diff --git a/README.debrand b/README.debrand
deleted file mode 100644
index 01c46d23331458e1bab1b7a742558bec236e3612..0000000000000000000000000000000000000000
--- a/README.debrand
+++ /dev/null
@@ -1,2 +0,0 @@
-Warning: This package was configured for automatic debranding, but the changes
-failed to apply.
diff --git a/SOURCES/0481-ieee1275-drop-HEAP_MAX_ADDR-HEAP_MIN_SIZE.patch b/SOURCES/0481-ieee1275-drop-HEAP_MAX_ADDR-HEAP_MIN_SIZE.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d24a587047cd57038ff79952aa13548ef1e5d71b
--- /dev/null
+++ b/SOURCES/0481-ieee1275-drop-HEAP_MAX_ADDR-HEAP_MIN_SIZE.patch
@@ -0,0 +1,75 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Wed, 14 Apr 2021 20:10:23 +1000
+Subject: [PATCH] ieee1275: drop HEAP_MAX_ADDR, HEAP_MIN_SIZE
+
+HEAP_MAX_ADDR is confusing. Currently it is set to 32MB, except
+on ieee1275 on x86, where it is 64MB.
+
+There is a comment which purports to explain it:
+
+/* If possible, we will avoid claiming heap above this address, because it
+ seems to cause relocation problems with OSes that link at 4 MiB */
+
+This doesn't make a lot of sense when the constants are well above 4MB
+already. It was not always this way. Prior to
+commit 7b5d0fe4440c ("Increase heap limit") in 2010, HEAP_MAX_SIZE and
+HEAP_MAX_ADDR were indeed 4MB. However, when the constants were increased
+the comment was left unchanged.
+
+It's been over a decade. It doesn't seem like we have problems with
+claims over 4MB on powerpc or x86 ieee1275. (sparc does things completely
+differently and never used the constant.)
+
+Drop the constant and the check.
+
+The only use of HEAP_MIN_SIZE was to potentially override the
+HEAP_MAX_ADDR check. It is now unused. Remove it.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+---
+ grub-core/kern/ieee1275/init.c | 17 -----------------
+ 1 file changed, 17 deletions(-)
+
+diff --git a/grub-core/kern/ieee1275/init.c b/grub-core/kern/ieee1275/init.c
+index 22dc3013d86..ee97d761d1e 100644
+--- a/grub-core/kern/ieee1275/init.c
++++ b/grub-core/kern/ieee1275/init.c
+@@ -42,9 +42,6 @@
+ #include <grub/machine/kernel.h>
+ #endif
+
+-/* The minimal heap size we can live with. */
+-#define HEAP_MIN_SIZE (unsigned long) (2 * 1024 * 1024)
+-
+ /* The maximum heap size we're going to claim */
+ #ifdef __i386__
+ #define HEAP_MAX_SIZE (unsigned long) (64 * 1024 * 1024)
+@@ -52,14 +49,6 @@
+ #define HEAP_MAX_SIZE (unsigned long) (32 * 1024 * 1024)
+ #endif
+
+-/* If possible, we will avoid claiming heap above this address, because it
+- seems to cause relocation problems with OSes that link at 4 MiB */
+-#ifdef __i386__
+-#define HEAP_MAX_ADDR (unsigned long) (64 * 1024 * 1024)
+-#else
+-#define HEAP_MAX_ADDR (unsigned long) (32 * 1024 * 1024)
+-#endif
+-
+ extern char _end[];
+
+ #ifdef __sparc__
+@@ -181,12 +170,6 @@ heap_init (grub_uint64_t addr, grub_uint64_t len, grub_memory_type_t type,
+ if (*total + len > HEAP_MAX_SIZE)
+ len = HEAP_MAX_SIZE - *total;
+
+- /* Avoid claiming anything above HEAP_MAX_ADDR, if possible. */
+- if ((addr < HEAP_MAX_ADDR) && /* if it's too late, don't bother */
+- (addr + len > HEAP_MAX_ADDR) && /* if it wasn't available anyway, don't bother */
+- (*total + (HEAP_MAX_ADDR - addr) > HEAP_MIN_SIZE)) /* only limit ourselves when we can afford to */
+- len = HEAP_MAX_ADDR - addr;
+-
+ /* In theory, firmware should already prevent this from happening by not
+ listing our own image in /memory/available. The check below is intended
+ as a safeguard in case that doesn't happen. However, it doesn't protect
diff --git a/SOURCES/0482-ieee1275-claim-more-memory.patch b/SOURCES/0482-ieee1275-claim-more-memory.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3499290e8e2e938bab6d310d473b1bf9a7759450
--- /dev/null
+++ b/SOURCES/0482-ieee1275-claim-more-memory.patch
@@ -0,0 +1,252 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Wed, 15 Apr 2020 23:28:29 +1000
+Subject: [PATCH] ieee1275: claim more memory
+
+On powerpc-ieee1275, we are running out of memory trying to verify
+anything. This is because:
+
+ - we have to load an entire file into memory to verify it. This is
+ extremely difficult to change with appended signatures.
+ - We only have 32MB of heap.
+ - Distro kernels are now often around 30MB.
+
+So we want to claim more memory from OpenFirmware for our heap.
+
+There are some complications:
+
+ - The grub mm code isn't the only thing that will make claims on
+ memory from OpenFirmware:
+
+ * PFW/SLOF will have claimed some for their own use.
+
+ * The ieee1275 loader will try to find other bits of memory that we
+ haven't claimed to place the kernel and initrd when we go to boot.
+
+ * Once we load Linux, it will also try to claim memory. It claims
+ memory without any reference to /memory/available, it just starts
+ at min(top of RMO, 768MB) and works down. So we need to avoid this
+ area. See arch/powerpc/kernel/prom_init.c as of v5.11.
+
+ - The smallest amount of memory a ppc64 KVM guest can have is 256MB.
+ It doesn't work with distro kernels but can work with custom kernels.
+ We should maintain support for that. (ppc32 can boot with even less,
+ and we shouldn't break that either.)
+
+ - Even if a VM has more memory, the memory OpenFirmware makes available
+ as Real Memory Area can be restricted. A freshly created LPAR on a
+ PowerVM machine is likely to have only 256MB available to OpenFirmware
+ even if it has many gigabytes of memory allocated.
+
+EFI systems will attempt to allocate 1/4th of the available memory,
+clamped to between 1M and 1600M. That seems like a good sort of
+approach, we just need to figure out if 1/4 is the right fraction
+for us.
+
+We don't know in advance how big the kernel and initrd are going to be,
+which makes figuring out how much memory we can take a bit tricky.
+
+To figure out how much memory we should leave unused, I looked at:
+
+ - an Ubuntu 20.04.1 ppc64le pseries KVM guest:
+ vmlinux: ~30MB
+ initrd: ~50MB
+
+ - a RHEL8.2 ppc64le pseries KVM guest:
+ vmlinux: ~30MB
+ initrd: ~30MB
+
+Ubuntu VMs struggle to boot with just 256MB under SLOF.
+RHEL likewise has a higher minimum supported memory figure.
+So lets first consider a distro kernel and 512MB of addressible memory.
+(This is the default case for anything booting under PFW.) Say we lose
+131MB to PFW (based on some tests). This leaves us 381MB. 1/4 of 381MB
+is ~95MB. That should be enough to verify a 30MB vmlinux and should
+leave plenty of space to load Linux and the initrd.
+
+If we consider 256MB of RMA under PFW, we have just 125MB remaining. 1/4
+of that is a smidge under 32MB, which gives us very poor odds of verifying
+a distro-sized kernel. However, if we need 80MB just to put the kernel
+and initrd in memory, we can't claim any more than 45MB anyway. So 1/4
+will do. We'll come back to this later.
+
+grub is always built as a 32-bit binary, even if it's loading a ppc64
+kernel. So we can't address memory beyond 4GB. This gives a natural cap
+of 1GB for powerpc-ieee1275.
+
+Also apply this 1/4 approach to i386-ieee1275, but keep the 32MB cap.
+
+make check still works for both i386 and powerpc and I've booted
+powerpc grub with this change under SLOF and PFW.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+---
+ grub-core/kern/ieee1275/init.c | 81 +++++++++++++++++++++++++++++++++---------
+ docs/grub-dev.texi | 6 ++--
+ 2 files changed, 69 insertions(+), 18 deletions(-)
+
+diff --git a/grub-core/kern/ieee1275/init.c b/grub-core/kern/ieee1275/init.c
+index ee97d761d1e..a6e169bd003 100644
+--- a/grub-core/kern/ieee1275/init.c
++++ b/grub-core/kern/ieee1275/init.c
+@@ -42,11 +42,12 @@
+ #include <grub/machine/kernel.h>
+ #endif
+
+-/* The maximum heap size we're going to claim */
++/* The maximum heap size we're going to claim. Not used by sparc.
