diff --git a/SOURCES/0259-HTTP-boot-strncmp-returns-0-on-equal.patch b/SOURCES/0259-HTTP-boot-strncmp-returns-0-on-equal.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e3edefb9b45f186bbe3fe3efb68af2b543d0c592
--- /dev/null
+++ b/SOURCES/0259-HTTP-boot-strncmp-returns-0-on-equal.patch
@@ -0,0 +1,23 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Stephen Benjamin <stephen@redhat.com>
+Date: Fri, 12 Apr 2019 10:43:13 -0400
+Subject: [PATCH] HTTP boot: strncmp returns 0 on equal
+
+Resolves: rhbz#1490991
+---
+ grub-core/net/efi/http.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/net/efi/http.c b/grub-core/net/efi/http.c
+index 2a9624dacc4..484e0c68cee 100644
+--- a/grub-core/net/efi/http.c
++++ b/grub-core/net/efi/http.c
+@@ -19,7 +19,7 @@ http_configure (struct grub_efi_net_device *dev, int prefer_ip6)
+ const char *rest, *http_server, *http_path = NULL;
+
+ http_server = grub_env_get ("root");
+- https = grub_strncmp (http_server, "https", 5) ? 1 : 0;
++ https = (grub_strncmp (http_server, "https", 5) == 0) ? 1 : 0;
+
+ /* extract http server + port */
+ if (http_server)
diff --git a/SOURCES/0260-Don-t-duplicate-net-name-string-if-not-needed.patch b/SOURCES/0260-Don-t-duplicate-net-name-string-if-not-needed.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f890e90d016f959faf2b1b829f0891d2c066acb3
--- /dev/null
+++ b/SOURCES/0260-Don-t-duplicate-net-name-string-if-not-needed.patch
@@ -0,0 +1,53 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Thu, 25 Apr 2019 17:50:23 +0200
+Subject: [PATCH] Don't duplicate net->name string if not needed
+
+Related: rhbz#1490991
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+---
+ grub-core/net/efi/http.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/grub-core/net/efi/http.c b/grub-core/net/efi/http.c
+index 484e0c68cee..de351b2cd03 100644
+--- a/grub-core/net/efi/http.c
++++ b/grub-core/net/efi/http.c
+@@ -394,27 +394,27 @@ grub_efihttp_open (struct grub_efi_net_device *dev,
+ grub_err_t err;
+ grub_off_t size;
+ char *buf;
+- char *file_name;
++ char *file_name = NULL;
+ const char *http_path;
+
+ /* If path is relative, prepend http_path */
+ http_path = grub_env_get ("http_path");
+- if (http_path && file->device->net->name[0] != '/')
++ if (http_path && file->device->net->name[0] != '/') {
+ file_name = grub_xasprintf ("%s/%s", http_path, file->device->net->name);
+- else
+- file_name = grub_strdup (file->device->net->name);
++ if (!file_name)
++ return grub_errno;
++ }
+
+- if (!file_name)
+- return grub_errno;
+-
+- err = efihttp_request (dev->http, file->device->net->server, file_name, type, 1, 0);
++ err = efihttp_request (dev->http, file->device->net->server,
++ file_name ? file_name : file->device->net->name, type, 1, 0);
+ if (err != GRUB_ERR_NONE)
+ {
+ grub_free (file_name);
+ return err;
+ }
+
+- err = efihttp_request (dev->http, file->device->net->server, file_name, type, 0, &size);
++ err = efihttp_request (dev->http, file->device->net->server,
++ file_name ? file_name : file->device->net->name, type, 0, &size);
+ grub_free (file_name);
+ if (err != GRUB_ERR_NONE)
+ {
diff --git a/SOURCES/0261-Try-to-set-fPIE-and-friends-on-libgnu.a.patch b/SOURCES/0261-Try-to-set-fPIE-and-friends-on-libgnu.a.patch
new file mode 100644
index 0000000000000000000000000000000000000000..17f5179be6f0fce2c6f74ea65d4357cc95b55e09
--- /dev/null
+++ b/SOURCES/0261-Try-to-set-fPIE-and-friends-on-libgnu.a.patch
@@ -0,0 +1,39 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 15 Jan 2019 14:57:25 -0500
+Subject: [PATCH] Try to set -fPIE and friends on libgnu.a
+
+In order to make sure UTIL_CFLAGS and UTIL_LDFLAGS can correctly get
+-Wl,-z,relro,-z,now , we need everything going in them to be built with at
+least -fPIC (and preferably -fPIE) wherever we can, or else we get relocations
+in some component object that can't be used with the link type that's being
+used for the final ELF object.
