Backport 30 patches to bring grub 2.06 up to SBAT level 2 and resolve vulnerabilities for CVE-2021-3695, CVE-2021-3696, CVE-2021-3697, CVE-2022-28733, CVE-2022-28734, CVE-2022-28735, and CVE-2022-28736.
* Adding XFS as a root filesystem type
Adding support to provision Mariner with a root filesystem
of type xfs
* Allow Grub to boot XFS
Insert the xfs module allowing grub to boot XFS
* Adding xfs progs to toolchain
To support XFS, add xfsprogs to the Mariner build
toolchain
* Addressing PR comments
- Removing xfsprogs from toolchain list
- adding xfsprogs to prereq documentation
* first commit of MarinerFedRamp2.0
* first commit for FedRAMP2.0
* patched all the asc cases in source code
* address Daniel's review comments for Mariner 2.0 FedRAMP
* move disabling ICMP redirect from source to packer
* Update SPECS/shadow-utils/shadow-utils.spec
Co-authored-by: Christopher Co <35273088+christopherco@users.noreply.github.com>
* Update SPECS/fedramp/fedramp.spec
Co-authored-by: Christopher Co <35273088+christopherco@users.noreply.github.com>
* address the comments in 2nd round reviews
* add asc.spec to replace fedramp.spec
* delete fedramp spec
* fix typo and remove changes for system-password
* update manifest file
* remove some unnecessary changes
* add empty line at end
* update to pass PR check
* address 1st round review comments
* update changelog for license
* address review comments
* remove ssh access
Co-authored-by: rmhsawyer <mingheren@gmail.com>
Co-authored-by: Christopher Co <35273088+christopherco@users.noreply.github.com>
* staging for now
* update grub2
* add grub pxe binary
* fix mistake in spec
* revert unnecessary changes
* add subpackage and update binary name
* update changes
* Update SPECS-SIGNED/grub2-efi-binary-signed/grub2-efi-binary-signed.spec
Co-authored-by: Christopher Co <35273088+christopherco@users.noreply.github.com>
Co-authored-by: Henry Li <lihl@microsoft.com>
Co-authored-by: Christopher Co <35273088+christopherco@users.noreply.github.com>
* [1.0] shim: update shim bootloader (#2157)
* shim: update key used
Our current keys have a 1 year expiration time, and it will expire
shortly. Update the key to one that will expire on 10/13/22. Ultimately
we plan to move to a longer lived CA cert once that is made available.
* shim: Add critical patches
* shim: Update to new signed shim bootloader binary
New shim bootloader contains the renewed Mariner Secure Boot Production
key embedded inside. And this shim binary itself is signed with the MS
UEFI CA.
* grub: bump release number to force re-signing
In order to not regress current users of the grub2-2.06~rc1-7 package,
bump release number which will cause the newer grubx64.efi inside the
grub2-efi-binary-2.06~rc1-8 package to be signed with the updated secure
boot key that matches with the one embedded in the 15.4-2 shim binary.
* License verified
Signed-off-by: Chris Co <chrco@microsoft.com>
* grub-signed: Commonize on one spec
Use macros to swap spec contents based on build architecture. We will
still create an SRPM per arch, each with a unique name, so there is no
risk of SRPM name collision.
* grub-signed: Define new grub2-efi-binary subpackage
New subpackage will contain the signed grubx64.efi/grubaa64.efi binary.
This package name is identical to the unsigned version and we will
prefer to use this signed version if built.
* grub-signed: rename files
* grub2: bump spec version to match signed version
* Update github action checks
CG manifest, license file, and spec entanglement checks are failing
due to the grub-efi-binary-signed naming change. Update the checks to
account for the new name.
* grub2-signed: rename source0 to match subpackage
Source0 previously pointed to grub2-efi-unsigned rpm which technically
can work but it would be better to use the grub2-efi-binary package
instead because grub2-efi-binary package is ultimately the package we
will be replacing. We can also perform checks to make sure the output
rpm matches the inputs, modulo the signed binary.
Signed-off-by: Chris Co <chrco@microsoft.com>
Add a few more F34 patches that are useful to carry.
Patches:
- 017: fix for passing the kernel command line
- 037, 052: update the documentation and make patch 166 apply cleanly
- 069: Fix for tsc problem
- 166: Prevent user from overwriting signed grub EFI binary when using
grub2-install
Signed-off-by: Chris Co <chrco@microsoft.com>
Update grub2 from 2.02 to 2.06-rc1 which handles BootHole v2. Additionally, we
drop all previous patches and rebaseline using a minimal number of patches
from FC34. These patches implement the Secure Boot Handover protocol (needed
so the TPM Eventlog can be exposed to the kernel for TPM attestation scenarios)
and a few other nice-to-have fixes.
2.06 also introduces a new generation number based revocation mechanism known
as Secure Boot Advanced Targeting (SBAT) into the grub EFI binary. Components
that utilize the SHIM for secure boot will add a .sbat field into their binary's
PE header, allowing the SHIM to check the component's sbat field against known
good component versions and allow for version-based revocation.
Signed-off-by: Chris Co <chrco@microsoft.com>
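The version-based revocation the commit message describes, as an added example that is not part of the CBL-Mariner history or of shim's or grub's own code: it parses a `.sbat` CSV section in the shape grub 2.06 embeds and applies the generation check shim performs against a revocation policy. The `.sbat` contents, the `grub.example` vendor row and the policy file are constructed sample data; the `grub,2` requirement stands in for the "SBAT level 2" named in the title.

```python
import csv
from io import StringIO

# Constructed .sbat section in the shape grub 2.06 embeds: one CSV row per
# component: name, generation, vendor, package, version, url. The vendor
# row "grub.example" is hypothetical, not the distro's real entry.
GRUB_SBAT_GEN1 = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,1,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
grub.example,1,Example Vendor,grub2,2.06~rc1,https://example.invalid/grub2
"""
# The same binary after a backport that raises the upstream grub generation.
GRUB_SBAT_GEN2 = GRUB_SBAT_GEN1.replace("grub,1,Free", "grub,2,Free")

# Constructed revocation policy in shim's SbatLevel shape: a dated header
# row, then one (component, minimum generation) row per revocation.
# "grub,2" corresponds to the "SBAT level 2" requirement in the title.
SBAT_LEVEL_2 = """\
sbat,1,2022010100
grub,2
"""

def parse_sbat(text):
    """Map component name -> generation from a .sbat (or policy) CSV."""
    entries = {}
    for row in csv.reader(StringIO(text)):
        if len(row) >= 2 and row[0].strip():
            entries[row[0].strip()] = int(row[1])
    return entries

def sbat_verify(section_text, policy_text):
    """Apply shim's rule: reject if any component the policy names is
    present in the binary's .sbat with a generation below the policy
    minimum. Components the policy does not name are not checked."""
    entries = parse_sbat(section_text)
    if "sbat" not in entries:
        return False, "missing or malformed .sbat section"
    for name, minimum in parse_sbat(policy_text).items():
        have = entries.get(name)
        if have is not None and have < minimum:
            return False, f"{name} generation {have} < required {minimum}"
    return True, "ok"

if __name__ == "__main__":
    for label, sbat in (("gen1", GRUB_SBAT_GEN1), ("gen2", GRUB_SBAT_GEN2)):
        print(label, *sbat_verify(sbat, SBAT_LEVEL_2))
```

Running it shows why a generation bump, not a version string, is what a shim on level 2 looks at: the gen1 binary is refused and the otherwise identical gen2 binary boots.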
As part of enabling UEFI Secure Boot, the grub2 EFI binary must be
signed with our distro key.
At the moment, the signing infrastructure isn't quite ready to perform
inline signing during package build. So to work around this, we
introduced the grub2-efi-binary-signed-<arch> packages. The purpose
of these packages is to supply a way for signed versions of the
grub efi binary to land on the end-user's filesystem.