++ We allocate 1/4 of the available memory under 4G, up to this limit. */
+ #ifdef __i386__
+ #define HEAP_MAX_SIZE (unsigned long) (64 * 1024 * 1024)
+-#else
+-#define HEAP_MAX_SIZE (unsigned long) (32 * 1024 * 1024)
++#else // __powerpc__
++#define HEAP_MAX_SIZE (unsigned long) (1 * 1024 * 1024 * 1024)
+ #endif
+
+ extern char _end[];
+@@ -143,16 +144,45 @@ grub_claim_heap (void)
+ + GRUB_KERNEL_MACHINE_STACK_SIZE), 0x200000);
+ }
+ #else
+-/* Helper for grub_claim_heap. */
++/* Helper for grub_claim_heap on powerpc. */
++static int
++heap_size (grub_uint64_t addr, grub_uint64_t len, grub_memory_type_t type,
++ void *data)
++{
++ grub_uint32_t total = *(grub_uint32_t *)data;
++
++ if (type != GRUB_MEMORY_AVAILABLE)
++ return 0;
++
++ /* Do not consider memory beyond 4GB */
++ if (addr > 0xffffffffUL)
++ return 0;
++
++ if (addr + len > 0xffffffffUL)
++ len = 0xffffffffUL - addr;
++
++ total += len;
++ *(grub_uint32_t *)data = total;
++
++ return 0;
++}
++
+ static int
+ heap_init (grub_uint64_t addr, grub_uint64_t len, grub_memory_type_t type,
+ void *data)
+ {
+- unsigned long *total = data;
++ grub_uint32_t total = *(grub_uint32_t *)data;
+
+ if (type != GRUB_MEMORY_AVAILABLE)
+ return 0;
+
++ /* Do not consider memory beyond 4GB */
++ if (addr > 0xffffffffUL)
++ return 0;
++
++ if (addr + len > 0xffffffffUL)
++ len = 0xffffffffUL - addr;
++
+ if (grub_ieee1275_test_flag (GRUB_IEEE1275_FLAG_NO_PRE1_5M_CLAIM))
+ {
+ if (addr + len <= 0x180000)
+@@ -166,10 +196,6 @@ heap_init (grub_uint64_t addr, grub_uint64_t len, grub_memory_type_t type,
+ }
+ len -= 1; /* Required for some firmware. */
+
+- /* Never exceed HEAP_MAX_SIZE */
+- if (*total + len > HEAP_MAX_SIZE)
+- len = HEAP_MAX_SIZE - *total;
+-
+ /* In theory, firmware should already prevent this from happening by not
+ listing our own image in /memory/available. The check below is intended
+ as a safeguard in case that doesn't happen. However, it doesn't protect
+@@ -181,6 +207,18 @@ heap_init (grub_uint64_t addr, grub_uint64_t len, grub_memory_type_t type,
+ len = 0;
+ }
+
++ /* If this block contains 0x30000000 (768MB), do not claim below that.
++ Linux likes to claim memory at min(RMO top, 768MB) and works down
++ without reference to /memory/available. */
++ if ((addr < 0x30000000) && ((addr + len) > 0x30000000))
++ {
++ len = len - (0x30000000 - addr);
++ addr = 0x30000000;
++ }
++
++ if (len > total)
++ len = total;
++
+ if (len)
+ {
+ grub_err_t err;
+@@ -189,10 +227,12 @@ heap_init (grub_uint64_t addr, grub_uint64_t len, grub_memory_type_t type,
+ if (err)
+ return err;
+ grub_mm_init_region ((void *) (grub_addr_t) addr, len);
++ total -= len;
+ }
+
+- *total += len;
+- if (*total >= HEAP_MAX_SIZE)
++ *(grub_uint32_t *)data = total;
++
++ if (total == 0)
+ return 1;
+
+ return 0;
+@@ -201,13 +241,22 @@ heap_init (grub_uint64_t addr, grub_uint64_t len, grub_memory_type_t type,
+ static void
+ grub_claim_heap (void)
+ {
+- unsigned long total = 0;
++ grub_uint32_t total = 0;
+
+ if (grub_ieee1275_test_flag (GRUB_IEEE1275_FLAG_FORCE_CLAIM))
+- heap_init (GRUB_IEEE1275_STATIC_HEAP_START, GRUB_IEEE1275_STATIC_HEAP_LEN,
+- 1, &total);
+- else
+- grub_machine_mmap_iterate (heap_init, &total);
++ {
++ heap_init (GRUB_IEEE1275_STATIC_HEAP_START, GRUB_IEEE1275_STATIC_HEAP_LEN,
++ 1, &total);
++ return;
++ }
++
++ grub_machine_mmap_iterate (heap_size, &total);
++
++ total = total / 4;
++ if (total > HEAP_MAX_SIZE)
++ total = HEAP_MAX_SIZE;
++
++ grub_machine_mmap_iterate (heap_init, &total);
+ }
+ #endif
+
+diff --git a/docs/grub-dev.texi b/docs/grub-dev.texi
+index 421dd410e50..03d53498c51 100644
+--- a/docs/grub-dev.texi
++++ b/docs/grub-dev.texi
+@@ -930,7 +930,9 @@ space is limited to 4GiB. GRUB allocates pages from EFI for its heap, at most
+ 1.6 GiB.
+
+ On i386-ieee1275 and powerpc-ieee1275 GRUB uses same stack as IEEE1275.
+-It allocates at most 32MiB for its heap.
++
++On i386-ieee1275, GRUB allocates at most 32MiB for its heap. On
++powerpc-ieee1275, GRUB allocates up to 1GiB.
+
+ On sparc64-ieee1275 stack is 256KiB and heap is 2MiB.
+
+@@ -958,7 +960,7 @@ In short:
+ @item i386-qemu @tab 60 KiB @tab < 4 GiB
+ @item *-efi @tab ? @tab < 1.6 GiB
+ @item i386-ieee1275 @tab ? @tab < 32 MiB
+-@item powerpc-ieee1275 @tab ? @tab < 32 MiB
++@item powerpc-ieee1275 @tab ? @tab < 1 GiB
+ @item sparc64-ieee1275 @tab 256KiB @tab 2 MiB
+ @item arm-uboot @tab 256KiB @tab 2 MiB
+ @item mips(el)-qemu_mips @tab 2MiB @tab 253 MiB
diff --git a/SOURCES/0483-ieee1275-request-memory-with-ibm-client-architecture.patch b/SOURCES/0483-ieee1275-request-memory-with-ibm-client-architecture.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9f4e2b733a506460c6c54f1ccdaf037f915184aa
--- /dev/null
+++ b/SOURCES/0483-ieee1275-request-memory-with-ibm-client-architecture.patch
@@ -0,0 +1,268 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Fri, 16 Apr 2021 11:48:46 +1000
+Subject: [PATCH] ieee1275: request memory with ibm,client-architecture-support
+
+On PowerVM, the first time we boot a Linux partition, we may only get
+256MB of real memory area, even if the partition has more memory.
+
+This isn't really enough. Fortunately, the Power Architecture Platform
+Reference (PAPR) defines a method we can call to ask for more memory.
+This is part of the broad and powerful ibm,client-architecture-support
+(CAS) method.
+
+CAS can do an enormous amount of things on a PAPR platform: as well as
+asking for memory, you can set the supported processor level, the interrupt
+controller, hash vs radix mmu, and so on. We want to touch as little of
+this as possible because we don't want to step on the toes of the future OS.
+
+If:
+
+ - we are running under what we think is PowerVM (compatible property of /
+ begins with "IBM"), and
+
+ - the full amount of RMA is less than 512MB (as determined by the reg
+ property of /memory)
+
+then call CAS as follows: (refer to the Linux on Power Architecture
+Reference, LoPAR, which is public, at B.5.2.3):
+
+ - Use the "any" PVR value and supply 2 option vectors.
+
+ - Set option vector 1 (PowerPC Server Processor Architecture Level)
+ to "ignore".
+
+ - Set option vector 2 with default or Linux-like options, including a
+ min-rma-size of 512MB.
+
+This will cause a CAS reboot and the partition will restart with 512MB
+of RMA. Grub will notice the 512MB and not call CAS again.
+
+(A partition can be configured with only 256MB of memory, which would
+mean this request couldn't be satisfied, but PFW refuses to load with
+only 256MB of memory, so it's a bit moot. SLOF will run fine with 256MB,
+but we will never call CAS under qemu/SLOF because /compatible won't
+begin with "IBM".)
+
+One of the first things Linux does while still running under OpenFirmware
+is to call CAS with a much fuller set of options (including asking for
+512MB of memory). This includes a much more restrictive set of PVR values
+and processor support levels, and this will induce another reboot. On this
+reboot grub will again notice the higher RMA, and not call CAS. We will get
+to Linux, Linux will call CAS but because the values are now set for Linux
+this will not induce another CAS reboot and we will finally boot.
+
+On all subsequent boots, everything will be configured with 512MB of RMA
+and all the settings Linux likes, so there will be no further CAS reboots.
+
+(phyp is super sticky with the RMA size - it persists even on cold boots.
+So if you've ever booted Linux in a partition, you'll probably never have
+grub call CAS. It'll only ever fire the first time a partition loads grub,
+or if you deliberately lower the amount of memory your partition has below
+512MB.)