+
+So this makes sure libgnu.a gets built with HOST_CFLAGS and HOST_LDFLAGS,
+which are what is later used to define UTIL_CFLAGS and UTIL_LDFLAGS, and
+includes -fPIE.
+
+Fixes an rpmdiff check.
+
+Related: rhbz#1658500
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ grub-core/gnulib/Makefile.am | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/gnulib/Makefile.am b/grub-core/gnulib/Makefile.am
+index b7c5e60e1c3..bd3621930ff 100644
+--- a/grub-core/gnulib/Makefile.am
++++ b/grub-core/gnulib/Makefile.am
+@@ -38,8 +38,8 @@ CLEANFILES =
+ DISTCLEANFILES =
+ MAINTAINERCLEANFILES =
+
+-AM_CPPFLAGS =
+-AM_CFLAGS =
++AM_CPPFLAGS = $(HOST_CPPFLAGS)
++AM_CFLAGS = $(HOST_CFLAGS)
+
+ noinst_LIBRARIES += libgnu.a
+
diff --git a/SOURCES/0262-blscfg-fallback-to-default_kernelopts-if-BLS-option-.patch b/SOURCES/0262-blscfg-fallback-to-default_kernelopts-if-BLS-option-.patch
new file mode 100644
index 0000000000000000000000000000000000000000..13e589f0479618a2eb6582464b0c3fa0a64e1597
--- /dev/null
+++ b/SOURCES/0262-blscfg-fallback-to-default_kernelopts-if-BLS-option-.patch
@@ -0,0 +1,60 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Tue, 26 Feb 2019 20:11:27 +0100
+Subject: [PATCH] blscfg: fallback to default_kernelopts if BLS option field
+ isn't set
+
+If the $kernelopts variable isn't found, then the entry will fail to boot
+since there won't be a kernel command line params set. This makes the BLS
+configuration more fragile than a non-BLS one, since in that case it will
+boot even without a correct grubenv file.
+
+So set a $default_kernelopts in the GRUB config file that will be used as
+a fallback if the value in the BLS options field can't be resolved.
