From 6160bcdff98b660191b5c78ab698827e30c5362f Mon Sep 17 00:00:00 2001 From: Carl George Date: Nov 08 2021 06:23:12 +0000 Subject: CentOS debranding and secureboot --- diff --git a/SOURCES/centos-ca-secureboot.der b/SOURCES/centos-ca-secureboot.der new file mode 100644 index 0000000..44a2563 Binary files /dev/null and b/SOURCES/centos-ca-secureboot.der differ diff --git a/SOURCES/centossecureboot001.der b/SOURCES/centossecureboot001.der new file mode 100644 index 0000000..e8216b1 Binary files /dev/null and b/SOURCES/centossecureboot001.der differ diff --git a/SOURCES/centossecureboot202.der b/SOURCES/centossecureboot202.der new file mode 100644 index 0000000..ab8213c Binary files /dev/null and b/SOURCES/centossecureboot202.der differ diff --git a/SOURCES/centossecurebootca2.der b/SOURCES/centossecurebootca2.der new file mode 100644 index 0000000..42bdfcf Binary files /dev/null and b/SOURCES/centossecurebootca2.der differ diff --git a/SOURCES/grub.macros b/SOURCES/grub.macros index 2eb014a..00cacce 100644 --- a/SOURCES/grub.macros +++ b/SOURCES/grub.macros @@ -114,16 +114,10 @@ %global efi_modules " efi_netfs efifwsetup efinet lsefi lsefimmap " %endif -%ifarch x86_64 %{ix86} -%global platform_modules " backtrace chain usb usbserial_common usbserial_pl2303 usbserial_ftdi usbserial_usbdebug keylayouts at_keyboard " -%endif - -%ifarch ppc64le -%global platform_modules " appendedsig " -%endif - %ifarch aarch64 %{arm} %global platform_modules " " +%else +%global platform_modules " backtrace chain usb usbserial_common usbserial_pl2303 usbserial_ftdi usbserial_usbdebug keylayouts at_keyboard " %endif 
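Review bot: With the `%ifarch ppc64le` branch removed, ppc64le now falls into the new `%else` of the `platform_modules` block and no longer gets `appendedsig`. The later hunks of this file also delete `ieee1275_mkimage`, `do_ieee1275_build_images` and the `%{grubelfname}` install and `%files` entries, and the grub2.spec hunks drop the ppc64le `sb_cer`/`sb_key` defines. `ExcludeArch` still leaves ppc64le as a build target, so as far as this patch shows the ppc64le core image would be produced without an appended signature or the module that checks one. If that is intended because no signing key exists for that architecture, record it next to the block, for example `# ppc64le: no appended-signature signing in this build, grub core image is unsigned`, so the loss of verification is a stated decision and not a side effect of the debranding.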
@@ -417,34 +411,6 @@ done \ %{nil} %endif -%ifarch ppc64le -%define ieee1275_mkimage() \ -APPENDED_SIG_SIZE=0 \ -if [ -x /usr/bin/rpm-sign ]; then \ - touch empty.unsigned \ - rpm-sign --key %{5} \\\ - --lkmsign empty.unsigned \\\ - --output empty.signed \ - APPENDED_SIG_SIZE="$(stat -c '%s' empty.signed)" \ - rm empty.{un,}signed \ -fi \ -# FIXME: using this prefix is fragile, must be done properly \ -./grub-mkimage -O %{1} -o %{2}.orig \\\ - -p '/grub2' -d grub-core \\\ - -x %{3} -x %{4} \\\ - --appended-signature-size ${APPENDED_SIG_SIZE} \\\ - ${GRUB_MODULES} \ -if [ -x /usr/bin/rpm-sign ]; then \ - truncate -s -${APPENDED_SIG_SIZE} %{2}.orig \ - rpm-sign --key %{5} \\\ - --lkmsign %{2}.orig \\\ - --output %{2} \ -else \ - mv %{2}.orig %{2} \ -fi \ -%{nil} -%endif - %define do_efi_build_images() \ GRUB_MODULES+=%{grub_modules} \ GRUB_MODULES+=%{efi_modules} \ @@ -452,14 +418,6 @@ GRUB_MODULES+=%{platform_modules} \ %{expand:%%{efi_mkimage %{1} %{2} %{3} %{4} %{5} %{6} %{7} %{8} %{9} %{10}}} \ %{nil} -%define do_ieee1275_build_images() \ -GRUB_MODULES+=%{grub_modules} \ -GRUB_MODULES+=%{platform_modules} \ -cd grub-%{1}-%{tarversion} \ -%{expand:%%ieee1275_mkimage %%{1} %%{2} %%{3} %%{4} %%{5}} \ -cd .. \ -%{nil} - %define do_primary_efi_build() \ cd grub-%{1}-%{tarversion} \ %{expand:%%do_efi_configure %%{4} %%{5} %%{6}} \ @@ -554,9 +512,6 @@ fi \ if [ -f $RPM_BUILD_ROOT%{_infodir}/grub-dev.info ]; then \ rm -f $RPM_BUILD_ROOT%{_infodir}/grub-dev.info \ fi \ -%{expand:%ifarch ppc64le \ - install -m 700 %{grubelfname} $RPM_BUILD_ROOT/%{_libdir}/grub/%{1} \ -%endif} \ ln -s ../boot/%{name}/grub.cfg \\\ ${RPM_BUILD_ROOT}%{_sysconfdir}/grub2.cfg \ if [ -f $RPM_BUILD_ROOT/%{_libdir}/grub/%{1}/grub2.chrp ]; then \ 
@@ -598,19 +553,12 @@ touch ${RPM_BUILD_ROOT}/boot/%{name}/grub.cfg \ %config(noreplace) %{_sysconfdir}/%{name}.cfg \ %ghost %config(noreplace) /boot/%{name}/grub.cfg \ %dir %attr(0700,root,root)/boot/loader/entries \ -%ifarch ppc64le \ -%dir %{_libdir}/grub/%{2}/ \ -%{_libdir}/grub/%{2}/%{grubelfname} \ -%endif \ \ %{expand:%if 0%{?with_legacy_modules} \ %{expand:%%files %{1}-modules} \ %defattr(-,root,root) \ %dir %{_libdir}/grub/%{2}/ \ %{_libdir}/grub/%{2}/* \ -%ifarch ppc64le \ -%exclude %{_libdir}/grub/%{2}/%{grubelfname} \ -%endif \ %exclude %{_libdir}/grub/%{2}/*.module \ %exclude %{_libdir}/grub/%{2}/{boot,boot_hybrid,cdboot,diskboot,lzma_decompress,pxeboot}.image \ %exclude %{_libdir}/grub/%{2}/*.o \ diff --git a/SOURCES/redhatsecureboot301.cer b/SOURCES/redhatsecureboot301.cer deleted file mode 100644 index 4ff8b79..0000000 Binary files a/SOURCES/redhatsecureboot301.cer and /dev/null differ diff --git a/SOURCES/redhatsecureboot303.cer b/SOURCES/redhatsecureboot303.cer deleted file mode 100644 index 2c0087d..0000000 Binary files a/SOURCES/redhatsecureboot303.cer and /dev/null differ diff --git a/SOURCES/redhatsecureboot502.cer b/SOURCES/redhatsecureboot502.cer deleted file mode 100644 index be0b5e2..0000000 Binary files a/SOURCES/redhatsecureboot502.cer and /dev/null differ diff --git a/SOURCES/redhatsecureboot601.cer b/SOURCES/redhatsecureboot601.cer deleted file mode 100644 index c92b96b..0000000 Binary files a/SOURCES/redhatsecureboot601.cer and /dev/null differ diff --git a/SOURCES/redhatsecurebootca3.cer b/SOURCES/redhatsecurebootca3.cer deleted file mode 100644 index b235400..0000000 Binary files a/SOURCES/redhatsecurebootca3.cer and /dev/null differ diff --git a/SOURCES/redhatsecurebootca5.cer b/SOURCES/redhatsecurebootca5.cer deleted file mode 100644 index dfb0284..0000000 Binary files a/SOURCES/redhatsecurebootca5.cer and /dev/null differ diff --git a/SPECS/grub2.spec b/SPECS/grub2.spec index 1a88aa6..dceb10e 100644 --- a/SPECS/grub2.spec 
+++ b/SPECS/grub2.spec @@ -24,12 +24,10 @@ Source6: gitignore Source8: strtoull_test.c Source9: 20-grub.install Source12: 99-grub-mkconfig.install -Source13: redhatsecurebootca3.cer -Source14: redhatsecureboot301.cer -Source15: redhatsecurebootca5.cer -Source16: redhatsecureboot502.cer -Source17: redhatsecureboot303.cer -Source18: redhatsecureboot601.cer +Source13: centos-ca-secureboot.der +Source14: centossecureboot001.der +Source15: centossecurebootca2.der +Source16: centossecureboot202.der Source19: sbat.csv.in %include %{SOURCE1} @@ -37,16 +35,10 @@ Source19: sbat.csv.in %if 0%{with_efi_arch} %define old_sb_ca %{SOURCE13} %define old_sb_cer %{SOURCE14} -%define old_sb_key redhatsecureboot301 +%define old_sb_key centossecureboot001 %define sb_ca %{SOURCE15} %define sb_cer %{SOURCE16} -%define sb_key redhatsecureboot502 -%endif - -%ifarch ppc64le -%define old_sb_cer %{SOURCE17} -%define sb_cer %{SOURCE18} -%define sb_key redhatsecureboot602 +%define sb_key centossecureboot202 %endif # generate with do-rebase @@ -72,7 +64,7 @@ BuildRequires: pesign >= 0.99-8 BuildRequires: ccache %endif -ExcludeArch: s390 s390x %{arm} +ExcludeArch: s390 s390x Obsoletes: %{name} <= %{evr} %if 0%{with_legacy_arch} @@ -81,6 +73,10 @@ Requires: %{name}-%{legacy_package_arch} = %{evr} Requires: %{name}-%{package_arch} = %{evr} %endif +%if 0%{?centos} +%global efidir centos +%endif + %global desc \ The GRand Unified Bootloader (GRUB) is a highly configurable and \ customizable bootloader with modular architecture. It supports a rich \ @@ -194,9 +190,6 @@ git commit -m "After making subdirs" %if 0%{with_legacy_arch} %{expand:%do_legacy_build %%{grublegacyarch}} %endif -%ifarch ppc64le -%{expand:%do_ieee1275_build_images %%{grublegacyarch} %{grubelfname} %{old_sb_cer} %{sb_cer} %{sb_key}} -%endif makeinfo --info --no-split -I docs -o docs/grub-dev.info \ docs/grub-dev.texi makeinfo --info --no-split -I docs -o docs/grub.info \
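Review bot: The four certificates now listed as `Source13`–`Source16` arrive as opaque binary files, so nothing in this diff lets a reviewer confirm which CA and signer are being put in the Secure Boot signing path. A comment above `Source13` giving each certificate's subject and SHA-256 fingerprint would allow checking them out of band, for example `# Source13: centos-ca-secureboot.der sha256 <FINGERPRINT_PLACEHOLDER>`, repeated for the other three. The next hunk sets `old_sb_key` to `centossecureboot001` and `sb_key` to `centossecureboot202`. It is worth confirming that these names pair with `Source14` and `Source16` and exist in the signing database, because that mapping is not visible here.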
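Review bot: The new `%global efidir centos` comes after `%include %{SOURCE1}`, so a macro in grub.macros that was defined with `%global` and already expanded `%{efidir}` would keep the earlier value. Whether such a macro exists is not visible in these hunks. If one does, the signed EFI binaries could be installed under a different directory than the one this override names. Consider moving the `%if 0%{?centos}` block above the `%include`, or add a comment such as `# efidir must match the EFI directory shim loads grub from` and confirm the resulting paths in a test build. When `%{?centos}` is unset the override is skipped without notice, which deserves a short note as well.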