Hello community, here is the log from the commit of package grub2 for openSUSE:Leap:15.2 checked in at 2020-03-15 07:11:02 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Leap:15.2/grub2 (Old) and /work/SRC/openSUSE:Leap:15.2/.grub2.new.3160 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "grub2" Sun Mar 15 07:11:02 2020 rev:79 rq:783544 version:2.04 Changes: -------- --- /work/SRC/openSUSE:Leap:15.2/grub2/grub2.changes 2020-02-27 06:40:47.685521054 +0100 +++ /work/SRC/openSUSE:Leap:15.2/.grub2.new.3160/grub2.changes 2020-03-15 07:11:14.928959318 +0100 @@ -1,0 +2,6 @@ +Fri Feb 28 16:36:57 UTC 2020 - [email protected] + +- Add secure boot support for s390x. (jsc#SLE-9425) + * grub2-s390x-11-secureboot.patch + +------------------------------------------------------------------- New: ---- grub2-s390x-11-secureboot.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ grub2.spec ++++++ --- /var/tmp/diff_new_pack.1rsqvZ/_old 2020-03-15 07:11:16.300960139 +0100 +++ /var/tmp/diff_new_pack.1rsqvZ/_new 2020-03-15 07:11:16.304960142 +0100 @@ -279,6 +279,7 @@ # and/or use fallback entry if default kernel entry removed (bsc#1065349) Patch430: grub2-mkconfig-default-entry-correction.patch Patch431: grub2-s390x-10-keep-network-at-kexec.patch +Patch432: grub2-s390x-11-secureboot.patch # Support for UEFI Secure Boot on AArch64 (FATE#326541) Patch450: grub2-secureboot-install-signed-grub.patch Patch501: grub2-btrfs-help-on-snapper-rollback.patch @@ -553,6 +554,7 @@ %patch421 -p1 %patch430 -p1 %patch431 -p1 +%patch432 -p1 %patch450 -p1 %patch501 -p1 %patch510 -p1 ++++++ grub2-s390x-11-secureboot.patch ++++++ --- grub-core/loader/emu/linux.c | 4 ++-- util/s390x/dracut-grub2.sh.in | 14 ++++++++++++-- util/s390x/zipl2grub.conf.in | 1 + util/s390x/zipl2grub.pl.in | 31 ++++++++++++++++++++++--------- 4 files changed, 37 insertions(+), 13 deletions(-) --- a/grub-core/loader/emu/linux.c +++ b/grub-core/loader/emu/linux.c 
@@ -38,7 +38,7 @@ grub_linux_boot (void) { grub_err_t rc = GRUB_ERR_NONE; char *initrd_param; - const char *kexec[] = { "kexec", "-l", kernel_path, boot_cmdline, NULL, NULL }; + const char *kexec[] = { "kexec", "-la", kernel_path, boot_cmdline, NULL, NULL }; const char *systemctl[] = { "systemctl", "kexec", NULL }; int kexecute = grub_util_get_kexecute(); @@ -51,7 +51,7 @@ grub_linux_boot (void) //return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("initrd required!")); } - grub_printf("%serforming 'kexec -l %s %s %s'\n", + grub_printf("%serforming 'kexec -la %s %s %s'\n", (kexecute) ? "P" : "Not p", kernel_path, initrd_param, boot_cmdline); --- a/util/s390x/dracut-grub2.sh.in +++ b/util/s390x/dracut-grub2.sh.in @@ -18,6 +18,9 @@ if getargbool 0 initgrub && [ ! -e /grub done < /proc/mounts echo $rofs } + checkcat() { + [ -r $1 ] && cat $1 + } checkd() { [ -d $1 ] && echo true || echo false } @@ -63,6 +66,7 @@ if getargbool 0 initgrub && [ ! -e /grub export grub2bootfs=$(checkboot) export grub2devfs=$(checkd /sysroot/dev/disk) export grub2snap=$(checksnap) + export grub2secure=$(checkcat /sys/firmware/ipl/secure) debug "" export -p _ctty="$(RD_DEBUG= getarg rd.ctty=)" && _ctty="/dev/${_ctty##*/}" @@ -93,7 +97,7 @@ if getargbool 0 initgrub && [ ! -e /grub debug "Trying grub2-emu (ro=$grub2rofs, TERM=$TERM, ctty=$_ctty)..." setsid $CTTY -- chroot /sysroot $bindir/grub2-emu -X -X 0<>$_ctty 1>&0 2>&0 - if [ -x /sysroot@libdir@/grub2/zipl-refresh ]; then + if [ "$grub2secure" != 1 ]&&[ -x /sysroot@libdir@/grub2/zipl-refresh ]; then setsid $CTTY -- /sysroot@libdir@/grub2/zipl-refresh 0<>$_ctty 1>&0 2>&0 if [ $? != 0 ]; then warn "Not continuing" 
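Review bot: The `-a` added to the kexec argv in grub_linux_boot (@@ -38) is, as far as I read the kexec-tools options, the automatic mode that tries kexec_file_load first and falls back to plain kexec_load. The signature check on the target kernel therefore holds only if the running kernel itself refuses that fallback. Please state the intended contract above the array, e.g. `/* -a: prefer kexec_file_load (signature-checked), fall back to kexec_load if unsupported */`. If secure IPL is meant to be strict, consider passing `-s` instead when secure boot is detected. The flag is also hard-coded a second time in the printf of @@ -51, so the two can drift apart; the function body continues outside both hunks.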
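Review bot: `checkcat` in the @@ -18 hunk expands `$1` unquoted and prints nothing when /sys/firmware/ipl/secure is missing or unreadable. In that case `grub2secure` (exported in @@ -63) is empty, and the `[ "$grub2secure" != 1 ]` test in @@ -93 treats the system as not secure-booted. Quote the argument, `[ -r "$1" ] && cat "$1"`, and document the fallback next to the export, e.g. `# empty if the kernel exposes no ipl/secure attribute; handled as secure boot off`. The enclosing `if getargbool 0 initgrub` block starts and ends outside these hunks.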
@@ -103,12 +107,18 @@ if getargbool 0 initgrub && [ ! -e /grub sleep 3 reboot fi - else + elif [ "$grub2secure" != 1 ]; then echo " Attention: 'grub2' failed to start the target kernel and 'zipl-refresh' is not available. This should never happen. Please contact support." >& $_ctty warn "Not continuing" emergency_shell -n grub2-emu-kexec + else + echo " + Attention: 'grub2' failed to start the target kernel and secure boot seems + active. Automatic recovery not available. Please contact support." >& $_ctty + warn "Not continuing" + emergency_shell -n grub2-emu-kexec fi $grub2snap || umount /sysroot/.snapshots --- a/util/s390x/zipl2grub.conf.in +++ b/util/s390x/zipl2grub.conf.in @@ -45,6 +45,7 @@ defaultmenu = menu timeout = 60 default = 1 prompt = 0 + secure = @SUSE_SECURE_BOOT@ 1 = grub2 2 = skip-grub2 3 = grub2-mem1G --- a/util/s390x/zipl2grub.pl.in +++ b/util/s390x/zipl2grub.pl.in @@ -21,6 +21,7 @@ my $miss = 0; my $cfg = ""; my %fsdev = (); my %fstype = (); +my %SBL = (); # key/value of $sysconfbl my %C = ( GRUB_CMDLINE_LINUX_DEFAULT => "quiet splash=silent", @@ -251,6 +252,15 @@ if ( -r $default ) { } close( IN); } +if ( -r $sysconfbl ) { + open( IN, "< $sysconfbl") || die; + while ( <IN> ) { + next if ( m{^\s*#} ); + next unless ( m{^\s*([^=#\s]+)="(.*)"(?:\s*|\s+#.*)$} ); + $SBL{$1} = $2; + } + close( IN); +} if ( -r "/etc/fstab" ) { my $regex = qr{^(\S+)\s+(\S+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s*(?:#.*)?$}; open( IN, "< /etc/fstab") || die; 
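Review bot: The new final `else` in the @@ -103 hunk is reached only when `grub2secure` is 1, but nothing in the patch says why zipl-refresh is skipped under secure boot. Presumably the refresh path cannot produce a valid boot record in that mode; whatever the reason, it should be written down where the decision is made. A comment before the `elif`, such as `# secure boot: zipl-refresh is not attempted, so no automatic recovery is possible`, would make the three-way branch readable. The surrounding `if` chain begins outside this hunk.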
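Review bot: The added `$sysconfbl` reader in the @@ -251 hunk uses a two-argument `open` on a bareword handle and a bare `die`, so a failure reports neither the file nor `$!`. It mirrors the /etc/fstab block just below, but new code can use the three-argument form: `open( IN, '<', $sysconfbl) || die "$sysconfbl: $!\n";`. The regex also accepts only `KEY="value"`, so unquoted or single-quoted assignments are dropped without a message. That is worth a comment, because `SECURE_BOOT` is later read from `%SBL`, e.g. `# only double-quoted KEY="value" lines are recognised`.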
@@ -313,21 +323,21 @@ if ( ! exists( $C{GRUB_DEVICE}) ) { } } if ( $C{GRUB_CMDLINE_LINUX_DEFAULT} eq "quiet splash=silent" && - -r $sysconfbl) { - open( IN, "< $sysconfbl") || die; - while ( <IN> ) { - next if ( m{^\s*#} ); - if ( m{^DEFAULT_APPEND=".*"(?:\s*|\s+#.*)$} ) { - $C{GRUB_CMDLINE_LINUX_DEFAULT} = $1; - } - } - close( IN); + exists( $SBL{DEFAULT_APPEND}) ) { + $C{GRUB_CMDLINE_LINUX_DEFAULT} = $SBL{DEFAULT_APPEND}; } if ( ! exists( $C{GRUB_DEVICE})) { Panic( 0, "$C: Default not ready and no fallback. Please retry later!\n"); } +if ( !exists( $C{SUSE_SECURE_BOOT}) ) { + $C{SUSE_SECURE_BOOT} = "0"; + if ( exists( $SBL{SECURE_BOOT}) && $SBL{SECURE_BOOT} =~ m{^(yes|true|1)$} ) { + $C{SUSE_SECURE_BOOT} = "1"; + } +} + if ( ! exists( $C{GRUB_EMU_CONMODE}) && exists( $C{GRUB_CONMODE}) ) { # GRUB_CONMODE is used for 'grub2-emu' as well $C{GRUB_EMU_CONMODE} = $C{GRUB_CONMODE}; @@ -360,6 +370,9 @@ if ( $debug && $verbose > 2 ) { foreach ( sort( keys( %C)) ) { printf( "%s=\"%s\"\n", $_, $C{$_}); } + foreach ( sort( keys( %SBL)) ) { + printf( "SBL: %s=\"%s\"\n", $_, $SBL{$_}); + } } open( IN, "< $in") ||
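Review bot: In the @@ -313 hunk `SUSE_SECURE_BOOT` silently becomes "0" for any `SECURE_BOOT` value other than exactly `yes`, `true` or `1`. That covers `Yes`, a typo, or a line the `%SBL` parser skipped, so a misconfiguration turns the secure setting off without any trace. For a security switch, consider matching case-insensitively, `$SBL{SECURE_BOOT} =~ m{^(?:yes|true|1)$}i`, and warning when the key exists but holds an unrecognised value. The following @@ -360 hunk runs past the end of the visible text and is not reviewed here.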