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+---
+ grub-core/kern/ieee1275/cmain.c | 3 +
+ grub-core/kern/ieee1275/init.c | 144 ++++++++++++++++++++++++++++++++++++++-
+ include/grub/ieee1275/ieee1275.h | 8 ++-
+ 3 files changed, 152 insertions(+), 3 deletions(-)
+
+diff --git a/grub-core/kern/ieee1275/cmain.c b/grub-core/kern/ieee1275/cmain.c
+index 3e14f539368..9d5156462c1 100644
+--- a/grub-core/kern/ieee1275/cmain.c
++++ b/grub-core/kern/ieee1275/cmain.c
+@@ -124,6 +124,9 @@ grub_ieee1275_find_options (void)
+ break;
+ }
+ }
++
++ if (grub_strncmp (tmp, "IBM,", 4) == 0)
++ grub_ieee1275_set_flag (GRUB_IEEE1275_FLAG_CAN_TRY_CAS_FOR_MORE_MEMORY);
+ }
+
+ if (is_smartfirmware)
+diff --git a/grub-core/kern/ieee1275/init.c b/grub-core/kern/ieee1275/init.c
+index a6e169bd003..adf4bd5a88b 100644
+--- a/grub-core/kern/ieee1275/init.c
++++ b/grub-core/kern/ieee1275/init.c
+@@ -238,6 +238,135 @@ heap_init (grub_uint64_t addr, grub_uint64_t len, grub_memory_type_t type,
+ return 0;
+ }
+
++/* How much memory does OF believe it has? (regardless of whether
++ it's accessible or not) */
++static grub_err_t
++grub_ieee1275_total_mem (grub_uint64_t *total)
++{
++ grub_ieee1275_phandle_t root;
++ grub_ieee1275_phandle_t memory;
++ grub_uint32_t reg[4];
++ grub_ssize_t reg_size;
++ grub_uint32_t address_cells = 1;
++ grub_uint32_t size_cells = 1;
++ grub_uint64_t size;
++
++ /* If we fail to get to the end, report 0. */
++ *total = 0;
++
++ /* Determine the format of each entry in `reg'. */
++ grub_ieee1275_finddevice ("/", &root);
++ grub_ieee1275_get_integer_property (root, "#address-cells", &address_cells,
++ sizeof address_cells, 0);
++ grub_ieee1275_get_integer_property (root, "#size-cells", &size_cells,
++ sizeof size_cells, 0);
++
++ if (size_cells > address_cells)
++ address_cells = size_cells;
++
++ /* Load `/memory/reg'. */
++ if (grub_ieee1275_finddevice ("/memory", &memory))
++ return grub_error (GRUB_ERR_UNKNOWN_DEVICE,
++ "couldn't find /memory node");
++ if (grub_ieee1275_get_integer_property (memory, "reg", reg,
++ sizeof reg, ®_size))
++ return grub_error (GRUB_ERR_UNKNOWN_DEVICE,
++ "couldn't examine /memory/reg property");
++ if (reg_size < 0 || (grub_size_t) reg_size > sizeof (reg))
++ return grub_error (GRUB_ERR_UNKNOWN_DEVICE,
++ "/memory response buffer exceeded");
++
++ if (grub_ieee1275_test_flag (GRUB_IEEE1275_FLAG_BROKEN_ADDRESS_CELLS))
++ {
++ address_cells = 1;
++ size_cells = 1;
++ }
++
++ /* Decode only the size */
++ size = reg[address_cells];
++ if (size_cells == 2)
++ size = (size << 32) | reg[address_cells + 1];
++
++ *total = size;
++
++ return grub_errno;
++}
++
++/* Based on linux - arch/powerpc/kernel/prom_init.c */
++struct option_vector2 {
++ grub_uint8_t byte1;
++ grub_uint16_t reserved;
++ grub_uint32_t real_base;
++ grub_uint32_t real_size;
++ grub_uint32_t virt_base;
++ grub_uint32_t virt_size;
++ grub_uint32_t load_base;
++ grub_uint32_t min_rma;
++ grub_uint32_t min_load;
++ grub_uint8_t min_rma_percent;
++ grub_uint8_t max_pft_size;
++} __attribute__((packed));
++
++struct pvr_entry {
++ grub_uint32_t mask;
++ grub_uint32_t entry;
++};
++
++struct cas_vector {
++ struct {
++ struct pvr_entry terminal;
++ } pvr_list;
++ grub_uint8_t num_vecs;
++ grub_uint8_t vec1_size;
++ grub_uint8_t vec1;
++ grub_uint8_t vec2_size;
++ struct option_vector2 vec2;
++} __attribute__((packed));
++
++/* Call ibm,client-architecture-support to try to get more RMA.
++ We ask for 512MB which should be enough to verify a distro kernel.
++ We ignore most errors: if we don't succeed we'll proceed with whatever
++ memory we have. */
++static void
++grub_ieee1275_ibm_cas (void)
++{
++ int rc;
++ grub_ieee1275_ihandle_t root;
++ struct cas_args {
++ struct grub_ieee1275_common_hdr common;
++ grub_ieee1275_cell_t method;
++ grub_ieee1275_ihandle_t ihandle;
++ grub_ieee1275_cell_t cas_addr;
++ grub_ieee1275_cell_t result;
++ } args;
++ struct cas_vector vector = {
++ .pvr_list = { { 0x00000000, 0xffffffff } }, /* any processor */
++ .num_vecs = 2 - 1,
++ .vec1_size = 0,
++ .vec1 = 0x80, /* ignore */
++ .vec2_size = 1 + sizeof(struct option_vector2) - 2,
++ .vec2 = {
++ 0, 0, -1, -1, -1, -1, -1, 512, -1, 0, 48
++ },
++ };
++
++ INIT_IEEE1275_COMMON (&args.common, "call-method", 3, 2);
++ args.method = (grub_ieee1275_cell_t)"ibm,client-architecture-support";
++ rc = grub_ieee1275_open("/", &root);
++ if (rc) {
++ grub_error (GRUB_ERR_IO, "could not open root when trying to call CAS");
++ return;
++ }
++ args.ihandle = root;
++ args.cas_addr = (grub_ieee1275_cell_t)&vector;
++
++ grub_printf("Calling ibm,client-architecture-support...");
++ IEEE1275_CALL_ENTRY_FN (&args);
++ grub_printf("done\n");
++
++ grub_ieee1275_close(root);
++}
++
+ static void
+ grub_claim_heap (void)
+ {
+@@ -245,11 +374,22 @@ grub_claim_heap (void)
+
+ if (grub_ieee1275_test_flag (GRUB_IEEE1275_FLAG_FORCE_CLAIM))
+ {
+- heap_init (GRUB_IEEE1275_STATIC_HEAP_START, GRUB_IEEE1275_STATIC_HEAP_LEN,
+- 1, &total);
++ heap_init (GRUB_IEEE1275_STATIC_HEAP_START,
++ GRUB_IEEE1275_STATIC_HEAP_LEN, 1, &total);
+ return;
+ }
+
++ if (grub_ieee1275_test_flag (GRUB_IEEE1275_FLAG_CAN_TRY_CAS_FOR_MORE_MEMORY))
++ {
++ grub_uint64_t rma_size;
++ grub_err_t err;
++
++ err = grub_ieee1275_total_mem (&rma_size);
++ /* if we have an error, don't call CAS, just hope for the best */
++ if (!err && rma_size < (512 * 1024 * 1024))
++ grub_ieee1275_ibm_cas();
++ }
++
+ grub_machine_mmap_iterate (heap_size, &total);
+
+ total = total / 4;
+diff --git a/include/grub/ieee1275/ieee1275.h b/include/grub/ieee1275/ieee1275.h
+index ca08bd96681..131808d6197 100644
+--- a/include/grub/ieee1275/ieee1275.h
++++ b/include/grub/ieee1275/ieee1275.h
+@@ -147,7 +147,13 @@ enum grub_ieee1275_flag
+
+ GRUB_IEEE1275_FLAG_CURSORONOFF_ANSI_BROKEN,
+
+- GRUB_IEEE1275_FLAG_DISABLE_VIDEO_SUPPORT
++ GRUB_IEEE1275_FLAG_DISABLE_VIDEO_SUPPORT,
++
++ /* On PFW, the first time we boot a Linux partition, we may only get 256MB
++ of real memory area, even if the partition has more memory. Set this flag
++ if we think we're running under PFW. Then, if this flag is set, and the
++ RMA is only 256MB in size, try asking for more with CAS. */
++ GRUB_IEEE1275_FLAG_CAN_TRY_CAS_FOR_MORE_MEMORY,
+ };
+
+ extern int EXPORT_FUNC(grub_ieee1275_test_flag) (enum grub_ieee1275_flag flag);
diff --git a/SOURCES/0484-appendedsig-x509-Also-handle-the-Extended-Key-Usage-.patch b/SOURCES/0484-appendedsig-x509-Also-handle-the-Extended-Key-Usage-.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f65f498fa9b384201890ea3fbbf427f70ed75b8a
--- /dev/null
+++ b/SOURCES/0484-appendedsig-x509-Also-handle-the-Extended-Key-Usage-.patch
@@ -0,0 +1,315 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Sat, 8 May 2021 02:27:58 +0200
+Subject: [PATCH] appendedsig/x509: Also handle the Extended Key Usage
+ extension
+
+Red Hat certificates have both Key Usage and Extended Key Usage extensions
+present, but the appended signatures x509 parser doesn't handle the latter
+and so buils due finding an unrecognised critical extension:
+
+Error loading initial key:
+../../grub-core/commands/appendedsig/x509.c:780:Unhandled critical x509 extension with OID 2.5.29.37
+
+Fix this by also parsing the Extended Key Usage extension and handle it by
+verifying that the certificate has a single purpose, that is code signing.
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+---
+ grub-core/commands/appendedsig/x509.c | 94 ++++++++++++++++++++++++++++++-
+ grub-core/tests/appended_signature_test.c | 29 +++++++++-
+ grub-core/tests/appended_signatures.h | 81 ++++++++++++++++++++++++++
+ 3 files changed, 201 insertions(+), 3 deletions(-)
+
+diff --git a/grub-core/commands/appendedsig/x509.c b/grub-core/commands/appendedsig/x509.c
+index 652e4f16870..34a2070a7c9 100644
+--- a/grub-core/commands/appendedsig/x509.c
++++ b/grub-core/commands/appendedsig/x509.c
+@@ -47,6 +47,12 @@ const char *keyUsage_oid = "2.5.29.15";
+ */
+ const char *basicConstraints_oid = "2.5.29.19";
+
++/*
++ * RFC 5280 4.2.1.12 Extended Key Usage
++ */
++const char *extendedKeyUsage_oid = "2.5.29.37";
++const char *codeSigningUsage_oid = "1.3.6.1.5.5.7.3.3";
++
+ /*
+ * RFC 3279 2.3.1
+ *
+@@ -651,6 +657,77 @@ cleanup:
+ return err;
+ }
+
++/*
++ * ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
++ *
++ * KeyPurposeId ::= OBJECT IDENTIFIER
++ */
++static grub_err_t
++verify_extended_key_usage (grub_uint8_t * value, int value_size)
++{
++ asn1_node extendedasn;
++ int result, count;
++ grub_err_t err = GRUB_ERR_NONE;
++ char usage[MAX_OID_LEN];
++ int usage_size = sizeof (usage);
++
++ result =
++ asn1_create_element (_gnutls_pkix_asn, "PKIX1.ExtKeyUsageSyntax",
++ &extendedasn);
++ if (result != ASN1_SUCCESS)
++ {
++ return grub_error (GRUB_ERR_OUT_OF_MEMORY,
++ "Could not create ASN.1 structure for Extended Key Usage");
++ }
++
++ result = asn1_der_decoding2 (&extendedasn, value, &value_size,
++ ASN1_DECODE_FLAG_STRICT_DER, asn1_error);
++ if (result != ASN1_SUCCESS)
++ {
++ err =
++ grub_error (GRUB_ERR_BAD_FILE_TYPE,
++ "Error parsing DER for Extended Key Usage: %s",
++ asn1_error);
++ goto cleanup;
++ }
++
++ /*
++ * If EKUs are present, there must be exactly 1 and it must be a
++ * codeSigning usage.
