commit:     7f808be26f24a5d938efb272e2d98cd5aa05ecda
Author:     Mike Gilbert <floppym <AT> gentoo <DOT> org>
AuthorDate: Wed Nov 16 00:29:40 2022 +0000
Commit:     Mike Gilbert <floppym <AT> gentoo <DOT> org>
CommitDate: Wed Nov 16 00:29:40 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7f808be2

sys-boot/grub: backport security fixes

Bug: https://bugs.gentoo.org/881413
Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org>

 sys-boot/grub/Manifest            |   1 +
 sys-boot/grub/grub-2.06-r4.ebuild | 330 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 331 insertions(+)

diff --git a/sys-boot/grub/Manifest b/sys-boot/grub/Manifest
index 1629358f341f..591e617ac3ca 100644
--- a/sys-boot/grub/Manifest
+++ b/sys-boot/grub/Manifest
@@ -1,4 +1,5 @@
 DIST dejavu-sans-ttf-2.37.zip 417746 BLAKE2B 
c8904f3cd5a49370a7dc10e456684c88aeae998a99090bf4d0a5baa4f36cc8fb8f70586cf6d610a5ffeee97261d28c80f55bbe9dcfc3ed796d5c2d60e79adb58
 SHA512 
ede5899daa1984c5aa8cacb1c850eb53f189dddef3d9bb78bf9774d8976b7c0d6eb0bcf86237cd7d11f5b36cf5b5058d42cd94d3bd76f2bd0931c7ceb1271fae
 DIST grub-2.06-backports-r1.tar.xz 31900 BLAKE2B 
d8320eff8cebc408b7c4845d17adf82470407fd3837ab8508703f0f3b2bf5271d6ea8ec2cdf57461e77dd9b69458e9a9d197b533029df3637aad3656b2968b65
 SHA512 
2487a305ca3f969ed735df0ef181cc7caceffcfaf0126dbd8cceb19ce1062952404f0e5deeaa4f9431cafa94c40c2d57c77da17ea3da4ff62592e42e852b107a
+DIST grub-2.06-backports-r2.tar.xz 40416 BLAKE2B 
d9b4a8274a24aa35023eef7450bc4311045d0872250b1d11b1714b9daa32f7862fe1444b5b86db8b885a9f7b3af2459a5b2f87f0beaf4326a982fd96ec51d602
 SHA512 
99cf40b3d3d10cf6ba928ccc571c3a8baab217f650267fa7de4ba4ce807a895ff9414156647cc4dcb34bfbe48747a0c486bf60fee1c188a2dc89f26c2db3840f
 DIST grub-2.06.tar.xz 6581924 BLAKE2B 
2a40b9b03d7bb3b9e7b1309ab274d686f01b3c42e7035ebc6e5a0e59a59c3b7362ba518341664b314cb0dbc8222bb10ea05ce09f08ce9d58a293207cb909e417
 SHA512 
4f11c648f3078567e53fc0c74d5026fdc6da4be27d188975e79d9a4df817ade0fe5ad2ddd694238a07edc45adfa02943d83c57767dd51548102b375e529e8efe
 DIST unifont-12.1.02.pcf.gz 1335424 BLAKE2B 
97080312468e3f3c8aa6f49cef08f5622641e8c9c035f3ede1e09d8d98de4e78d3b23c8aba2e8070eb46cbebd2d55e8568e467d7f15f35aa8fc8db792b7e5f14
 SHA512 
b280b2db7cf5f480b0668c331130dede2c0cc87d5e02e44566b77787113d0f6604d0105522858288f2ac6b8e77df7a2d9878725013a6c778dc5bfb183156e2f0

diff --git a/sys-boot/grub/grub-2.06-r4.ebuild 
b/sys-boot/grub/grub-2.06-r4.ebuild
new file mode 100644
index 000000000000..1c1d4ba535b5
--- /dev/null
+++ b/sys-boot/grub/grub-2.06-r4.ebuild
@@ -0,0 +1,330 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+# This ebuild uses 3 special global variables:
+# GRUB_BOOTSTRAP: Depend on python and invoke bootstrap (gnulib).
+# GRUB_AUTOGEN: Depend on python and invoke the autogen.sh.
+# GRUB_AUTORECONF: Inherit autotools and invoke eautoreconf.
+#
+# When applying patches:
+# If gnulib is updated, set GRUB_BOOTSTRAP=1
+# If *.def is updated, set GRUB_AUTOGEN=1
+# If gnulib, *.def, or any autotools files are updated, set GRUB_AUTORECONF=1
+#
+# If any of the above applies to a user patch, the user should set the
+# corresponding variable in make.conf or the environment.
+
+if [[ ${PV} == 9999  ]]; then
+       GRUB_BOOTSTRAP=1
+fi
+
+GRUB_AUTORECONF=1
+PYTHON_COMPAT=( python3_{8..11} )
+WANT_LIBTOOL=none
+
+if [[ -n ${GRUB_AUTOGEN} || -n ${GRUB_BOOTSTRAP} ]]; then
+       inherit python-any-r1
+fi
+
+if [[ -n ${GRUB_AUTORECONF} ]]; then
+       inherit autotools
+fi
+
+inherit bash-completion-r1 flag-o-matic multibuild optfeature toolchain-funcs
+
+if [[ ${PV} != 9999 ]]; then
+       if [[ ${PV} == *_alpha* || ${PV} == *_beta* || ${PV} == *_rc* ]]; then
+               # The quote style is to work with <=bash-4.2 and >=bash-4.3 
#503860
+               MY_P=${P/_/'~'}
+               SRC_URI="https://alpha.gnu.org/gnu/${PN}/${MY_P}.tar.xz";
+               S=${WORKDIR}/${MY_P}
+       else
+               SRC_URI="mirror://gnu/${PN}/${P}.tar.xz"
+               S=${WORKDIR}/${P%_*}
+       fi
+       KEYWORDS="~amd64 ~arm ~arm64 ~ia64 ~ppc ~ppc64 ~riscv ~sparc ~x86"
+else
+       inherit git-r3
+       EGIT_REPO_URI="https://git.savannah.gnu.org/git/grub.git";
+fi
+
+SRC_URI+=" https://dev.gentoo.org/~floppym/dist/grub-2.06-backports-r2.tar.xz";
+
+PATCHES=(
+       "${WORKDIR}/${P}-backports"
+       "${FILESDIR}"/gfxpayload.patch
+       "${FILESDIR}"/grub-2.02_beta2-KERNEL_GLOBS.patch
+       "${FILESDIR}"/grub-2.06-test-words.patch
+       "${FILESDIR}"/grub-2.06-grub-mkconfig-restore-umask.patch
+)
+
+DEJAVU=dejavu-sans-ttf-2.37
+UNIFONT=unifont-12.1.02
+SRC_URI+=" fonts? ( mirror://gnu/unifont/${UNIFONT}/${UNIFONT}.pcf.gz )
+       themes? ( mirror://sourceforge/dejavu/${DEJAVU}.zip )"
+
+DESCRIPTION="GNU GRUB boot loader"
+HOMEPAGE="https://www.gnu.org/software/grub/";
+
+# Includes licenses for dejavu and unifont
+LICENSE="GPL-3+ BSD MIT fonts? ( GPL-2-with-font-exception ) themes? ( 
CC-BY-SA-3.0 BitstreamVera )"
+SLOT="2/${PVR}"
+IUSE="device-mapper doc efiemu +fonts mount nls sdl test +themes truetype 
libzfs"
+
+GRUB_ALL_PLATFORMS=( coreboot efi-32 efi-64 emu ieee1275 loongson multiboot 
qemu qemu-mips pc uboot xen xen-32 xen-pvh )
+IUSE+=" ${GRUB_ALL_PLATFORMS[@]/#/grub_platforms_}"
+
+REQUIRED_USE="
+       grub_platforms_coreboot? ( fonts )
+       grub_platforms_qemu? ( fonts )
+       grub_platforms_ieee1275? ( fonts )
+       grub_platforms_loongson? ( fonts )
+"
+
+BDEPEND="
+       ${PYTHON_DEPS}
+       sys-devel/flex
+       sys-devel/bison
+       sys-apps/help2man
+       sys-apps/texinfo
+       fonts? (
+               media-libs/freetype:2
+               virtual/pkgconfig
+       )
+       test? (
+               app-admin/genromfs
+               app-arch/cpio
+               app-arch/lzop
+               app-emulation/qemu
+               dev-libs/libisoburn
+               sys-apps/miscfiles
+               sys-block/parted
+               sys-fs/squashfs-tools
+       )
+       themes? (
+               app-arch/unzip
+               media-libs/freetype:2
+               virtual/pkgconfig
+       )
+       truetype? ( virtual/pkgconfig )
+"
+DEPEND="
+       app-arch/xz-utils
+       >=sys-libs/ncurses-5.2-r5:0=
+       grub_platforms_emu? (
+               sdl? ( media-libs/libsdl )
+       )
+       device-mapper? ( >=sys-fs/lvm2-2.02.45 )
+       libzfs? ( sys-fs/zfs:= )
+       mount? ( sys-fs/fuse:0 )
+       truetype? ( media-libs/freetype:2= )
+       ppc? ( >=sys-apps/ibm-powerpc-utils-1.3.5 )
+       ppc64? ( >=sys-apps/ibm-powerpc-utils-1.3.5 )
+"
+RDEPEND="${DEPEND}
+       kernel_linux? (
+               grub_platforms_efi-32? ( sys-boot/efibootmgr )
+               grub_platforms_efi-64? ( sys-boot/efibootmgr )
+       )
+       !sys-boot/grub:0
+       nls? ( sys-devel/gettext )
+"
+
+RESTRICT="!test? ( test )"
+
+QA_EXECSTACK="usr/bin/grub-emu* usr/lib/grub/*"
+QA_PRESTRIPPED="usr/lib/grub/.*"
+QA_MULTILIB_PATHS="usr/lib/grub/.*"
+QA_WX_LOAD="usr/lib/grub/*"
+
+pkg_setup() {
+       :
+}
+
+src_unpack() {
+       if [[ ${PV} == 9999 ]]; then
+               git-r3_src_unpack
+               pushd "${P}" >/dev/null || die
+               local GNULIB_URI="https://git.savannah.gnu.org/git/gnulib.git";
+               local GNULIB_REVISION=$(source bootstrap.conf >/dev/null; echo 
"${GNULIB_REVISION}")
+               git-r3_fetch "${GNULIB_URI}" "${GNULIB_REVISION}"
+               git-r3_checkout "${GNULIB_URI}" gnulib
+               popd >/dev/null || die
+       fi
+       default
+}
+
+src_prepare() {
+       default
+
+       sed -i -e /autoreconf/d autogen.sh || die
+
+       if [[ -n ${GRUB_AUTOGEN} || -n ${GRUB_BOOTSTRAP} ]]; then
+               python_setup
+       else
+               export PYTHON=true
+       fi
+
+       if [[ -n ${GRUB_BOOTSTRAP} ]]; then
+               eautopoint --force
+               AUTOPOINT=: AUTORECONF=: ./bootstrap || die
+       elif [[ -n ${GRUB_AUTOGEN} ]]; then
+               ./autogen.sh || die
+       fi
+
+       if [[ -n ${GRUB_AUTORECONF} ]]; then
+               eautoreconf
+       fi
+}
+
+grub_do() {
+       multibuild_foreach_variant run_in_build_dir "$@"
+}
+
+grub_do_once() {
+       multibuild_for_best_variant run_in_build_dir "$@"
+}
+
+grub_configure() {
+       local platform
+
+       case ${MULTIBUILD_VARIANT} in
+               efi*) platform=efi ;;
+               xen-pvh) platform=xen_pvh ;;
+               xen*) platform=xen ;;
+               guessed) ;;
+               *) platform=${MULTIBUILD_VARIANT} ;;
+       esac
+
+       case ${MULTIBUILD_VARIANT} in
+               *-32)
+                       if [[ ${CTARGET:-${CHOST}} == x86_64* ]]; then
+                               local CTARGET=i386
+                       fi ;;
+               *-64)
+                       if [[ ${CTARGET:-${CHOST}} == i?86* ]]; then
+                               local CTARGET=x86_64
+                               local -x TARGET_CFLAGS="-Os -march=x86-64 
${TARGET_CFLAGS}"
+                               local -x TARGET_CPPFLAGS="-march=x86-64 
${TARGET_CPPFLAGS}"
+                       fi ;;
+       esac
+
+       local myeconfargs=(
+               --disable-werror
+               --program-prefix=
+               --libdir="${EPREFIX}"/usr/lib
+               $(use_enable device-mapper)
+               $(use_enable mount grub-mount)
+               $(use_enable nls)
+               $(use_enable themes grub-themes)
+               $(use_enable truetype grub-mkfont)
+               $(use_enable libzfs)
+               $(use_enable sdl grub-emu-sdl)
+               ${platform:+--with-platform=}${platform}
+
+               # Let configure detect this where supported
+               $(usex efiemu '' '--disable-efiemu')
+       )
+
+       if use fonts; then
+               ln -rs "${WORKDIR}/${UNIFONT}.pcf" unifont.pcf || die
+       fi
+
+       if use themes; then
+               ln -rs "${WORKDIR}/${DEJAVU}/ttf/DejaVuSans.ttf" DejaVuSans.ttf 
|| die
+       fi
+
+       local ECONF_SOURCE="${S}"
+       econf "${myeconfargs[@]}"
+}
+
+src_configure() {
+       # Bug 508758.
+       replace-flags -O3 -O2
+
+       # Workaround for bug 829165.
+       filter-ldflags -pie
+
+       # We don't want to leak flags onto boot code.
+       export HOST_CCASFLAGS=${CCASFLAGS}
+       export HOST_CFLAGS=${CFLAGS}
+       export HOST_CPPFLAGS=${CPPFLAGS}
+       export HOST_LDFLAGS=${LDFLAGS}
+       unset CCASFLAGS CFLAGS CPPFLAGS LDFLAGS
+
+       tc-ld-disable-gold #439082 #466536 #526348
+       export TARGET_LDFLAGS="${TARGET_LDFLAGS} ${LDFLAGS}"
+       unset LDFLAGS
+
+       tc-export CC NM OBJCOPY RANLIB STRIP
+       tc-export BUILD_CC BUILD_PKG_CONFIG
+
+       MULTIBUILD_VARIANTS=()
+       local p
+       for p in "${GRUB_ALL_PLATFORMS[@]}"; do
+               use "grub_platforms_${p}" && MULTIBUILD_VARIANTS+=( "${p}" )
+       done
+       [[ ${#MULTIBUILD_VARIANTS[@]} -eq 0 ]] && MULTIBUILD_VARIANTS=( guessed 
)
+       grub_do grub_configure
+}
+
+src_compile() {
+       # Sandbox bug 404013.
+       use libzfs && addpredict /etc/dfs:/dev/zfs
+
+       grub_do emake
+       use doc && grub_do_once emake -C docs html
+}
+
+src_test() {
+       # The qemu dependency is a bit complex.
+       # You will need to adjust QEMU_SOFTMMU_TARGETS to match the 
cpu/platform.
+       grub_do emake check
+}
+
+src_install() {
+       grub_do emake install DESTDIR="${D}" 
bashcompletiondir="$(get_bashcompdir)"
+       use doc && grub_do_once emake -C docs install-html DESTDIR="${D}"
+
+       einstalldocs
+
+       insinto /etc/default
+       newins "${FILESDIR}"/grub.default-3 grub
+
+       # https://bugs.gentoo.org/231935
+       dostrip -x /usr/lib/grub
+}
+
+pkg_postinst() {
+       elog "For information on how to configure GRUB2 please refer to the 
guide:"
+       elog "    https://wiki.gentoo.org/wiki/GRUB2_Quick_Start";
+
+       if [[ -n ${REPLACING_VERSIONS} ]]; then
+               local v
+               for v in ${REPLACING_VERSIONS}; do
+                       if ver_test -gt ${v}; then
+                               ewarn
+                               ewarn "Re-run grub-install to update installed 
boot code!"
+                               ewarn
+                               break
+                       fi
+               done
+       else
+               elog
+               optfeature "detecting other operating systems (grub-mkconfig)" 
sys-boot/os-prober
+               optfeature "creating rescue media (grub-mkrescue)" 
dev-libs/libisoburn
+               optfeature "enabling RAID device detection" sys-fs/mdadm
+       fi
+
+       if has_version 'sys-boot/grub:0'; then
+               elog "A migration guide for GRUB Legacy users is available:"
+               elog "    https://wiki.gentoo.org/wiki/GRUB2_Migration";
+       fi
+
+       if has_version sys-boot/os-prober; then
+               ewarn "Due to security concerns, os-prober is disabled by 
default."
+               ewarn "Set GRUB_DISABLE_OS_PROBER=false in /etc/default/grub to 
enable it."
+       fi
+}
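Review bot: The upgrade warning in pkg_postinst (the `ewarn "Re-run grub-install to update installed boot code!"` branch) does not say that this revision carries security fixes, so it reads the same as on any routine bump. As that warning implies, merging the package does not touch the boot code grub-install wrote earlier, so the backported fixes are not in effect at boot until grub-install is re-run. I would add a second line inside the same `ver_test -gt` branch, for example `ewarn "This revision backports security fixes (bug #881413); they take effect only after grub-install is re-run."`. A one-line comment above the `SRC_URI+=" https://dev.gentoo.org/~floppym/dist/grub-2.06-backports-r2.tar.xz"` assignment naming the same bug would also let an auditor tie the tarball pinned in the Manifest to the fixes it carries.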
