Bug 1722938

Summary: Include several modules in the EFI build of Grub2 for security use-cases
Product: Fedora
Reporter: Ben Cotton <bcotton>
Component: Changes Tracking
Assignee: Benjamin <benjamin.doron00>
Status: CLOSED CURRENTRELEASE
Severity: unspecified
Priority: unspecified
Version: 31
CC: bcotton, benjamin.doron00, fmartine, joseph.tingiris, marcel, pjones
Fixed In Version: grub2-2.02-91.fc31
Doc Type: If docs needed, set a value
Last Closed: 2019-10-29 17:13:57 UTC
Attachments:
- patches grub.macros to satisfy the change proposal (flags: none)
- automates the setup of sig verification (flags: none)
- kernel postinstall file; needs review and should utilise kernel-install's command line arguments (flags: none)

Description Ben Cotton 2019-06-21 18:28:01 UTC
This is a tracking bug for Change: Include several modules in the EFI build of Grub2 for security use-cases
For more details, see: https://fedoraproject.org/wiki/Changes/Include_security_modules_in_efi_Grub2

Include Grub's "verify," "cryptodisk" and "luks" modules in grubx64.efi of the 'grub2-efi-x64' package.

Comment 1 Benjamin 2019-07-06 15:47:17 UTC
Hi,

Pull requests seem to be disabled for rpms/grub2, so I'm attaching a patch or you can pull from https://src.fedoraproject.org/fork/benjamind/rpms/grub2/c/f1fa5ed240873321c2dd27320c833f45daef3a66?branch=master.

I'm attaching two scripts that I wrote to assist the signature verification portion of the change, and while I know that I should edit the second to properly use kernel-install, I don't think it can be shipped for the moment anyway because it wasn't made part of the change proposal initially. In the meantime, it may be useful for testing (it does work for me in its current state). The first simply automates a lot of the process.

Comment 2 Benjamin 2019-07-06 15:48:50 UTC
Created attachment 1587914 [details]
patches grub.macros to satisfy the change proposal

Comment 3 Benjamin 2019-07-06 15:49:42 UTC
Created attachment 1587915 [details]
automates the setup of sig verification

Comment 4 Benjamin 2019-07-06 15:52:36 UTC
Created attachment 1587916 [details]
kernel postinstall file. needs review and should utilise kernel-install's command line arguments

Place in /usr/lib/kernel/install.d/ and name it "99-grub_verify.install"
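The kind of kernel-install plugin described in this comment, written here as an added example rather than the attachment itself: on `add` it creates detached GPG signatures for the installed kernel and initramfs so that GRUB's verify module (with `check_signatures=enforce`) accepts them, and on `remove` it cleans them up. It assumes Fedora's /boot/vmlinuz-VERSION and /boot/initramfs-VERSION.img layout, the standard kernel-install argument order (command, version, entry directory), and a placeholder signing key id.

```shell
#!/bin/sh
# Added example (not the bug's attachment): kernel-install plugin that keeps
# detached GPG signatures beside each kernel for GRUB's "verify" module.
# kernel-install invokes plugins as: <plugin> add|remove <version> <entry-dir> [...]
set -eu

BOOT_DIR="${BOOT_DIR:-/boot}"              # assumption: Fedora keeps kernels here
SIGN_KEY="${SIGN_KEY:-REPLACE_WITH_KEYID}"  # placeholder: key id embedded/trusted in grubx64.efi
GPG="${GPG:-gpg}"                           # overridable so the logic can be exercised without gpg

# Print the files GRUB will load for a kernel version, one per line.
sig_targets() {
    echo "$BOOT_DIR/vmlinuz-$1"
    echo "$BOOT_DIR/initramfs-$1.img"
}

# Sign every target that exists. A missing initramfs is normal when the hook
# runs before dracut has produced it, so it is skipped rather than failed on.
sign_kernel() {
    sig_targets "$1" | while IFS= read -r f; do
        [ -f "$f" ] || continue
        "$GPG" --batch --yes --detach-sign --local-user "$SIGN_KEY" \
               --output "$f.sig" "$f"
    done
}

# Drop the signatures of a version being removed.
unsign_kernel() {
    sig_targets "$1" | while IFS= read -r f; do
        rm -f "$f.sig"
    done
}

# Dispatch on kernel-install's first argument; other commands are ignored.
grub_verify_hook() {
    case "$1" in
        add)    sign_kernel "$2" ;;
        remove) unsign_kernel "$2" ;;
        *)      : ;;
    esac
}

# Only act when executed by kernel-install under the plugin's file name, so the
# functions above can be sourced for testing without side effects.
case "${0##*/}" in
    99-grub_verify.install) grub_verify_hook "$@" ;;
esac
```

The same key must be trusted by the GRUB image (via the trust command or a key built into grubx64.efi) for the signatures to be honoured.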

Comment 5 Javier Martinez Canillas 2019-07-15 10:57:40 UTC
Fixed in grub2-2.02-91.fc31.

Comment 6 Ben Cotton 2019-08-13 16:55:06 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle.
Changing version to '31'.

Comment 7 Ben Cotton 2019-08-13 19:02:28 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle.
Changing version to 31.

Comment 8 Ben Cotton 2019-08-29 19:27:40 UTC
We have reached the '100% Code Complete' milestone in the Fedora 31 release cycle. If your Change is complete, please set the status to ON_QA. The Beta Freeze is underway. If you need a freeze exception, see https://fedoraproject.org/wiki/QA:SOP_freeze_exception_bug_process

If this Change will not be ready for Fedora 31, please set the version to rawhide.

Comment 9 Benjamin 2019-08-29 22:01:58 UTC
I re-conferred with Javier a bit ago about reconsidering the above scripts for inclusion, but he told me that it was too close to the branch point.

With them out of the picture, this change is complete.

Comment 10 Ben Cotton 2019-10-29 17:13:57 UTC
Closing Change tracking bugs for the Fedora 31 release.