++ */
++ result = asn1_number_of_elements(extendedasn, "", &count);
++ if (result != ASN1_SUCCESS)
++ {
++ err =
++ grub_error (GRUB_ERR_BAD_FILE_TYPE,
++ "Error counting number of Extended Key Usages: %s",
++ asn1_strerror (result));
++ goto cleanup;
++ }
++
++ result = asn1_read_value (extendedasn, "?1", usage, &usage_size);
++ if (result != ASN1_SUCCESS)
++ {
++ err =
++ grub_error (GRUB_ERR_BAD_FILE_TYPE,
++ "Error reading Extended Key Usage: %s",
++ asn1_strerror (result));
++ goto cleanup;
++ }
++
++ if (grub_strncmp (codeSigningUsage_oid, usage, usage_size) != 0)
++ {
++ err =
++ grub_error (GRUB_ERR_BAD_FILE_TYPE,
++ "Unexpected Extended Key Usage OID, got: %s",
++ usage);
++ goto cleanup;
++ }
++
++cleanup:
++ asn1_delete_structure (&extendedasn);
++ return err;
++}
+
+ /*
+ * Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
+@@ -674,7 +751,7 @@ verify_extensions (asn1_node cert)
+ {
+ int result;
+ int ext, num_extensions = 0;
+- int usage_present = 0, constraints_present = 0;
++ int usage_present = 0, constraints_present = 0, extended_usage_present = 0;
+ char *oid_path, *critical_path, *value_path;
+ char extnID[MAX_OID_LEN];
+ int extnID_size;
+@@ -768,6 +845,15 @@ verify_extensions (asn1_node cert)
+ }
+ constraints_present++;
+ }
++ else if (grub_strncmp (extendedKeyUsage_oid, extnID, extnID_size) == 0)
++ {
++ err = verify_extended_key_usage (value, value_size);
++ if (err != GRUB_ERR_NONE)
++ {
++ goto cleanup_value;
++ }
++ extended_usage_present++;
++ }
+ else if (grub_strncmp ("TRUE", critical, critical_size) == 0)
+ {
+ /*
+@@ -799,6 +885,12 @@ verify_extensions (asn1_node cert)
+ "Unexpected number of basic constraints extensions - expected 1, got %d",
+ constraints_present);
+ }
++ if (extended_usage_present > 1)
++ {
++ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
++ "Unexpected number of Extended Key Usage extensions - expected 0 or 1, got %d",
++ extended_usage_present);
++ }
+ return GRUB_ERR_NONE;
+
+ cleanup_value:
+diff --git a/grub-core/tests/appended_signature_test.c b/grub-core/tests/appended_signature_test.c
+index 88a485200d8..dbba0616621 100644
+--- a/grub-core/tests/appended_signature_test.c
++++ b/grub-core/tests/appended_signature_test.c
+@@ -111,6 +111,22 @@ static struct grub_procfs_entry certificate_printable_der_entry = {
+ .get_contents = get_certificate_printable_der
+ };
+
++static char *
++get_certificate_eku_der (grub_size_t * sz)
++{
++ char *ret;
++ *sz = certificate_eku_der_len;
++ ret = grub_malloc (*sz);
++ if (ret)
++ grub_memcpy (ret, certificate_eku_der, *sz);
++ return ret;
++}
++
++static struct grub_procfs_entry certificate_eku_der_entry = {
++ .name = "certificate_eku.der",
++ .get_contents = get_certificate_eku_der
++};
++
+
+ static void
+ do_verify (const char *f, int is_valid)
+@@ -149,6 +165,7 @@ appended_signature_test (void)
+ char *trust_args2[] = { (char *) "(proc)/certificate2.der", NULL };
+ char *trust_args_printable[] = { (char *) "(proc)/certificate_printable.der",
+ NULL };
++ char *trust_args_eku[] = { (char *) "(proc)/certificate_eku.der", NULL };
+ char *distrust_args[] = { (char *) "1", NULL };
+ char *distrust2_args[] = { (char *) "2", NULL };
+ grub_err_t err;
+@@ -157,6 +174,7 @@ appended_signature_test (void)
+ grub_procfs_register ("certificate2.der", &certificate2_der_entry);
+ grub_procfs_register ("certificate_printable.der",
+ &certificate_printable_der_entry);
++ grub_procfs_register ("certificate_eku.der", &certificate_eku_der_entry);
+
+ cmd_trust = grub_command_find ("trust_certificate");
+ if (!cmd_trust)
+@@ -266,16 +284,23 @@ appended_signature_test (void)
+
+ /*
+ * Lastly, check a certificate that uses printableString rather than
+- * utf8String loads properly.
++ * utf8String loads properly, and that a certificate with an appropriate
++ * extended key usage loads.
+ */
+ err = (cmd_trust->func) (cmd_trust, 1, trust_args_printable);
+ grub_test_assert (err == GRUB_ERR_NONE,
+- "distrusting printable certificate failed: %d: %s",
++ "trusting printable certificate failed: %d: %s",
++ grub_errno, grub_errmsg);
++
++ err = (cmd_trust->func) (cmd_trust, 1, trust_args_eku);
++ grub_test_assert (err == GRUB_ERR_NONE,
++ "trusting certificate with extended key usage failed: %d: %s",
+ grub_errno, grub_errmsg);
+
+ grub_procfs_unregister (&certificate_der_entry);
+ grub_procfs_unregister (&certificate2_der_entry);
+ grub_procfs_unregister (&certificate_printable_der_entry);
++ grub_procfs_unregister (&certificate_eku_der_entry);
+ }
+
+ GRUB_FUNCTIONAL_TEST (appended_signature_test, appended_signature_test);
+diff --git a/grub-core/tests/appended_signatures.h b/grub-core/tests/appended_signatures.h
+index aa3dc6278e3..2e5ebd7d8bd 100644
+--- a/grub-core/tests/appended_signatures.h
++++ b/grub-core/tests/appended_signatures.h
+@@ -555,3 +555,84 @@ unsigned char certificate_printable_der[] = {
+ 0xd2
+ };
+ unsigned int certificate_printable_der_len = 829;
++
++unsigned char certificate_eku_der[] = {
++ 0x30, 0x82, 0x03, 0x90, 0x30, 0x82, 0x02, 0x78, 0xa0, 0x03, 0x02, 0x01,
++ 0x02, 0x02, 0x09, 0x00, 0xd3, 0x9c, 0x41, 0x33, 0xdd, 0x6b, 0x5f, 0x45,
++ 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
++ 0x0b, 0x05, 0x00, 0x30, 0x47, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55,
++ 0x04, 0x03, 0x0c, 0x18, 0x52, 0x65, 0x64, 0x20, 0x48, 0x61, 0x74, 0x20,
++ 0x53, 0x65, 0x63, 0x75, 0x72, 0x65, 0x20, 0x42, 0x6f, 0x6f, 0x74, 0x20,
++ 0x43, 0x41, 0x20, 0x36, 0x31, 0x22, 0x30, 0x20, 0x06, 0x09, 0x2a, 0x86,
++ 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x13, 0x73, 0x65, 0x63,
++ 0x61, 0x6c, 0x65, 0x72, 0x74, 0x40, 0x72, 0x65, 0x64, 0x68, 0x61, 0x74,
++ 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x32, 0x31, 0x30, 0x32,
++ 0x31, 0x35, 0x31, 0x34, 0x30, 0x30, 0x34, 0x34, 0x5a, 0x17, 0x0d, 0x33,
++ 0x38, 0x30, 0x31, 0x31, 0x37, 0x31, 0x34, 0x30, 0x30, 0x34, 0x34, 0x5a,
++ 0x30, 0x4e, 0x31, 0x28, 0x30, 0x26, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c,
++ 0x1f, 0x52, 0x65, 0x64, 0x20, 0x48, 0x61, 0x74, 0x20, 0x53, 0x65, 0x63,
++ 0x75, 0x72, 0x65, 0x20, 0x42, 0x6f, 0x6f, 0x74, 0x20, 0x53, 0x69, 0x67,
++ 0x6e, 0x69, 0x6e, 0x67, 0x20, 0x36, 0x30, 0x32, 0x31, 0x22, 0x30, 0x20,
