif
+%{_libdir}/%{name}/%{grubarch}/*.img
+%{_libdir}/%{name}/%{grubarch}/*.lst
+%{_libdir}/%{name}/%{grubarch}/*.mod
+%{_libdir}/%{name}/%{grubarch}/*.module
+%ifarch x86_64
+%{_libdir}/%{name}/%{grubarch}/efiemu*.o
+%endif
+%{_libdir}/%{name}/%{grubarch}/gdb_grub2
+%{_libdir}/%{name}/%{grubarch}/gmodule.pl
+%{_libdir}/%{name}/%{grubarch}/kernel.exec
+%{_libdir}/%{name}/%{grubarch}/modinfo.sh
+%endif
+%ifarch %{efi}
%files efi
%defattr(-,root,root,-)
-%dir /boot/efi
-%dir /boot/efi/EFI
-%dir /boot/efi/EFI/opensuse
-%attr(0755,root,root)/boot/efi/EFI/opensuse/grub.efi
+%doc %{source_dir}/README
%ghost /boot/grub2-efi
%{_sbindir}/grub2-efi-install
%{_sbindir}/grub2-efi-mkconfig
%{_sbindir}/grub2-efi-set-default
%{_bindir}/grub2-efi-editenv
-%dir %{_libdir}/%{name}/%{grubefiarch}/
+
+%files %{grubefiarch}
+%defattr(-,root,root,-)
+%dir /boot/efi
+%dir /boot/efi/EFI
+%dir /boot/efi/EFI/%{efidir}
+%attr(0755,root,root)/boot/efi/EFI/%{efidir}/grub.efi
+%dir %{_libdir}/%{name}/%{grubefiarch}
%{_libdir}/%{name}/%{grubefiarch}/*.img
%{_libdir}/%{name}/%{grubefiarch}/*.lst
%{_libdir}/%{name}/%{grubefiarch}/*.mod
@@ -517,5 +615,3 @@
%{_libdir}/%{name}/%{grubefiarch}/kernel.exec
%{_libdir}/%{name}/%{grubefiarch}/modinfo.sh
%endif
-
-%changelog
++++++ Makefile.core.am ++++++
--- /var/tmp/diff_new_pack.YyeckE/_old 2012-11-28 10:34:08.000000000 +0100
+++ /var/tmp/diff_new_pack.YyeckE/_new 2012-11-28 10:34:08.000000000 +0100
@@ -37479,6 +37479,28 @@
grep 'MARKER' $@.new > $@; rm -f $@.new
endif
+if COND_x86_64_efi
+platform_PROGRAMS += linuxefi.module
+MODULE_FILES += linuxefi.module$(EXEEXT)
+linuxefi_module_SOURCES = loader/i386/efi/linux.c lib/cmdline.c ## platform sources
+nodist_linuxefi_module_SOURCES = ## platform nodist sources
+linuxefi_module_LDADD =
+linuxefi_module_CFLAGS = $(AM_CFLAGS) $(CFLAGS_MODULE)
+linuxefi_module_LDFLAGS = $(AM_LDFLAGS) $(LDFLAGS_MODULE)
+linuxefi_module_CPPFLAGS = $(AM_CPPFLAGS) $(CPPFLAGS_MODULE)
+linuxefi_module_CCASFLAGS = $(AM_CCASFLAGS) $(CCASFLAGS_MODULE)
+EXTRA_DIST +=
+BUILT_SOURCES += $(nodist_linuxefi_module_SOURCES)
+CLEANFILES += $(nodist_linuxefi_module_SOURCES)
+MOD_FILES += linuxefi.mod
+MARKER_FILES += linuxefi.marker
+CLEANFILES += linuxefi.marker
+
+linuxefi.marker: $(linuxefi_module_SOURCES) $(nodist_linuxefi_module_SOURCES)
+ $(TARGET_CPP) -DGRUB_LST_GENERATOR $(CPPFLAGS_MARKER) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(linuxefi_module_CPPFLAGS) $(CPPFLAGS) $^ > $@.new || (rm -f $@; exit 1)
+ grep 'MARKER' $@.new > $@; rm -f $@.new
+endif
+
if COND_i386_pc
platform_PROGRAMS += chain.module
MODULE_FILES += chain.module$(EXEEXT)
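Review bot: This block is inserted at line 37479 of Makefile.core.am and follows the same template as the generated module stanzas around it, which suggests the generated file is being replaced rather than its input; if the file is regenerated from Makefile.core.def during the build or on the next version bump, the linuxefi stanza is lost. Adding the module to the definition file inside grub2-secureboot-add-linuxefi.patch would keep it in one place. The stanza is also limited to COND_x86_64_efi, which matches the "%ifarch x86_64" choice of linuxefi in the spec; a comment stating that i386-efi intentionally stays on the linux module would make that explicit.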
++++++ grub2-secureboot-add-linuxefi.patch ++++++
From: Matthew Garrett
From 7a65d7b558974c89f19afaf0d78b54dc0327f56c Mon Sep 17 00:00:00 2001
From: Matthew Garrett
Date: Wed, 15 Aug 2012 09:53:05 -0400
Subject: [PATCH] Don't permit insmod on secure boot
References: fate#314485
Patch-Mainline: no
Signed-off-by: Michael Chang
From 795ac61cba9674376d745813efdab395e35cff41 Mon Sep 17 00:00:00 2001
From: Michael Chang
Date: Mon, 26 Nov 2012 15:38:54 +0800
Subject: [PATCH] provide option in config to enable linuxefi
References: fate#314485 Patch-Mainline: no As linuxefi module requires kernel 3.6 or later which supports EFI handover protocol, it may not be able to load kernels without that supports in place. In case that things would break, and the linuxefi is really too young to take over the position of "linux" kernel loader module, we introduce a option GRUB_USE_LINUXEFI in the config and only explicit set it to true will enable it. Example usage is GRUB_USE_LINUXEFI=true grub2-mkconfig -o /boot/efi/EFI/opensuse/grub.cfg This will output a grub.cfg which uses linuxefi in replace of linux and enable verification of kernel signature if in secureboot enabled and has shim exported protocols available. --- util/grub-mkconfig.in | 3 ++- util/grub.d/10_linux.in | 4 ++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in index d789fcc..6555944 100644 --- a/util/grub-mkconfig.in +++ b/util/grub-mkconfig.in @@ -244,7 +244,8 @@ export GRUB_DEFAULT \ GRUB_SAVEDEFAULT \ GRUB_ENABLE_CRYPTODISK \ GRUB_BADRAM \ - GRUB_CMDLINE_LINUX_RECOVERY + GRUB_CMDLINE_LINUX_RECOVERY \ + GRUB_USE_LINUXEFI if test "x${grub_cfg}" != "x"; then rm -f "${grub_cfg}.new" diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in index 807a0db..b2f65c0 100644 --- a/util/grub.d/10_linux.in +++ b/util/grub.d/10_linux.in @@ -133,7 +133,7 @@ linux_entry () printf '%s\n' "${prepare_boot_cache}" | sed "s/^/$submenu_indentation/" fi message="$(gettext_printf "Loading Linux %s ..." ${version})" - if [ -d /sys/firmware/efi ]; then + if [ -d /sys/firmware/efi ] && [ "x${GRUB_USE_LINUXEFI}" = "xtrue" ]; then sed "s/^/$submenu_indentation/" << EOF echo '$message' linuxefi ${rel_dirname}/${basename} root=${linux_root_device_thisversion} ro ${args} 
@@ -147,7 +147,7 @@ EOF if test -n "${initrd}" ; then # TRANSLATORS: ramdisk isn't identifier. Should be translated. message="$(gettext_printf "Loading initial ramdisk ...")" - if [ -d /sys/firmware/efi ]; then + if [ -d /sys/firmware/efi ] && [ "x${GRUB_USE_LINUXEFI}" = "xtrue" ]; then sed "s/^/$submenu_indentation/" << EOF echo '$message' initrdefi ${rel_dirname}/${initrd} -- 1.7.3.4 ++++++ grub2-secureboot-use-linuxefi-on-uefi.patch ++++++
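Review bot: On grub2-secureboot-provide-linuxefi-config.patch, both 10_linux.in hunks make linuxefi/initrdefi opt-in via GRUB_USE_LINUXEFI, but the default (variable unset) now generates "linux" and "initrd" entries, and the spec in this same commit builds the x86_64 grub.efi with linuxefi instead of linux while the changelog says insmod is refused under secure boot. With the default config the built-in image therefore has no loader for those entries in secure boot mode; the requirement to set GRUB_USE_LINUXEFI=true for a secure boot setup should be documented where users will see it (the diffstat touches only grub-mkconfig.in and 10_linux.in, so no documentation or default config entry is added). Two further points: the "[ -d /sys/firmware/efi ]" test is evaluated on the machine running grub2-mkconfig, not at boot, and the example in the commit message writes to /boot/efi/EFI/opensuse/grub.cfg although the spec now parameterises that directory as %{efidir}.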
From 151b1691fe0cf885df101c6e6a7cb1defc50428b Mon Sep 17 00:00:00 2001
From: Peter Jones
Date: Mon, 16 Jul 2012 18:57:11 -0400
Subject: [PATCH] Use "linuxefi" and "initrdefi" where appropriate
References: fate#314485
Patch-Mainline: no
Signed-off-by: Michael Chang