Hello community,

here is the log from the commit of package grub2 for openSUSE:Factory checked 
in at 2020-08-28 21:18:51
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/grub2 (Old)
 and      /work/SRC/openSUSE:Factory/.grub2.new.3399 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "grub2"

Fri Aug 28 21:18:51 2020 rev:226 rq:830141 version:2.04

Changes:
--------
--- /work/SRC/openSUSE:Factory/grub2/grub2.changes      2020-08-23 
09:21:21.278690946 +0200
+++ /work/SRC/openSUSE:Factory/.grub2.new.3399/grub2.changes    2020-08-28 
21:21:07.508317327 +0200
@@ -1,0 +2,13 @@
+Thu Aug 27 06:58:37 UTC 2020 - Michael Chang <[email protected]>
+
+- Fix verification requested but nobody cares error when loading external
+  module in secure boot off (bsc#1175766)
+  * 0001-shim_lock-Disable-GRUB_VERIFY_FLAGS_DEFER_AUTH-if-se.patch
+
+-------------------------------------------------------------------
+Sat Aug 22 02:41:49 UTC 2020 - Michael Chang <[email protected]>
+
+- Make consistent check to enable relative path on btrfs (bsc#1174567)
+  * 0001-Unify-the-check-to-enable-btrfs-relative-path.patch
+
+-------------------------------------------------------------------

New:
----
  0001-Unify-the-check-to-enable-btrfs-relative-path.patch
  0001-shim_lock-Disable-GRUB_VERIFY_FLAGS_DEFER_AUTH-if-se.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ grub2.spec ++++++
--- /var/tmp/diff_new_pack.7pPVQU/_old  2020-08-28 21:21:09.680318381 +0200
+++ /var/tmp/diff_new_pack.7pPVQU/_new  2020-08-28 21:21:09.684318383 +0200
@@ -329,6 +329,8 @@
 # takes 45 minutes after grub to start loading kernel
 Patch717:       0001-ieee1275-powerpc-implements-fibre-channel-discovery-.patch
 Patch718:       0002-ieee1275-powerpc-enables-device-mapper-discovery.patch
+Patch719:       0001-Unify-the-check-to-enable-btrfs-relative-path.patch
+Patch720:       0001-shim_lock-Disable-GRUB_VERIFY_FLAGS_DEFER_AUTH-if-se.patch
 
 Requires:       gettext-runtime
 %if 0%{?suse_version} >= 1140
@@ -649,6 +651,8 @@
 %patch716 -p1
 %patch717 -p1
 %patch718 -p1
+%patch719 -p1
+%patch720 -p1
 
 %build
 # collect evidence to debug spurious build failure on SLE15

++++++ 0001-Unify-the-check-to-enable-btrfs-relative-path.patch ++++++
>From 80bb1b17b3f596dbd7331cf9cb20a46c8ef9800b Mon Sep 17 00:00:00 2001
From: Michael Chang <[email protected]>
Date: Sat, 22 Aug 2020 02:32:43 +0800
Subject: [PATCH] Unify the check to enable btrfs relative path

This unified the test in grub-install and grub-mkconfig that the path to
default or selected btrfs subvolume/snapshot is used if the root file
system is btrfs and the config has enabled btrfs snapshot booting.

Signed-off-by: Michael Chang <[email protected]>
---
 util/grub-install.c       | 67 +++++++++++++++++++++++++++------------
 util/grub-mkconfig_lib.in |  3 +-
 2 files changed, 48 insertions(+), 22 deletions(-)

diff --git a/util/grub-install.c b/util/grub-install.c
index 746a42a04..8d18f2530 100644
--- a/util/grub-install.c
+++ b/util/grub-install.c
@@ -870,6 +870,7 @@ main (int argc, char *argv[])
   const char *efi_file = NULL;
   char **grub_devices;
   grub_fs_t grub_fs;
+  grub_fs_t root_fs;
   grub_device_t grub_dev = NULL;
   enum grub_install_plat platform;
   char *grubdir, *device_map;
@@ -882,6 +883,8 @@ main (int argc, char *argv[])
   int efidir_is_mac = 0;
   int is_prep = 0;
   const char *pkgdatadir;
+  char *rootdir_path;
+  char **rootdir_devices;
 
   grub_util_host_init (&argc, &argv);
   product_version = xstrdup (PACKAGE_VERSION);
@@ -895,9 +898,6 @@ main (int argc, char *argv[])
 
   grub_util_load_config (&config);
 
-  if (config.is_suse_btrfs_snapshot_enabled)
-    use_relative_path_on_btrfs = 1;
-
   if (!bootloader_id && config.grub_distributor)
     {
       char *ptr;
@@ -1046,6 +1046,45 @@ main (int argc, char *argv[])
   grub_hostfs_init ();
   grub_host_init ();
 
+  {
+    char *rootdir_grub_devname;
+    grub_device_t rootdir_grub_dev;
+    char *t = grub_util_path_concat (2, "/", rootdir);
+
+    rootdir_path = grub_canonicalize_file_name (t);
+    if (!rootdir_path)
+      grub_util_error (_("failed to get canonical path of `%s'"), t);
+
+    rootdir_devices = grub_guess_root_devices (rootdir_path);
+    if (!rootdir_devices || !rootdir_devices[0])
+      grub_util_error (_("cannot find a device for %s (is /dev mounted?)"),
+                     rootdir_path);
+
+    for (curdev = rootdir_devices; *curdev; curdev++)
+       grub_util_pull_device (*curdev);
+
+    rootdir_grub_devname = grub_util_get_grub_dev (rootdir_devices[0]);
+    if (!rootdir_grub_devname)
+      grub_util_error (_("cannot find a GRUB drive for %s.  Check your 
device.map"),
+                      rootdir_devices[0]);
+
+    rootdir_grub_dev = grub_device_open (rootdir_grub_devname);
+    if (! rootdir_grub_dev)
+      grub_util_error ("%s", grub_errmsg);
+
+    root_fs = grub_fs_probe (rootdir_grub_dev);
+    if (!root_fs)
+      grub_util_error ("%s", grub_errmsg);
+
+    if (config.is_suse_btrfs_snapshot_enabled
+       && grub_strncmp(root_fs->name, "btrfs", sizeof ("btrfs") - 1) == 0)
+      use_relative_path_on_btrfs = 1;
+
+    free (t);
+    free (rootdir_grub_devname);
+    grub_device_close (rootdir_grub_dev);
+  }
+
   switch (platform)
     {
     case GRUB_INSTALL_PLATFORM_I386_EFI:
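Review bot: The root-device probe in this added block runs on every install and each step ends in `grub_util_error`, so a `rootdir` whose device has no GRUB drive or no recognisable filesystem now aborts grub-install even when `config.is_suse_btrfs_snapshot_enabled` is off. As far as the visible hunks show, the result is not used in that case. The removed code did this lookup only inside the btrfs branch and tolerated a failed lookup; consider wrapping the block in `if (config.is_suse_btrfs_snapshot_enabled)` and initialising `rootdir_path` and `rootdir_devices` to `NULL` at their declarations. The `grub_strncmp` on `root_fs->name` compares only the first five characters, so any filesystem name beginning with `btrfs` would match; `grub_strcmp (root_fs->name, "btrfs") == 0` states the intent exactly. `rootdir_path` and `rootdir_devices` are also no longer freed, because the last grub-install.c hunk drops the frees; a comment at their declarations should say they are kept for the later `#ifdef __linux__` block. main() starts and ends outside this hunk.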
@@ -1410,8 +1449,7 @@ main (int argc, char *argv[])
              debug_image);
     }
 
-  if (config.is_suse_btrfs_snapshot_enabled
-      && grub_strncmp(grub_fs->name, "btrfs", sizeof ("btrfs") - 1) == 0)
+  if (use_relative_path_on_btrfs)
     {
       if (!load_cfg_f)
         load_cfg_f = grub_util_fopen (load_cfg, "wb");
@@ -1624,21 +1662,13 @@ main (int argc, char *argv[])
 
 #ifdef __linux__
 
-  if (config.is_suse_btrfs_snapshot_enabled
-      && grub_strncmp(grub_fs->name, "btrfs", sizeof ("btrfs") - 1) == 0)
+  if (use_relative_path_on_btrfs)
     {
       char *subvol = NULL;
       char *mount_path = NULL;
-      char **rootdir_devices = NULL;
-      char *t = grub_util_path_concat (2, "/", rootdir);
-      char *rootdir_path = grub_canonicalize_file_name (t);
-
-      if (rootdir_path && grub_util_is_directory (rootdir_path))
-       rootdir_devices = grub_guess_root_devices (rootdir_path);
 
-      if (rootdir_devices && rootdir_devices[0])
-       if (grub_strcmp (rootdir_devices[0], grub_devices[0]) == 0)
-         subvol = grub_util_get_btrfs_subvol (platdir, &mount_path);
+      if (grub_strcmp (rootdir_devices[0], grub_devices[0]) == 0)
+       subvol = grub_util_get_btrfs_subvol (platdir, &mount_path);
 
       if (subvol && mount_path)
        {
@@ -1663,11 +1693,6 @@ main (int argc, char *argv[])
            }
        }
 
-      free (t);
-      free (rootdir_path);
-      for (curdev = rootdir_devices; *curdev; curdev++)
-       free (*curdev);
-      free (rootdir_devices);
       free (subvol);
       free (mount_path);
     }
diff --git a/util/grub-mkconfig_lib.in b/util/grub-mkconfig_lib.in
index 023f54a2d..eab46773b 100644
--- a/util/grub-mkconfig_lib.in
+++ b/util/grub-mkconfig_lib.in
@@ -49,7 +49,8 @@ grub_warn ()
 
 make_system_path_relative_to_its_root ()
 {
-  if [ "x${SUSE_BTRFS_SNAPSHOT_BOOTING}" = "xtrue" ] ; then
+  if [ "x${SUSE_BTRFS_SNAPSHOT_BOOTING}" = "xtrue" ] &&
+     [ "x${GRUB_FS}" = "xbtrfs" ] ; then
   "${grub_mkrelpath}" -r "$1"
   else
   "${grub_mkrelpath}" "$1"
-- 
2.28.0

++++++ 0001-shim_lock-Disable-GRUB_VERIFY_FLAGS_DEFER_AUTH-if-se.patch ++++++
>From a60cfeacdeefb21215d35c4cad025e57de900352 Mon Sep 17 00:00:00 2001
From: Michael Chang <[email protected]>
Date: Thu, 27 Aug 2020 13:18:25 +0800
Subject: [PATCH] shim_lock: Disable GRUB_VERIFY_FLAGS_DEFER_AUTH if secure
 boot off

The GRUB_VERIFY_FLAGS_DEFER_AUTH is enabled regardless of the secure boot
status, which causes error [1] when loading external grub modules with
secure boot turned off. In that state the shim protocol itself does not
verify images, so it should not request verification of external modules
either.

This patch fixed the problem by adding the secure boot status check
before requesting other verifiers to verify external module, therefore
external module loading can work after shim_lock module loaded and
secure boot turned off.

[1] error: verification requested but nobody cares:
(hd0,gpt10)/boot/grub2/x86_64-efi/linux.mod.

Signed-off-by: Michael Chang <[email protected]>
---
 grub-core/commands/efi/shim_lock.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/grub-core/commands/efi/shim_lock.c 
b/grub-core/commands/efi/shim_lock.c
index 764098cfc..18d121297 100644
--- a/grub-core/commands/efi/shim_lock.c
+++ b/grub-core/commands/efi/shim_lock.c
@@ -82,7 +82,8 @@ shim_lock_init (grub_file_t io, enum grub_file_type type,
 
     case GRUB_FILE_TYPE_ACPI_TABLE:
     case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE:
-      *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;
+      if (grub_efi_secure_boot())
+       *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;
 
       return GRUB_ERR_NONE;
 
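Review bot: With secure boot off, this branch now returns `GRUB_ERR_NONE` without writing `*flags`, so the verifier framework acts on whatever value the caller left there, and that initialisation is not visible in this hunk. Writing the out-parameter on both paths keeps the relaxed case explicit and auditable, e.g. `else *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION;`, if that matches what the other non-verifying branches of shim_lock_init do. Since this line decides whether the file types listed in the case labels are held for authentication, it deserves a comment such as `/* Defer to other verifiers only while secure boot is enforced; shim verifies nothing otherwise. */`. It is also worth confirming that `grub_efi_secure_boot` reports enabled in every state where shim still enforces verification, because a false "off" silently drops the deferral. On style, GNU formatting used in the rest of the file puts a space before the call parentheses: `grub_efi_secure_boot ()`. The body of shim_lock_init starts and ends outside this hunk.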
-- 
2.26.2