++ 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16,
++ 0x13, 0x73, 0x65, 0x63, 0x61, 0x6c, 0x65, 0x72, 0x74, 0x40, 0x72, 0x65,
++ 0x64, 0x68, 0x61, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22,
++ 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
++ 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a,
++ 0x02, 0x82, 0x01, 0x01, 0x00, 0xaa, 0x6f, 0xbb, 0x92, 0x77, 0xd7, 0x15,
++ 0xef, 0x88, 0x80, 0x88, 0xc0, 0xe7, 0x89, 0xeb, 0x35, 0x76, 0xf4, 0x85,
++ 0x05, 0x0f, 0x19, 0xe4, 0x5f, 0x25, 0xdd, 0xc1, 0xa2, 0xe5, 0x5c, 0x06,
++ 0xfb, 0xf1, 0x06, 0xb5, 0x65, 0x45, 0xcb, 0xbd, 0x19, 0x33, 0x54, 0xb5,
++ 0x1a, 0xcd, 0xe4, 0xa8, 0x35, 0x2a, 0xfe, 0x9c, 0x53, 0xf4, 0xc6, 0x76,
++ 0xdb, 0x1f, 0x8a, 0xd4, 0x7b, 0x18, 0x11, 0xaf, 0xa3, 0x90, 0xd4, 0xdd,
++ 0x4d, 0xd5, 0x42, 0xcc, 0x14, 0x9a, 0x64, 0x6b, 0xc0, 0x7f, 0xaa, 0x1c,
++ 0x94, 0x47, 0x4d, 0x79, 0xbd, 0x57, 0x9a, 0xbf, 0x99, 0x4e, 0x96, 0xa9,
++ 0x31, 0x2c, 0xa9, 0xe7, 0x14, 0x65, 0x86, 0xc8, 0xac, 0x79, 0x5e, 0x78,
++ 0xa4, 0x3c, 0x00, 0x24, 0xd3, 0xf7, 0xe1, 0xf5, 0x12, 0xad, 0xa0, 0x29,
++ 0xe5, 0xfe, 0x80, 0xae, 0xf8, 0xaa, 0x60, 0x36, 0xe7, 0xe8, 0x94, 0xcb,
++ 0xe9, 0xd1, 0xcc, 0x0b, 0x4d, 0xf7, 0xde, 0xeb, 0x52, 0xd2, 0x73, 0x09,
++ 0x28, 0xdf, 0x48, 0x99, 0x53, 0x9f, 0xc5, 0x9a, 0xd4, 0x36, 0xa3, 0xc6,
++ 0x5e, 0x8d, 0xbe, 0xd5, 0xdc, 0x76, 0xb4, 0x74, 0xb8, 0x26, 0x18, 0x27,
++ 0xfb, 0xf2, 0xfb, 0xd0, 0x9b, 0x3d, 0x7f, 0x10, 0xe2, 0xab, 0x44, 0xc7,
++ 0x88, 0x7f, 0xb4, 0x3d, 0x3e, 0xa3, 0xff, 0x6d, 0x06, 0x4b, 0x3e, 0x55,
++ 0xb2, 0x84, 0xf4, 0xad, 0x54, 0x88, 0x81, 0xc3, 0x9c, 0xf8, 0xb6, 0x68,
++ 0x96, 0x38, 0x8b, 0xcd, 0x90, 0x6d, 0x25, 0x4b, 0xbf, 0x0c, 0x44, 0x90,
++ 0xa5, 0x5b, 0x98, 0xd0, 0x40, 0x2f, 0xbb, 0x0d, 0xa8, 0x4b, 0x8a, 0x62,
++ 0x82, 0x46, 0x46, 0x18, 0x38, 0xae, 0x82, 0x07, 0xd0, 0xb4, 0x2f, 0x16,
++ 0x79, 0x55, 0x9f, 0x1b, 0xc5, 0x08, 0x6d, 0x85, 0xdf, 0x3f, 0xa9, 0x9b,
++ 0x4b, 0xc6, 0x28, 0xd3, 0x58, 0x72, 0x3d, 0x37, 0x11, 0x02, 0x03, 0x01,
++ 0x00, 0x01, 0xa3, 0x78, 0x30, 0x76, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d,
++ 0x13, 0x01, 0x01, 0xff, 0x04, 0x02, 0x30, 0x00, 0x30, 0x0e, 0x06, 0x03,
++ 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x07, 0x80,
++ 0x30, 0x16, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x01, 0x01, 0xff, 0x04, 0x0c,
++ 0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x03,
++ 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x6c,
++ 0xe4, 0x6c, 0x27, 0xaa, 0xcd, 0x0d, 0x4b, 0x74, 0x21, 0xa4, 0xf6, 0x5f,
++ 0x87, 0xb5, 0x31, 0xfe, 0x10, 0xbb, 0xa7, 0x30, 0x1f, 0x06, 0x03, 0x55,
++ 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0xe8, 0x6a, 0x1c, 0xab,
++ 0x2c, 0x48, 0xf9, 0x60, 0x36, 0xa2, 0xf0, 0x7b, 0x8e, 0xd2, 0x9d, 0xb4,
++ 0x2a, 0x28, 0x98, 0xc8, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
++ 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00,
++ 0x55, 0x34, 0xe2, 0xfa, 0xf6, 0x89, 0x86, 0xad, 0x92, 0x21, 0xec, 0xb9,
++ 0x54, 0x0e, 0x18, 0x47, 0x0d, 0x1b, 0xa7, 0x58, 0xad, 0x69, 0xe4, 0xef,
++ 0x3b, 0xe6, 0x8d, 0xdd, 0xda, 0x0c, 0x45, 0xf6, 0xe8, 0x96, 0xa4, 0x29,
++ 0x0f, 0xbb, 0xcf, 0x16, 0xae, 0x93, 0xd0, 0xcb, 0x2a, 0x26, 0x1a, 0x7b,
++ 0xfc, 0x51, 0x22, 0x76, 0x98, 0x31, 0xa7, 0x0f, 0x29, 0x35, 0x79, 0xbf,
++ 0xe2, 0x4f, 0x0f, 0x14, 0xf5, 0x1f, 0xcb, 0xbf, 0x87, 0x65, 0x13, 0x32,
++ 0xa3, 0x19, 0x4a, 0xd1, 0x3f, 0x45, 0xd4, 0x4b, 0xe2, 0x00, 0x26, 0xa9,
++ 0x3e, 0xd7, 0xa5, 0x37, 0x9f, 0xf5, 0xad, 0x61, 0xe2, 0x40, 0xa9, 0x74,
++ 0x24, 0x53, 0xf2, 0x78, 0xeb, 0x10, 0x9b, 0x2c, 0x27, 0x88, 0x46, 0xcb,
++ 0xe4, 0x60, 0xca, 0xf5, 0x06, 0x24, 0x40, 0x2a, 0x97, 0x3a, 0xcc, 0xd0,
++ 0x81, 0xb1, 0x15, 0xa3, 0x4f, 0xd0, 0x2b, 0x4f, 0xca, 0x6e, 0xaa, 0x24,
++ 0x31, 0xb3, 0xac, 0xa6, 0x75, 0x05, 0xfe, 0x8a, 0xf4, 0x41, 0xc4, 0x06,
++ 0x8a, 0xc7, 0x0a, 0x83, 0x4e, 0x49, 0xd4, 0x3f, 0x83, 0x50, 0xec, 0x57,
++ 0x04, 0x97, 0x14, 0x49, 0xf5, 0xe1, 0xb1, 0x7a, 0x9c, 0x09, 0x4f, 0x61,
++ 0x87, 0xc3, 0x97, 0x22, 0x17, 0xc2, 0xeb, 0xcc, 0x32, 0x81, 0x31, 0x21,
++ 0x3f, 0x10, 0x57, 0x5b, 0x43, 0xbe, 0xcd, 0x68, 0x82, 0xbe, 0xe5, 0xc1,
++ 0x65, 0x94, 0x7e, 0xc2, 0x34, 0x76, 0x2b, 0xcf, 0x89, 0x3c, 0x2b, 0x81,
++ 0x23, 0x72, 0x95, 0xcf, 0xc9, 0x67, 0x19, 0x2a, 0xd5, 0x5c, 0xca, 0xa3,
++ 0x46, 0xbd, 0x48, 0x06, 0x0b, 0xa6, 0xa3, 0x96, 0x50, 0x28, 0xc7, 0x7e,
++ 0xcf, 0x62, 0xf2, 0xfa, 0xc4, 0xf2, 0x53, 0xe3, 0xc9, 0xe8, 0x2e, 0xdd,
++ 0x29, 0x37, 0x07, 0x47, 0xff, 0xff, 0x8a, 0x32, 0xbd, 0xa2, 0xb7, 0x21,
++ 0x89, 0xa0, 0x55, 0xf7
++};
++unsigned int certificate_eku_der_len = 916;
diff --git a/SOURCES/0481-ieee1275-ofdisk-retry-on-open-failure.patch b/SOURCES/0485-ieee1275-ofdisk-retry-on-open-failure.patch
similarity index 100%
rename from SOURCES/0481-ieee1275-ofdisk-retry-on-open-failure.patch
rename to SOURCES/0485-ieee1275-ofdisk-retry-on-open-failure.patch
diff --git a/SOURCES/0486-normal-main-Discover-the-device-to-read-the-config-f.patch b/SOURCES/0486-normal-main-Discover-the-device-to-read-the-config-f.patch
new file mode 100644
index 0000000000000000000000000000000000000000..0395ae5adbf8d3bd5beed9d046d509e4125b57e2
--- /dev/null
+++ b/SOURCES/0486-normal-main-Discover-the-device-to-read-the-config-f.patch
@@ -0,0 +1,123 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Thu, 8 Jul 2021 16:39:39 +0200
+Subject: [PATCH] normal/main: Discover the device to read the config from as a
+ fallback
+
+The GRUB core.img is generated locally, when this is done the grub2-probe
+tool figures out the device and partition that needs to be read to parse
+the GRUB configuration file.
+
+But in some cases the core.img can't be generated on the host and instead
+has to be done at package build time. For example, if needs to get signed
+with a key that's only available on the package building infrastructure.
+
+If that's the case, the prefix variable won't have a device and partition
+but only a directory path. So there's no way for GRUB to know from which
+device has to read the configuration file.
+
+To allow GRUB to continue working on that scenario, fallback to iterating
+over all the available devices, if reading the config failed when using
+the prefix and fw_path variables.
