From 1b87db1be83e284fb5c502b29dba9de72d0c6c5fdcaf215baa5d6e18bcc8723d Mon Sep 17 00:00:00 2001
From: Dominique Leuenberger
Date: Fri, 28 Aug 2020 19:18:51 +0000
Subject: [PATCH] Accepting request 830141 from Base:System OBS-URL: https://build.opensuse.org/request/show/830141 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/grub2?expand=0&rev=226
---
 ...-check-to-enable-btrfs-relative-path.patch | 156 ++++++++++++++++++
 ...e-GRUB_VERIFY_FLAGS_DEFER_AUTH-if-se.patch | 41 +++++
 grub2.changes | 13 ++
 grub2.spec | 4 +
 4 files changed, 214 insertions(+)
 create mode 100644 0001-Unify-the-check-to-enable-btrfs-relative-path.patch
 create mode 100644 0001-shim_lock-Disable-GRUB_VERIFY_FLAGS_DEFER_AUTH-if-se.patch
diff --git a/0001-Unify-the-check-to-enable-btrfs-relative-path.patch b/0001-Unify-the-check-to-enable-btrfs-relative-path.patch
new file mode 100644
index 0000000..c12850d
--- /dev/null
+++ b/0001-Unify-the-check-to-enable-btrfs-relative-path.patch
@@ -0,0 +1,156 @@
+From 80bb1b17b3f596dbd7331cf9cb20a46c8ef9800b Mon Sep 17 00:00:00 2001
+From: Michael Chang
+Date: Sat, 22 Aug 2020 02:32:43 +0800
+Subject: [PATCH] Unify the check to enable btrfs relative path
+
+This unified the test in grub-install and grub-mkconfig that the path to
+default or selected btrfs subvolume/snapshot is used if the root file
+system is btrfs and the config has enabled btrfs snapshot booting.
+
+Signed-off-by: Michael Chang
+---
+ util/grub-install.c | 67 +++++++++++++++++++++++++++------------
+ util/grub-mkconfig_lib.in | 3 +-
+ 2 files changed, 48 insertions(+), 22 deletions(-)
+
+diff --git a/util/grub-install.c b/util/grub-install.c
+index 746a42a04..8d18f2530 100644
+--- a/util/grub-install.c
++++ b/util/grub-install.c
+@@ -870,6 +870,7 @@ main (int argc, char *argv[])
+ const char *efi_file = NULL;
+ char **grub_devices;
+ grub_fs_t grub_fs;
++ grub_fs_t root_fs;
+ grub_device_t grub_dev = NULL;
+ enum grub_install_plat platform;
+ char *grubdir, *device_map;
+@@ -882,6 +883,8 @@ main (int argc, char *argv[])
+ int efidir_is_mac = 0;
+ int is_prep = 0;
+ const char *pkgdatadir;
++ char *rootdir_path;
++ char **rootdir_devices;
+
+ grub_util_host_init (&argc, &argv);
+ product_version = xstrdup (PACKAGE_VERSION);
+@@ -895,9 +898,6 @@ main (int argc, char *argv[])
+
+ grub_util_load_config (&config);
+
+- if (config.is_suse_btrfs_snapshot_enabled)
+- use_relative_path_on_btrfs = 1;
+-
+ if (!bootloader_id && config.grub_distributor)
+ {
+ char *ptr;
+@@ -1046,6 +1046,45 @@ main (int argc, char *argv[])
+ grub_hostfs_init ();
+ grub_host_init ();
+
++ {
++ char *rootdir_grub_devname;
++ grub_device_t rootdir_grub_dev;
++ char *t = grub_util_path_concat (2, "/", rootdir);
++
++ rootdir_path = grub_canonicalize_file_name (t);
++ if (!rootdir_path)
++ grub_util_error (_("failed to get canonical path of `%s'"), t);
++
++ rootdir_devices = grub_guess_root_devices (rootdir_path);
++ if (!rootdir_devices || !rootdir_devices[0])
++ grub_util_error (_("cannot find a device for %s (is /dev mounted?)"),
++ rootdir_path);
++
++ for (curdev = rootdir_devices; *curdev; curdev++)
++ grub_util_pull_device (*curdev);
++
++ rootdir_grub_devname = grub_util_get_grub_dev (rootdir_devices[0]);
++ if (!rootdir_grub_devname)
++ grub_util_error (_("cannot find a GRUB drive for %s. Check your device.map"),
++ rootdir_devices[0]);
++
++ rootdir_grub_dev = grub_device_open (rootdir_grub_devname);
++ if (! rootdir_grub_dev)
++ grub_util_error ("%s", grub_errmsg);
++
++ root_fs = grub_fs_probe (rootdir_grub_dev);
++ if (!root_fs)
++ grub_util_error ("%s", grub_errmsg);
++
++ if (config.is_suse_btrfs_snapshot_enabled
++ && grub_strncmp(root_fs->name, "btrfs", sizeof ("btrfs") - 1) == 0)
++ use_relative_path_on_btrfs = 1;
++
++ free (t);
++ free (rootdir_grub_devname);
++ grub_device_close (rootdir_grub_dev);
++ }
++
+ switch (platform)
+ {
+ case GRUB_INSTALL_PLATFORM_I386_EFI:
+@@ -1410,8 +1449,7 @@ main (int argc, char *argv[])
+ debug_image);
+ }
+
+- if (config.is_suse_btrfs_snapshot_enabled
+- && grub_strncmp(grub_fs->name, "btrfs", sizeof ("btrfs") - 1) == 0)
++ if (use_relative_path_on_btrfs)
+ {
+ if (!load_cfg_f)
+ load_cfg_f = grub_util_fopen (load_cfg, "wb");
+@@ -1624,21 +1662,13 @@ main (int argc, char *argv[])
+
+ #ifdef __linux__
+
+- if (config.is_suse_btrfs_snapshot_enabled
+- && grub_strncmp(grub_fs->name, "btrfs", sizeof ("btrfs") - 1) == 0)
++ if (use_relative_path_on_btrfs)
+ {
+ char *subvol = NULL;
+ char *mount_path = NULL;
+- char **rootdir_devices = NULL;
+- char *t = grub_util_path_concat (2, "/", rootdir);
+- char *rootdir_path = grub_canonicalize_file_name (t);
+-
+- if (rootdir_path && grub_util_is_directory (rootdir_path))
+- rootdir_devices = grub_guess_root_devices (rootdir_path);
+
+- if (rootdir_devices && rootdir_devices[0])
+- if (grub_strcmp (rootdir_devices[0], grub_devices[0]) == 0)
+- subvol = grub_util_get_btrfs_subvol (platdir, &mount_path);
++ if (grub_strcmp (rootdir_devices[0], grub_devices[0]) == 0)
++ subvol = grub_util_get_btrfs_subvol (platdir, &mount_path);
+
+ if (subvol && mount_path)
+ {
+@@ -1663,11 +1693,6 @@ main (int argc, char *argv[])
+ }
+ }
+
+- free (t);
+- free (rootdir_path);
+- for (curdev = rootdir_devices; *curdev; curdev++)
+- free (*curdev);
+- free (rootdir_devices);
+ free (subvol);
+ free (mount_path);
+ }
+diff --git a/util/grub-mkconfig_lib.in b/util/grub-mkconfig_lib.in
+index 023f54a2d..eab46773b 100644
+--- a/util/grub-mkconfig_lib.in
++++ b/util/grub-mkconfig_lib.in
+@@ -49,7 +49,8 @@ grub_warn ()
+
+ make_system_path_relative_to_its_root ()
+ {
+- if [ "x${SUSE_BTRFS_SNAPSHOT_BOOTING}" = "xtrue" ] ; then
++ if [ "x${SUSE_BTRFS_SNAPSHOT_BOOTING}" = "xtrue" ] &&
++ [ "x${GRUB_FS}" = "xbtrfs" ] ; then
+ "${grub_mkrelpath}" -r "$1"
+ else
+ "${grub_mkrelpath}" "$1"
+--
+2.28.0
+
diff --git a/0001-shim_lock-Disable-GRUB_VERIFY_FLAGS_DEFER_AUTH-if-se.patch b/0001-shim_lock-Disable-GRUB_VERIFY_FLAGS_DEFER_AUTH-if-se.patch
new file mode 100644
index 0000000..f1c6f2e
--- /dev/null
+++ b/0001-shim_lock-Disable-GRUB_VERIFY_FLAGS_DEFER_AUTH-if-se.patch
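Review bot: The root-filesystem probe block added after `grub_host_init ();` in util/grub-install.c runs on every install, and each step in it ends in `grub_util_error`, so grub-install can now abort when the root directory cannot be canonicalized, mapped to a GRUB drive or probed, even with `config.is_suse_btrfs_snapshot_enabled` off. The removed code treated the same lookups as best-effort and only ran them when the feature was on. Guarding the block with `if (config.is_suse_btrfs_snapshot_enabled)` would keep the unified check without adding failure modes to installs that never use the relative path. The later unguarded `grub_strcmp (rootdir_devices[0], grub_devices[0])` is safe only if nothing else sets `use_relative_path_on_btrfs`; its other writers are not visible here, so a comment stating that invariant would help. `rootdir_path` and `rootdir_devices` are also never freed once the last hunk drops their `free` calls; `main` extends well beyond these hunks.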
@@ -0,0 +1,41 @@
+From a60cfeacdeefb21215d35c4cad025e57de900352 Mon Sep 17 00:00:00 2001
+From: Michael Chang
+Date: Thu, 27 Aug 2020 13:18:25 +0800
+Subject: [PATCH] shim_lock: Disable GRUB_VERIFY_FLAGS_DEFER_AUTH if secure
+ boot off
+
+The GRUB_VERIFY_FLAGS_DEFER_AUTH is enabled regardless secure boot
+status that will cause error [1] on loading external grub modules if
+secure boot turned off in which shim protocol itself did not verify
+images so should not request verification for external modules either.
+
+This patch fixed the problem by adding the secure boot status check
+before requesting other verifiers to verify external module, therefore
+external module loading can work after shim_lock module loaded and
+secure boot turned off.
+
+[1] error: verification requested but nobody cares:
+(hd0,gpt10)/boot/grub2/x86_64-efi/linux.mod.
+
+Signed-off-by: Michael Chang
+---
+ grub-core/commands/efi/shim_lock.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/commands/efi/shim_lock.c b/grub-core/commands/efi/shim_lock.c
+index 764098cfc..18d121297 100644
+--- a/grub-core/commands/efi/shim_lock.c
++++ b/grub-core/commands/efi/shim_lock.c
+@@ -82,7 +82,8 @@ shim_lock_init (grub_file_t io, enum grub_file_type type,
+
+ case GRUB_FILE_TYPE_ACPI_TABLE:
+ case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE:
+- *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;
++ if (grub_efi_secure_boot())
++ *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;
+
+ return GRUB_ERR_NONE;
+
+--
+2.26.2
+
diff --git a/grub2.changes b/grub2.changes
index 5019eb6..ac000af 100644
--- a/grub2.changes
+++ b/grub2.changes
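Review bot: With Secure Boot off, the `GRUB_FILE_TYPE_ACPI_TABLE` / `GRUB_FILE_TYPE_DEVICE_TREE_IMAGE` path in `shim_lock_init` now returns `GRUB_ERR_NONE` without writing `*flags`, so the result depends on whatever was assigned before the `switch`, which lies outside the hunk. If that initial value is not already a skip value, make the branch explicit with `else *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION;`. Because this relaxes a verification requirement, the branch deserves a comment such as `/* shim verifies nothing when Secure Boot is off, so do not demand another verifier; trusts grub_efi_secure_boot () at each file open. */`. The case labels for external modules that the commit message describes presumably sit above the hunk and cannot be checked here. As a style point, `grub_efi_secure_boot()` is missing the space before the parenthesis used in the surrounding code.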
@@ -1,3 +1,16 @@ +------------------------------------------------------------------- +Thu Aug 27 06:58:37 UTC 2020 - Michael Chang + +- Fix verification requested but nobody cares error when loading external + module in secure boot off (bsc#1175766) + * 0001-shim_lock-Disable-GRUB_VERIFY_FLAGS_DEFER_AUTH-if-se.patch + +------------------------------------------------------------------- +Sat Aug 22 02:41:49 UTC 2020 - Michael Chang + +- Make consistent check to enable relative path on btrfs (bsc#1174567) + * 0001-Unify-the-check-to-enable-btrfs-relative-path.patch + ------------------------------------------------------------------- Fri Aug 21 04:40:48 UTC 2020 - Michael Chang diff --git a/grub2.spec b/grub2.spec index 59a21ea..4a8e020 100644 --- a/grub2.spec +++ b/grub2.spec @@ -329,6 +329,8 @@ Patch716: 0002-cmdline-Provide-cmdline-functions-as-module.patch # takes 45 minutes after grub to start loading kernel Patch717: 0001-ieee1275-powerpc-implements-fibre-channel-discovery-.patch Patch718: 0002-ieee1275-powerpc-enables-device-mapper-discovery.patch +Patch719: 0001-Unify-the-check-to-enable-btrfs-relative-path.patch +Patch720: 0001-shim_lock-Disable-GRUB_VERIFY_FLAGS_DEFER_AUTH-if-se.patch Requires: gettext-runtime %if 0%{?suse_version} >= 1140 @@ -649,6 +651,8 @@ swap partition while in resuming %patch716 -p1 %patch717 -p1 %patch718 -p1 +%patch719 -p1 +%patch720 -p1 %build # collect evidence to debug spurious build failure on SLE15