From f2623d53c733370dbff87cd4ad70256dbd321d7d62419e268745f0a1d5b3f11f Mon Sep 17 00:00:00 2001
From: Dominique Leuenberger
Date: Tue, 23 Feb 2021 19:18:02 +0000
Subject: [PATCH] Accepting request 874453 from Base:System
OBS-URL: https://build.opensuse.org/request/show/874453
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/grub2?expand=0&rev=233
---
0001-Fix-build-error-in-binutils-2.36.patch | 47 +++++++++++++
0001-emu-fix-executable-stack-marking.patch | 73 +++++++++++++++++++++
grub2.changes | 16 +++++
grub2.rpmlintrc | 3 +-
grub2.spec | 36 ++++++++--
5 files changed, 169 insertions(+), 6 deletions(-)
create mode 100644 0001-Fix-build-error-in-binutils-2.36.patch
create mode 100644 0001-emu-fix-executable-stack-marking.patch
diff --git a/0001-Fix-build-error-in-binutils-2.36.patch b/0001-Fix-build-error-in-binutils-2.36.patch
new file mode 100644
index 0000000..43a19aa
--- /dev/null
+++ b/0001-Fix-build-error-in-binutils-2.36.patch
@@ -0,0 +1,47 @@
+From 7801d671905329d28e789082225570fc54fe5784 Mon Sep 17 00:00:00 2001
+From: Michael Chang
+Date: Fri, 19 Feb 2021 17:40:43 +0800
+Subject: [PATCH] Fix build error in binutils 2.36
+
+The build fails in binutils 2.36
+
+[ 520s] cat kernel_syms.lst > syminfo.lst.new
+[ 520s] /usr/lib64/gcc/x86_64-suse-linux/10/../../../../x86_64-suse-linux/bin/ld: section .note.gnu.property VMA [0000000000400158,0000000000400187] overlaps section .bss VMA [000000000000f000,000000000041e1af]
+
+It is caused by assembler now generates the GNU property notes section
+by default. Use the assmbler option -mx86-used-note=no to disable the
+section from being generated to workaround the ensuing linker issue.
+
+Signed-off-by: Michael Chang
+---
+ configure.ac | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/configure.ac b/configure.ac
+index c39e8379f..a3fb713ad 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -827,6 +827,20 @@ if ( test "x$target_cpu" = xi386 || test "x$target_cpu" = xx86_64 ) && test "x$p
+ TARGET_CFLAGS="$TARGET_CFLAGS -mno-mmx -mno-sse -mno-sse2 -mno-sse3 -mno-3dnow"
+ fi
+
++if ( test "x$target_cpu" = xi386 || test "x$target_cpu" = xx86_64 ); then
++ AC_CACHE_CHECK([whether -Wa,-mx86-used-note works], [grub_cv_cc_mx86_used_note], [
++ CFLAGS="$TARGET_CFLAGS -Wa,-mx86-used-note=no -Werror"
++ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
++ [grub_cv_cc_mx86_used_note=yes],
++ [grub_cv_cc_mx86_used_note=no])
++ ])
++
++ if test "x$grub_cv_cc_mx86_used_note" = xyes; then
++ TARGET_CFLAGS="$TARGET_CFLAGS -Wa,-mx86-used-note=no"
++ TARGET_CCASFLAGS="$TARGET_CCASFLAGS -Wa,-mx86-used-note=no"
++ fi
++fi
++
+ # GRUB doesn't use float or doubles at all. Yet some toolchains may decide
+ # that floats are a good fit to run instead of what's written in the code.
+ # Given that floating point unit is disabled (if present to begin with)
+--
+2.30.0
+
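Review bot: The added `AC_CACHE_CHECK` block in configure.ac carries no comment saying why the assembler note is switched off, and it assigns `CFLAGS` for the probe with no restore visible in the hunk. A line such as `# binutils 2.36 emits .note.gnu.property by default and ld then reports a VMA overlap with .bss; disable the note as a workaround` above the `if` would keep the reason next to the flag. Whether `CFLAGS` is reset before the next probe cannot be seen from here, so confirm that the `-Werror` set for this test does not carry into later checks. The flag is also applied on every i386/x86_64 platform, because the condition tests only `$target_cpu`.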
diff --git a/0001-emu-fix-executable-stack-marking.patch b/0001-emu-fix-executable-stack-marking.patch
new file mode 100644
index 0000000..c9c2954
--- /dev/null
+++ b/0001-emu-fix-executable-stack-marking.patch
@@ -0,0 +1,73 @@
+From 4cc06bef26c3573309086bec4472cc9151b0379e Mon Sep 17 00:00:00 2001
+From: Michael Chang
+Date: Mon, 1 Feb 2021 20:14:12 +0800
+Subject: [PATCH] emu: fix executable stack marking
+
+The gcc by default assumes executable stack is required if the source
+object file doesn't have .note.GNU-stack section in place. If any of the
+source objects doesn't incorporate the GNU-stack note, the resulting
+program will have executable stack flag set in PT_GNU_STACK program
+header to instruct program loader or kernel to set up the exeutable
+stack when program loads to memory.
+
+Usually the .note.GNU-stack section will be generated by gcc
+automatically if it finds that executable stack is not required. However
+it doesn't take care of generating .note.GNU-stack section for those
+object files built from assembler sources. This leads to unnecessary
+risk of security of exploiting the executable stack because those
+assembler sources don't actually require stack to be executable to work.
+
+The grub-emu and grub-emu-lite are found to flag stack as executable
+revealed by execstack tool.
+
+ $ mkdir -p build-emu && cd build-emu
+ $ ../configure --with-platform=emu && make
+ $ execstack -q grub-core/grub-emu grub-core/grub-emu-lite
+ X grub-core/grub-emu
+ X grub-core/grub-emu-lite
+
+This patch will add the missing GNU-stack note to the assembler source
+used by both utilities, therefore the result doesn't count on gcc
+default behavior and the executable stack is disabled.
+
+ $ execstack -q grub-core/grub-emu grub-core/grub-emu-lite
+ - grub-core/grub-emu
+ - grub-core/grub-emu-lite
+
+Signed-off-by: Michael Chang
+---
+ grub-core/kern/emu/cache_s.S | 5 +++++
+ grub-core/lib/setjmp.S | 4 ++++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/grub-core/kern/emu/cache_s.S b/grub-core/kern/emu/cache_s.S
+index 7bb1e1441..fca85c69e 100644
+--- a/grub-core/kern/emu/cache_s.S
++++ b/grub-core/kern/emu/cache_s.S
+@@ -2,6 +2,11 @@
+ #error "This source is only meant for grub-emu platform"
+ #endif
+
++/* An executable stack is not required for these functions */
++#if defined (__linux__) && defined (__ELF__)
++.section .note.GNU-stack,"",@progbits
++#endif
++
+ #if defined(__i386__) || defined(__x86_64__)
+ /* Nothing is necessary. */
+ #elif defined(__sparc__)
+diff --git a/grub-core/lib/setjmp.S b/grub-core/lib/setjmp.S
+index a37467760..16f676368 100644
+--- a/grub-core/lib/setjmp.S
++++ b/grub-core/lib/setjmp.S
+@@ -1,3 +1,7 @@
++/* An executable stack is not required for these functions */
++#if defined (__linux__) && defined (__ELF__)
++.section .note.GNU-stack,"",@progbits
++#endif
+ #if defined(__i386__)
+ #include "./i386/setjmp.S"
+ #elif defined(__x86_64__)
+--
+2.30.0
+
diff --git a/grub2.changes b/grub2.changes
index 4fdf0b4..d801dd1 100644
--- a/grub2.changes
+++ b/grub2.changes
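Review bot: In both cache_s.S and setjmp.S the new directive spells the section type `@progbits`, and on targets whose GNU as syntax treats `@` as a comment character (ARM is the usual case) that token is read as a comment, not as a section type. Since setjmp.S dispatches to several architectures and cache_s.S has non-x86 branches, `.section .note.GNU-stack,"",%progbits` is the spelling that assembles the same way everywhere. The directive also leaves `.note.GNU-stack` as the current section, so it relies on the code that follows, outside these hunks, switching back to `.text` before emitting instructions; that is worth confirming for each included file. Re-running `execstack -q` on a non-x86 grub-emu build would verify the marking there as well.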
@@ -1,3 +1,19 @@ +------------------------------------------------------------------- +Mon Feb 22 12:49:48 UTC 2021 - Michael Chang + +- Fix build error in binutils 2.36 (bsc#1181741) + * 0001-Fix-build-error-in-binutils-2.36.patch +- Fix executable stack in grub-emu (bsc#1181696) + * 0001-emu-fix-executable-stack-marking.patch + +------------------------------------------------------------------- +Thu Feb 18 05:21:29 UTC 2021 - Michael Chang + +- Restore compatibilty sym-links + * grub2.spec +- Use rpmlintrc to filter out rpmlint 2.0 error (bsc#1179044) + * grub2.rpmlintrc + ------------------------------------------------------------------- Wed Jan 27 04:13:32 UTC 2021 - Michael Chang diff --git a/grub2.rpmlintrc b/grub2.rpmlintrc index 5bf2298..23c9652 100644 --- a/grub2.rpmlintrc +++ b/grub2.rpmlintrc @@ -7,7 +7,8 @@ addFilter("statically-linked-binary .*/grub2/*/kernel.img") addFilter("unstripped-binary-or-object .*/grub2/*/.*.mod") # TODO: s390 Experts: is this sensible?! addFilter("s390x: W: executable-stack") -# +# We need to provide compatibility sym-links in noarch package addFilter("suse-filelist-forbidden-noarch") +addFilter("filelist-forbidden-noarch") # addFilter('arch-independent-package-contains-binary-or-object') diff --git a/grub2.spec b/grub2.spec index bbc9597..f9bd1b4 100644 --- a/grub2.spec +++ b/grub2.spec @@ -346,6 +346,8 @@ Patch735: 0006-efi-Set-image-base-address-before-jumping-to-the-PE-.patch Patch736: 0007-linuxefi-fail-kernel-validation-without-shim-protoco.patch Patch737: 0008-squash-Add-support-for-Linux-EFI-stub-loading-on-aar.patch Patch738: 0009-squash-Add-support-for-linuxefi.patch +Patch739: 0001-Fix-build-error-in-binutils-2.36.patch +Patch740: 0001-emu-fix-executable-stack-marking.patch Requires: gettext-runtime %if 0%{?suse_version} >= 1140 
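Review bot: The new `addFilter("filelist-forbidden-noarch")` in grub2.rpmlintrc carries no path, so it hides that finding for every file the package set ships in a noarch subpackage, not only for the compatibility sym-links the comment names. The first two filters shown in this hunk are scoped with a path pattern; if the rpmlint message includes the offending path, narrowing the filter to the compat locations keeps the check useful for anything added later, for example `addFilter("filelist-forbidden-noarch .*/grub2/.*/grub.xen")` (a constructed pattern, to be checked against the real rpmlint output). The same applies to the existing `suse-filelist-forbidden-noarch` line.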
@@ -468,10 +470,6 @@ Requires(post): perl-Bootloader >= 0.706 %endif Provides: %{name}-efi = %{version}-%{release} Obsoletes: %{name}-efi < %{version}-%{release} -%ifarch x86_64 -Conflicts: python2-kiwi < 9.17.12 -Conflicts: python3-kiwi < 9.17.12 -%endif %description %{grubefiarch} The GRand Unified Bootloader (GRUB) is a highly configurable and customizable @@ -504,7 +502,6 @@ Group: System/Boot Provides: %{name}-xen = %{version}-%{release} Obsoletes: %{name}-xen < %{version}-%{release} BuildArch: noarch -Conflicts: xen < 4.12.0_03 %description %{grubxenarch} The GRand Unified Bootloader (GRUB) is a highly configurable and customizable @@ -685,6 +682,8 @@ swap partition while in resuming %patch736 -p1 %patch737 -p1 %patch738 -p1 +%patch739 -p1 +%patch740 -p1 %build # collect evidence to debug spurious build failure on SLE15 @@ -866,6 +865,14 @@ cd .. cd build-xen %make_install install -m 644 grub.xen %{buildroot}/%{_datadir}/%{name}/%{grubxenarch}/. +# provide compatibility sym-link for VM definitions pointing to old location +install -d %{buildroot}%{_libdir}/%{name}/%{grubxenarch} +ln -srf %{buildroot}%{_datadir}/%{name}/%{grubxenarch}/grub.xen %{buildroot}%{_libdir}/%{name}/%{grubxenarch}/grub.xen +cat <<-EoM >%{buildroot}%{_libdir}/%{name}/%{grubxenarch}/DEPRECATED + This directory and its contents was moved to %{_datadir}/%{name}/%{grubxenarch}. + Individual symbolic links are provided for a smooth transition. + Please update your VM definition files to use the new location! +EoM cd .. %endif 
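Review bot: The xen compatibility link in the `build-xen` install step is created under `%{_libdir}`, which expands per build architecture, while the subpackage it belongs to is declared `BuildArch: noarch` in the context of the earlier `%description %{grubxenarch}` hunk. The packaged path therefore depends on which host built the noarch rpm, which is presumably the finding the rpmlint filter added in grub2.rpmlintrc silences. If the old location was always the lib64 one, a comment such as `# %{_libdir} is intentional: existing VM definitions reference the old lib64 path` next to the `install -d` line would record that. The DEPRECATED text also reads "contents was moved"; "were moved" is the correct form, here and in the EFI hunk that follows.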
@@ -883,6 +890,16 @@ install -m 644 grub-tpm.efi %{buildroot}/%{_datadir}/%{name}/%{grubefiarch}/. %define sysefidir %{sysefibasedir}/%{_target_cpu} install -d %{buildroot}/%{sysefidir} ln -sr %{buildroot}/%{_datadir}/%{name}/%{grubefiarch}/grub.efi %{buildroot}%{sysefidir}/grub.efi +%ifarch x86_64 +# provide compatibility sym-link for previous shim-install and the like +install -d %{buildroot}/usr/lib64/efi +ln -srf %{buildroot}/%{_datadir}/%{name}/%{grubefiarch}/grub.efi %{buildroot}/usr/lib64/efi/grub.efi +cat <<-EoM >%{buildroot}/usr/lib64/efi/DEPRECATED + This directory and its contents was moved to %{_datadir}/efi/x86_64. + Individual symbolic links are provided for a smooth transition and + may vanish at any point in time. Please use the new location! +EoM +%endif %ifarch x86_64 aarch64 %if 0%{?suse_version} >= 1230 || 0%{?suse_version} == 1110 @@ -1310,6 +1327,12 @@ fi %dir %{sysefidir} %{sysefidir}/grub.efi %if 0%{?suse_version} < 1600 +%ifarch x86_64 +# provide compatibility sym-link for previous shim-install and kiwi +%dir /usr/lib64/efi +/usr/lib64/efi/DEPRECATED +/usr/lib64/efi/grub.efi +%endif %endif %ifarch x86_64 aarch64 @@ -1338,6 +1361,9 @@ fi %defattr(-,root,root,-) %dir %{_datadir}/%{name}/%{grubxenarch} %{_datadir}/%{name}/%{grubxenarch}/* +# provide compatibility sym-link for VM definitions pointing to old location +%dir %{_libdir}/%{name} +%{_libdir}/%{name}/%{grubxenarch} %endif %if 0%{?has_systemd:1}
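Review bot: The install hunk creates `/usr/lib64/efi/grub.efi` and `/usr/lib64/efi/DEPRECATED` under `%ifarch x86_64` alone, but the `%files` hunk lists them inside the existing `%if 0%{?suse_version} < 1600` block. Unless an enclosing condition outside the hunk already limits the install step, a build with `suse_version` 1600 or later would install the two files without packaging them, which rpmbuild normally reports as installed but unpackaged files. Wrapping the added install lines in the same condition, `%if 0%{?suse_version} < 1600` before `%ifarch x86_64` and a matching `%endif` after it, keeps the two sections in step.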