+
+Related: rhbz#1899864
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+---
+ grub-core/normal/main.c | 58 +++++++++++++++++++++++++++++++++++++++++++------
+ 1 file changed, 51 insertions(+), 7 deletions(-)
+
+diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
+index 49141039f8f..93f33c16732 100644
+--- a/grub-core/normal/main.c
++++ b/grub-core/normal/main.c
+@@ -333,16 +333,11 @@ grub_enter_normal_mode (const char *config)
+ }
+
+ static grub_err_t
+-grub_try_normal (const char *variable)
++grub_try_normal_prefix (const char *prefix)
+ {
+ char *config;
+- const char *prefix;
+ grub_err_t err = GRUB_ERR_FILE_NOT_FOUND;
+
+- prefix = grub_env_get (variable);
+- if (!prefix)
+- return GRUB_ERR_FILE_NOT_FOUND;
+-
+ if (grub_strncmp (prefix + 1, "tftp", sizeof ("tftp") - 1) == 0)
+ {
+ grub_size_t config_len;
+@@ -351,7 +346,7 @@ grub_try_normal (const char *variable)
+ config = grub_malloc (config_len);
+
+ if (! config)
+- return GRUB_ERR_FILE_NOT_FOUND;
++ return err;
+
+ grub_snprintf (config, config_len, "%s/grub.cfg", prefix);
+ err = grub_net_search_configfile (config);
+@@ -380,6 +375,53 @@ grub_try_normal (const char *variable)
+ return err;
+ }
+
++static int
++grub_try_normal_dev (const char *name, void *data)
++{
++ grub_err_t err;
++ const char *prefix = grub_xasprintf ("(%s)%s", name, (char *)data);
++
++ if (!prefix)
++ return 0;
++
++ err = grub_try_normal_prefix (prefix);
++ if (err == GRUB_ERR_NONE)
++ return 1;
++
++ return 0;
++}
++
++static grub_err_t
++grub_try_normal_discover (void)
++{
++ char *prefix = grub_env_get ("prefix");
++ grub_err_t err = GRUB_ERR_FILE_NOT_FOUND;
++
++ if (!prefix)
++ return err;
++
++ if (grub_device_iterate (grub_try_normal_dev, (void *)prefix))
++ return GRUB_ERR_NONE;
++
++ return err;
++}
++
++static grub_err_t
++grub_try_normal (const char *variable)
++{
++ grub_err_t err = GRUB_ERR_FILE_NOT_FOUND;
++ const char *prefix;
++
++ if (!variable)
++ return err;
++
++ prefix = grub_env_get (variable);
++ if (!prefix)
++ return err;
++
++ return grub_try_normal_prefix (prefix);
++}
++
+ /* Enter normal mode from rescue mode. */
+ static grub_err_t
+ grub_cmd_normal (struct grub_command *cmd __attribute__ ((unused)),
+@@ -394,6 +436,8 @@ grub_cmd_normal (struct grub_command *cmd __attribute__ ((unused)),
+ err = grub_try_normal ("fw_path");
+ if (err == GRUB_ERR_FILE_NOT_FOUND)
+ err = grub_try_normal ("prefix");
++ if (err == GRUB_ERR_FILE_NOT_FOUND)
++ err = grub_try_normal_discover ();
+ if (err == GRUB_ERR_FILE_NOT_FOUND)
+ grub_enter_normal_mode (0);
+ }
diff --git a/SOURCES/0487-powerpc-adjust-setting-of-prefix-for-signed-binary-c.patch b/SOURCES/0487-powerpc-adjust-setting-of-prefix-for-signed-binary-c.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a1092c5fb4f723f4959a2f8a0d056faeb1030021
--- /dev/null
+++ b/SOURCES/0487-powerpc-adjust-setting-of-prefix-for-signed-binary-c.patch
@@ -0,0 +1,75 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Mon, 19 Jul 2021 14:35:55 +1000
+Subject: [PATCH] powerpc: adjust setting of prefix for signed binary case
+
+On RHEL-signed powerpc grub, we sign a grub with -p /grub2 and expect
+that there's a boot partition.
+
+Unfortunately grub_set_prefix_and_root tries to convert this to
+($fwdevice)/grub2. This ends up being (ieee1275/disk)/grub2 and that
+falls apart pretty quickly - there's no file-system on ieee1275/disk,
+and it makes the search routine try things like
+(ieee1275/disk,msdos2)(ieee1275/disk)/grub2 which also doesn't work.
+
+Detect if we would be about to create (ieee1275/disk)/path and don't:
+preserve a prefix of /path instead and hope the search later finds us.
+
+Related: rhbz#1899864
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+---
+ grub-core/kern/main.c | 38 +++++++++++++++++++++++++++++++++-----
+ 1 file changed, 33 insertions(+), 5 deletions(-)
+
+diff --git a/grub-core/kern/main.c b/grub-core/kern/main.c
+index 9bf6a8b231a..25dbcfef1f6 100644
+--- a/grub-core/kern/main.c
++++ b/grub-core/kern/main.c
+@@ -215,13 +215,41 @@ grub_set_prefix_and_root (void)
+ if (device)
+ {
+ char *prefix_set;
+-
+- prefix_set = grub_xasprintf ("(%s)%s", device, path ? : "");
+- if (prefix_set)
++
++#ifdef __powerpc__
++ /* We have to be careful here on powerpc-ieee1275 + signed grub. We
++ will have signed something with a prefix that doesn't have a device
++ because we cannot know in advance what partition we're on.
++
++ We will have had !device earlier, so we will have set device=fwdevice
++ However, we want to make sure we do not end up setting prefix to be
++ ($fwdevice)/path, because we will then end up trying to boot or search
++ based on a prefix of (ieee1275/disk)/path, which will not work because
++ it's missing a partition.
++
++ Also:
++ - You can end up with a device with an FS directly on it, without
++ a partition, e.g. ieee1275/cdrom.
++
++ - powerpc-ieee1275 + grub-install sets e.g. prefix=(,gpt2)/path,
++ which will have now been extended to device=$fwdisk,partition
++ and path=/path
++
++ So we only need to act if device = ieee1275/disk exactly.
++ */
++ if (grub_strncmp (device, "ieee1275/disk", 14) == 0)
++ grub_env_set ("prefix", path);
++ else
++#endif
+ {
+- grub_env_set ("prefix", prefix_set);
+- grub_free (prefix_set);
++ prefix_set = grub_xasprintf ("(%s)%s", device, path ? : "");
++ if (prefix_set)
++ {
++ grub_env_set ("prefix", prefix_set);
++ grub_free (prefix_set);
++ }
+ }
++
+ grub_env_set ("root", device);
+ }
+
diff --git a/SOURCES/0488-powerpc-fix-prefix-signed-grub-special-case-for-Powe.patch b/SOURCES/0488-powerpc-fix-prefix-signed-grub-special-case-for-Powe.patch
new file mode 100644
index 0000000000000000000000000000000000000000..415c702c3b612f119647190213b2cb33a3e6a81e
--- /dev/null
+++ b/SOURCES/0488-powerpc-fix-prefix-signed-grub-special-case-for-Powe.patch
@@ -0,0 +1,43 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Mon, 16 Aug 2021 16:01:47 +1000
+Subject: [PATCH] powerpc: fix prefix + signed grub special case for PowerVM
+
+Mea culpa: when testing the PowerPC special case for signed grub, I
+assumed qemu and PowerVM would behave identically. This was wrong, and
+with hindsight a pretty dumb error.
+
+This fixes it. This time, I am actually testing on PowerVM.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+---
+ grub-core/kern/main.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/kern/main.c b/grub-core/kern/main.c
+index 25dbcfef1f6..40a709117f1 100644
+--- a/grub-core/kern/main.c
++++ b/grub-core/kern/main.c
+@@ -235,9 +235,20 @@ grub_set_prefix_and_root (void)
+ which will have now been extended to device=$fwdisk,partition
+ and path=/path
+
+- So we only need to act if device = ieee1275/disk exactly.
++ - PowerVM will give us device names like
++ ieee1275//vdevice/v-scsi@3000006c/disk@8100000000000000
++ and we don't want to try to encode some sort of truth table about
++ what sorts of paths represent disks with partition tables and those
++ without partition tables.
++
++ So we act unless there is a comma in the device, which would indicate
++ a partition has already been specified.
++
++ (If we only have a path, the code in normal to discover config files
++ will try both without partitions and then with any partitions so we
++ will cover both CDs and HDs.)
+ */
+- if (grub_strncmp (device, "ieee1275/disk", 14) == 0)
++ if (grub_strchr (device, ',') == NULL)
+ grub_env_set ("prefix", path);
+ else
+ #endif
diff --git a/SOURCES/20-grub.install b/SOURCES/20-grub.install
index 3238e430c38507c860100b03d426fac30e50d701..9b74538c576daefc20ae2fc5209ba49c78c87add 100755
--- a/SOURCES/20-grub.install
+++ b/SOURCES/20-grub.install
@@ -75,6 +75,14 @@ case "$COMMAND" in
command -v restorecon &>/dev/null && \
restorecon "/boot/.${KERNEL_IMAGE##*/}-${KERNEL_VERSION}.hmac"
fi
+ # symvers is symvers-<version>.gz symlink, needs a special treatment
+ i="$KERNEL_DIR/symvers.gz"
+ if [[ -e "$i" ]]; then
+ rm -f "/boot/symvers-${KERNEL_VERSION}.gz"
+ ln -s "$i" "/boot/symvers-${KERNEL_VERSION}.gz"
+ command -v restorecon &>/dev/null && \
+ restorecon "/boot/symvers-${KERNEL_VERSION}.gz"
+ fi
fi
if [[ "x${GRUB_ENABLE_BLSCFG}" = "xtrue" ]] || [[ ! -f /sbin/new-kernel-pkg ]]; then
@@ -154,6 +162,8 @@ case "$COMMAND" in
done
# hmac is .vmlinuz-<version>.hmac so needs a special treatment
rm -f "/boot/.vmlinuz-${KERNEL_VERSION}.hmac"
+ # symvers is symvers-<version>.gz symlink, needs a special treatment
+ rm -f "/boot/symvers-${KERNEL_VERSION}.gz"
exit 0
fi
diff --git a/SOURCES/centos-ca-secureboot.der b/SOURCES/centos-ca-secureboot.der
deleted file mode 100644
index 44a2563dee3f8eeecd5026306be46d2a8d89970d..0000000000000000000000000000000000000000
Binary files a/SOURCES/centos-ca-secureboot.der and /dev/null differ
diff --git a/SOURCES/centossecureboot001.der b/SOURCES/centossecureboot001.der
deleted file mode 100644
index e8216b1db725cd132b515a277368fc89a9d8fa3d..0000000000000000000000000000000000000000
Binary files a/SOURCES/centossecureboot001.der and /dev/null differ
diff --git a/SOURCES/centossecureboot202.der b/SOURCES/centossecureboot202.der
deleted file mode 100644
index ab8213c1769acb23cafb4e8a9dc5162b6e6186cd..0000000000000000000000000000000000000000
Binary files a/SOURCES/centossecureboot202.der and /dev/null differ
diff --git a/SOURCES/centossecurebootca2.der b/SOURCES/centossecurebootca2.der
deleted file mode 100644
index 42bdfcfbcda649796099fdc87bbe9dc58e2348d5..0000000000000000000000000000000000000000
Binary files a/SOURCES/centossecurebootca2.der and /dev/null differ
diff --git a/SOURCES/grub.macros b/SOURCES/grub.macros
index 98ad11adbfc24f17f0e63a275a002d55e9b5d43a..2eb014aa829e51d90022736611c257a7d52ea468 100644
--- a/SOURCES/grub.macros
+++ b/SOURCES/grub.macros
@@ -71,6 +71,7 @@
%global with_legacy_arch 0
%global grubefiarch %{nil}
%global grublegacyarch %{nil}
+%global grubelfname %{nil}
# sparc is always compiled 64 bit
%ifarch %{sparc}
@@ -108,13 +109,24 @@
%{!?with_efi_only:%global without_efi_only 0}
%{?with_efi_only:%global without_efi_only 1}
-### fixme
+
+%ifarch %{efi_arch}
+%global efi_modules " efi_netfs efifwsetup efinet lsefi lsefimmap "
+%endif
+
+%ifarch x86_64 %{ix86}
+%global platform_modules " backtrace chain usb usbserial_common usbserial_pl2303 usbserial_ftdi usbserial_usbdebug keylayouts at_keyboard "
+%endif
+
+%ifarch ppc64le
+%global platform_modules " appendedsig "
+%endif
+
%ifarch aarch64 %{arm}
%global platform_modules " "
-%else
-%global platform_modules " backtrace chain usb usbserial_common usbserial_pl2303 usbserial_ftdi usbserial_usbdebug keylayouts at_keyboard "
%endif
+
%ifarch aarch64 %{arm}
%global legacy_provides -l
%endif
@@ -203,6 +215,7 @@
%global with_legacy_arch 1
%global grublegacyarch %{legacy_target_cpu_name}-%{platform}
%global moduledir %{legacy_target_cpu_name}-%{platform}
+%global grubelfname core.elf
%endif
%global evr %{epoch}:%{version}-%{release}
@@ -366,45 +379,85 @@ for x in grub-mkimage ; do \\\
done \
%{nil}
+%global grub_modules " all_video boot blscfg btrfs \\\
+ cat configfile cryptodisk echo ext2 \\\
+ fat font gcry_rijndael gcry_rsa gcry_serpent \\\
+ gcry_sha256 gcry_twofish gcry_whirlpool \\\
+ gfxmenu gfxterm gzio halt hfsplus http \\\
+ increment iso9660 jpeg loadenv loopback linux \\\
+ lvm luks mdraid09 mdraid1x minicmd net \\\
+ normal part_apple part_msdos part_gpt \\\
+ password_pbkdf2 png reboot regexp search \\\
+ search_fs_uuid search_fs_file search_label \\\
+ serial sleep syslinuxcfg test tftp video xfs" \
+
%ifarch x86_64 aarch64 %{arm}
-%define mkimage() \
+%define efi_mkimage() \
%{4}./grub-mkimage -O %{1} -o %{2}.orig \\\
- -p /EFI/%{efi_vendor} -d grub-core ${GRUB_MODULES} \\\
- --sbat %{4}./sbat.csv \
+ -p /EFI/%{efi_vendor} -d grub-core \\\
+ --sbat %{4}./sbat.csv \\\
+ ${GRUB_MODULES} \
%{4}./grub-mkimage -O %{1} -o %{3}.orig \\\
- -p /EFI/BOOT -d grub-core ${GRUB_MODULES} \\\
- --sbat %{4}./sbat.csv \
+ -p /EFI/BOOT -d grub-core \\\
+ --sbat %{4}./sbat.csv \\\
+ ${GRUB_MODULES} \
%{expand:%%{pesign -s -i %%{2}.orig -o %%{2}.one -a %%{5} -c %%{6} -n %%{7}}} \
%{expand:%%{pesign -s -i %%{3}.orig -o %%{3}.one -a %%{5} -c %%{6} -n %%{7}}} \
%{expand:%%{pesign -s -i %%{2}.one -o %%{2} -a %%{8} -c %%{9} -n %%{10}}} \
%{expand:%%{pesign -s -i %%{3}.one -o %%{3} -a %%{8} -c %%{9} -n %%{10}}} \
%{nil}
%else
-%define mkimage() \
+%define efi_mkimage() \
%{4}./grub-mkimage -O %{1} -o %{2} \\\
- -p /EFI/%{efi_vendor} -d grub-core ${GRUB_MODULES} \
+ -p /EFI/%{efi_vendor} -d grub-core \\\
+ ${GRUB_MODULES} \
%{4}./grub-mkimage -O %{1} -o %{3} \\\
- -p /EFI/BOOT -d grub-core ${GRUB_MODULES} \
+ -p /EFI/BOOT -d grub-core \\\
+ ${GRUB_MODULES} \
+%{nil}
+%endif
+
+%ifarch ppc64le
+%define ieee1275_mkimage() \
+APPENDED_SIG_SIZE=0 \
+if [ -x /usr/bin/rpm-sign ]; then \
+ touch empty.unsigned \
+ rpm-sign --key %{5} \\\
+ --lkmsign empty.unsigned \\\
+ --output empty.signed \
+ APPENDED_SIG_SIZE="$(stat -c '%s' empty.signed)" \
+ rm empty.{un,}signed \
+fi \
+# FIXME: using this prefix is fragile, must be done properly \
+./grub-mkimage -O %{1} -o %{2}.orig \\\
+ -p '/grub2' -d grub-core \\\
+ -x %{3} -x %{4} \\\
+ --appended-signature-size ${APPENDED_SIG_SIZE} \\\
+ ${GRUB_MODULES} \
+if [ -x /usr/bin/rpm-sign ]; then \
+ truncate -s -${APPENDED_SIG_SIZE} %{2}.orig \
+ rpm-sign --key %{5} \\\
+ --lkmsign %{2}.orig \\\
+ --output %{2} \
+else \
+ mv %{2}.orig %{2} \
+fi \
%{nil}
%endif
%define do_efi_build_images() \
-GRUB_MODULES=" all_video boot blscfg btrfs \\\
- cat configfile cryptodisk \\\
- echo efi_netfs efifwsetup efinet ext2 \\\
- fat font gcry_rijndael gcry_rsa gcry_serpent \\\
- gcry_sha256 gcry_twofish gcry_whirlpool \\\
- gfxmenu gfxterm gzio \\\
- halt hfsplus http increment iso9660 jpeg \\\
- loadenv loopback linux lvm lsefi lsefimmap luks \\\
- mdraid09 mdraid1x minicmd net \\\
- normal part_apple part_msdos part_gpt \\\
- password_pbkdf2 png reboot \\\
- regexp search search_fs_uuid search_fs_file \\\
- search_label serial sleep syslinuxcfg test tftp \\\
- video xfs" \
+GRUB_MODULES+=%{grub_modules} \
+GRUB_MODULES+=%{efi_modules} \
GRUB_MODULES+=%{platform_modules} \
-%{expand:%%{mkimage %{1} %{2} %{3} %{4} %{5} %{6} %{7} %{8} %{9} %{10}}} \
+%{expand:%%{efi_mkimage %{1} %{2} %{3} %{4} %{5} %{6} %{7} %{8} %{9} %{10}}} \
+%{nil}
+
+%define do_ieee1275_build_images() \
+GRUB_MODULES+=%{grub_modules} \
+GRUB_MODULES+=%{platform_modules} \
+cd grub-%{1}-%{tarversion} \
+%{expand:%%ieee1275_mkimage %%{1} %%{2} %%{3} %%{4} %%{5}} \
+cd .. \
%{nil}
%define do_primary_efi_build() \
@@ -501,6 +554,9 @@ fi \
if [ -f $RPM_BUILD_ROOT%{_infodir}/grub-dev.info ]; then \
rm -f $RPM_BUILD_ROOT%{_infodir}/grub-dev.info \
fi \
+%{expand:%ifarch ppc64le \
+ install -m 700 %{grubelfname} $RPM_BUILD_ROOT/%{_libdir}/grub/%{1} \
+%endif} \
ln -s ../boot/%{name}/grub.cfg \\\
${RPM_BUILD_ROOT}%{_sysconfdir}/grub2.cfg \
if [ -f $RPM_BUILD_ROOT/%{_libdir}/grub/%{1}/grub2.chrp ]; then \
@@ -542,12 +598,19 @@ touch ${RPM_BUILD_ROOT}/boot/%{name}/grub.cfg \
%config(noreplace) %{_sysconfdir}/%{name}.cfg \
%ghost %config(noreplace) /boot/%{name}/grub.cfg \
%dir %attr(0700,root,root)/boot/loader/entries \
+%ifarch ppc64le \
+%dir %{_libdir}/grub/%{2}/ \
+%{_libdir}/grub/%{2}/%{grubelfname} \
+%endif \
\
%{expand:%if 0%{?with_legacy_modules} \
%{expand:%%files %{1}-modules} \
%defattr(-,root,root) \
%dir %{_libdir}/grub/%{2}/ \
%{_libdir}/grub/%{2}/* \
+%ifarch ppc64le \
+%exclude %{_libdir}/grub/%{2}/%{grubelfname} \
+%endif \
%exclude %{_libdir}/grub/%{2}/*.module \
%exclude %{_libdir}/grub/%{2}/{boot,boot_hybrid,cdboot,diskboot,lzma_decompress,pxeboot}.image \
%exclude %{_libdir}/grub/%{2}/*.o \
diff --git a/SOURCES/grub.patches b/SOURCES/grub.patches
index b6850138a2c40c949d3e2e3d4ee28800407d24fa..ad83e09d4e5629d61f3fe4a64f2d4d6bb6f9495b 100644
--- a/SOURCES/grub.patches
+++ b/SOURCES/grub.patches
@@ -478,4 +478,11 @@ Patch0477: 0477-kern-misc-Add-function-to-check-printf-format-agains.patch
Patch0478: 0478-gfxmenu-gui-Check-printf-format-in-the-gui_progress_.patch
Patch0479: 0479-kern-mm-Fix-grub_debug_calloc-compilation-error.patch
Patch0480: 0480-efi-net-Fix-malformed-device-path-arithmetic-errors-.patch
-Patch0481: 0481-ieee1275-ofdisk-retry-on-open-failure.patch
+Patch0481: 0481-ieee1275-drop-HEAP_MAX_ADDR-HEAP_MIN_SIZE.patch
+Patch0482: 0482-ieee1275-claim-more-memory.patch
+Patch0483: 0483-ieee1275-request-memory-with-ibm-client-architecture.patch
+Patch0484: 0484-appendedsig-x509-Also-handle-the-Extended-Key-Usage-.patch
+Patch0485: 0485-ieee1275-ofdisk-retry-on-open-failure.patch
+Patch0486: 0486-normal-main-Discover-the-device-to-read-the-config-f.patch
+Patch0487: 0487-powerpc-adjust-setting-of-prefix-for-signed-binary-c.patch
+Patch0488: 0488-powerpc-fix-prefix-signed-grub-special-case-for-Powe.patch
diff --git a/SOURCES/redhatsecureboot303.cer b/SOURCES/redhatsecureboot303.cer
new file mode 100644
index 0000000000000000000000000000000000000000..2c0087dbc5da376aef641bb23833401857c34940
Binary files /dev/null and b/SOURCES/redhatsecureboot303.cer differ
diff --git a/SOURCES/redhatsecureboot601.cer b/SOURCES/redhatsecureboot601.cer
new file mode 100644
index 0000000000000000000000000000000000000000..c92b96b4e0d360b90333361ea61f565f196ea20e
Binary files /dev/null and b/SOURCES/redhatsecureboot601.cer differ
diff --git a/SPECS/grub2.spec b/SPECS/grub2.spec
index 3e2f77eb57fcee2bcdd3b660720a1018a3f4273c..1a88aa6e21d74140d595f356c7b850806b450523 100644
--- a/SPECS/grub2.spec
+++ b/SPECS/grub2.spec
@@ -7,7 +7,7 @@
Name: grub2
Epoch: 1
Version: 2.02
-Release: 99%{?dist}.1
+Release: 106%{?dist}
Summary: Bootloader with support for Linux, Multiboot and more
Group: System Environment/Base
License: GPLv3+
@@ -24,14 +24,31 @@ Source6: gitignore
Source8: strtoull_test.c
Source9: 20-grub.install
Source12: 99-grub-mkconfig.install
-Source13: centos-ca-secureboot.der
-Source14: centossecureboot001.der
-Source15: centossecurebootca2.der
-Source16: centossecureboot202.der
-Source17: sbat.csv.in
+Source13: redhatsecurebootca3.cer
+Source14: redhatsecureboot301.cer
+Source15: redhatsecurebootca5.cer
+Source16: redhatsecureboot502.cer
+Source17: redhatsecureboot303.cer
+Source18: redhatsecureboot601.cer
+Source19: sbat.csv.in
%include %{SOURCE1}
+%if 0%{with_efi_arch}
+%define old_sb_ca %{SOURCE13}
+%define old_sb_cer %{SOURCE14}
+%define old_sb_key redhatsecureboot301
+%define sb_ca %{SOURCE15}
+%define sb_cer %{SOURCE16}
+%define sb_key redhatsecureboot502
+%endif
+
+%ifarch ppc64le
+%define old_sb_cer %{SOURCE17}
+%define sb_cer %{SOURCE18}
+%define sb_key redhatsecureboot602
+%endif
+
# generate with do-rebase
%include %{SOURCE2}
@@ -55,11 +72,7 @@ BuildRequires: pesign >= 0.99-8
BuildRequires: ccache
%endif
-%if 0%{?centos}
-%global efidir centos
-%endif
-
-ExcludeArch: s390 s390x
+ExcludeArch: s390 s390x %{arm}
Obsoletes: %{name} <= %{evr}
%if 0%{with_legacy_arch}
@@ -153,7 +166,7 @@ This subpackage provides tools for support of all platforms.
mkdir grub-%{grubefiarch}-%{tarversion}
grep -A100000 '# stuff "make" creates' .gitignore > grub-%{grubefiarch}-%{tarversion}/.gitignore
cp %{SOURCE4} grub-%{grubefiarch}-%{tarversion}/unifont.pcf.gz
-sed -e "s,@@VERSION@@,%{evr},g" %{SOURCE17} \
+sed -e "s,@@VERSION@@,%{evr},g" %{SOURCE19} \
> grub-%{grubefiarch}-%{tarversion}/sbat.csv
git add grub-%{grubefiarch}-%{tarversion}
%endif
@@ -173,14 +186,17 @@ git commit -m "After making subdirs"
%build
%if 0%{with_efi_arch}
-%{expand:%do_primary_efi_build %%{grubefiarch} %%{grubefiname} %%{grubeficdname} %%{_target_platform} %%{efi_target_cflags} %%{efi_host_cflags} %{SOURCE13} %{SOURCE14} centossecureboot001 %{SOURCE15} %{SOURCE16} centossecureboot202}
+%{expand:%do_primary_efi_build %%{grubefiarch} %%{grubefiname} %%{grubeficdname} %%{_target_platform} %%{efi_target_cflags} %%{efi_host_cflags} %{old_sb_ca} %{old_sb_cer} %{old_sb_key} %{sb_ca} %{sb_cer} %{sb_key}}
%endif
%if 0%{with_alt_efi_arch}
-%{expand:%do_alt_efi_build %%{grubaltefiarch} %%{grubaltefiname} %%{grubalteficdname} %%{_alt_target_platform} %%{alt_efi_target_cflags} %%{alt_efi_host_cflags} %{SOURCE13} %{SOURCE14} centossecureboot001 %{SOURCE15} %{SOURCE16} centossecureboot202}
+%{expand:%do_alt_efi_build %%{grubaltefiarch} %%{grubaltefiname} %%{grubalteficdname} %%{_alt_target_platform} %%{alt_efi_target_cflags} %%{alt_efi_host_cflags} %{old_sb_ca} %{old_sb_cer} %{old_sb_key} %{sb_ca} %{sb_cer} %{sb_key}}
%endif
%if 0%{with_legacy_arch}
%{expand:%do_legacy_build %%{grublegacyarch}}
%endif
+%ifarch ppc64le
+%{expand:%do_ieee1275_build_images %%{grublegacyarch} %{grubelfname} %{old_sb_cer} %{sb_cer} %{sb_key}}
+%endif
makeinfo --info --no-split -I docs -o docs/grub-dev.info \
docs/grub-dev.texi
makeinfo --info --no-split -I docs -o docs/grub.info \
@@ -507,12 +523,33 @@ fi
%endif
%changelog
-* Tue Sep 21 2021 CentOS Sources <bugs@centos.org> - 2.02-99.el8.centos.1
-- Apply debranding changes
+* Thu Aug 19 2021 Javier Martinez Canillas <javierm@redhat.com> - 2.02-106
+- Fix device discoverability on PowerVM when the prefix is not set (dja)
+ Related: rhbz#1899864
-* Mon May 17 2021 Javier Martinez Canillas <javierm@redhat.com> - 2.02-99.el8_4.1
+* Thu Jul 22 2021 Javier Martinez Canillas <javierm@redhat.com> - 2.02-105
+- Discover the device to read the config from as a fallback
+ Related: rhbz#1899864
+
+* Mon Jun 21 2021 Javier Martinez Canillas <javierm@redhat.com> - 2.02-104
+- 20-grub-install: Create a symvers.gz symbolic link
+ Resolves: rhbz#1919125
+
+* Mon May 17 2021 Javier Martinez Canillas <javierm@redhat.com> - 2.02-103
- Fix boot failures in ppc64le caused by storage race condition (diegodo)
- Resolves: rhbz#1961265
+ Resolves: rhbz#1942152
+
+* Tue May 11 2021 Javier Martinez Canillas <javierm@redhat.com> - 2.02-102
+- Build and sign powerpc-ieee1275 images
+ Related: rhbz#1899864
+
+* Fri Apr 23 2021 Javier Martinez Canillas <javierm@redhat.com> - 2.02-101
+- Find and claim more memory for ieee1275 (dja)
+ Related: rhbz#1853410
+
+* Fri Apr 23 2021 Javier Martinez Canillas <javierm@redhat.com> - 2.02-100
+- Sync with the latest content of the rhel-8.4.0 branch
+ Resolves: rhbz#1952840
* Thu Feb 25 2021 Javier Martinez Canillas <javierm@redhat.com> - 2.02-99
- Fix bug of grub2-install not checking for the SBAT option
@@ -536,13 +573,10 @@ fi
* Tue Feb 23 2021 Javier Martinez Canillas <javierm@redhat.com> - 2.02-97
- Fix keylayouts module listed twice in GRUB_MODULES variable
- Related: rhbz#1897587
* Tue Feb 23 2021 Javier Martinez Canillas <javierm@redhat.com> - 2.02-96
- Fix "Add 'at_keyboard_fallback_set' var to force the set manually"
- Related: rhbz#1897587
- Fix a boot failure due patch "ieee1275: claim up to 256MB memory"
- Resolves: rhbz#1929111
* Tue Jan 26 2021 Javier Martinez Canillas <javierm@redhat.com> - 2.02-95
- Add appended signatures support for ppc64le LPAR Secure Boot (daxtens)