+
+Related: rhbz#1625124
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+---
+ grub-core/commands/blscfg.c | 7 +++++++
+ util/grub.d/10_linux.in | 2 ++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/grub-core/commands/blscfg.c b/grub-core/commands/blscfg.c
+index c432c6ba27a..11cc82b6f31 100644
+--- a/grub-core/commands/blscfg.c
++++ b/grub-core/commands/blscfg.c
+@@ -628,6 +628,9 @@ static char *expand_val(char *value)
+ char *end = value;
+ bool is_var = false;
+
++ if (!value)
++ return NULL;
++
+ while (*value) {
+ if (*value == '$') {
+ if (start != end) {
+@@ -701,6 +704,10 @@ static void create_entry (struct bls_entry *entry)
+
+ title = bls_get_val (entry, "title", NULL);
+ options = expand_val (bls_get_val (entry, "options", NULL));
++
++ if (!options)
++ options = expand_val (grub_env_get("default_kernelopts"));
++
+ initrds = bls_make_list (entry, "initrd", NULL);
+
+ hotkey = bls_get_val (entry, "grub_hotkey", NULL);
+diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in
+index da2992ac9f1..04fd8953f40 100644
+--- a/util/grub.d/10_linux.in
++++ b/util/grub.d/10_linux.in
+@@ -158,6 +158,8 @@ linux_entry ()
+ populate_header_warn
+
+ cat << EOF
++set default_kernelopts="root=${linux_root_device_thisversion} ro ${args}"
++
+ insmod blscfg
+ blscfg
+ if [ -s \$prefix/grubenv ]; then
diff --git a/SOURCES/0263-Remove-bogus-load_env-after-blscfg-command-in-10_lin.patch b/SOURCES/0263-Remove-bogus-load_env-after-blscfg-command-in-10_lin.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7b09d5f0b2bda2f0f30ce57fe0a9aeea23b325bc
--- /dev/null
+++ b/SOURCES/0263-Remove-bogus-load_env-after-blscfg-command-in-10_lin.patch
@@ -0,0 +1,27 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Tue, 14 May 2019 20:37:44 +0200
+Subject: [PATCH] Remove bogus load_env after blscfg command in 10_linux
+
+The grubenv is already loaded in the 00_header snippet, so there's
+no need to load it anywhere else.
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+---
+ util/grub.d/10_linux.in | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in
+index 04fd8953f40..58d18504790 100644
+--- a/util/grub.d/10_linux.in
++++ b/util/grub.d/10_linux.in
+@@ -162,9 +162,6 @@ set default_kernelopts="root=${linux_root_device_thisversion} ro ${args}"
+
+ insmod blscfg
+ blscfg
+-if [ -s \$prefix/grubenv ]; then
+- load_env
+-fi
+ EOF
+
+ if [ "x${GRUB_GRUBENV_UPDATE}" = "xyes" ]; then
diff --git a/SOURCES/0264-10_linux_bls-use-to-separate-id-argument-due-a-Petit.patch b/SOURCES/0264-10_linux_bls-use-to-separate-id-argument-due-a-Petit.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2ea8828e4b91b76dc780f4393a5ba297a606d5eb
--- /dev/null
+++ b/SOURCES/0264-10_linux_bls-use-to-separate-id-argument-due-a-Petit.patch
@@ -0,0 +1,33 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Wed, 19 Jun 2019 15:57:17 +0200
+Subject: [PATCH] 10_linux_bls: use '=' to separate --id argument due a
+ Petitboot bug
+
+The GRUB menuentry command allows to separate the arguments for options
+using either a '=' or a ' '. The latter is the convention used when the
+menu entries are defined in the GRUB config file, but this is currently
+not supported by Petitboot.
+
+So as a workaround define the menu entries using '--id=${bls}' instead.
+
+Resolves: rhbz#1721815
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+---
+ util/grub.d/10_linux_bls.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/util/grub.d/10_linux_bls.in b/util/grub.d/10_linux_bls.in
+index 175bedd0763..8e07a79322b 100644
+--- a/util/grub.d/10_linux_bls.in
++++ b/util/grub.d/10_linux_bls.in
+@@ -180,7 +180,7 @@ populate_menu()
+ for bls in "${files[@]}" ; do
+ read_config "${blsdir}/${bls}.conf"
+
+- menu="${menu}menuentry '${title}' --class ${grub_class} ${grub_arg} --users ${grub_users} --id ${bls} {\n"
++ menu="${menu}menuentry '${title}' --class ${grub_class} ${grub_arg} --users ${grub_users} --id=${bls} {\n"
+ menu="${menu}\t linux ${linux} ${options}\n"
+ if [ -n "${initrd}" ] ; then
+ menu="${menu}\t initrd ${boot_prefix}${initrd}\n"
diff --git a/SOURCES/0265-10_linux_bls-don-t-add-users-option-to-generated-men.patch b/SOURCES/0265-10_linux_bls-don-t-add-users-option-to-generated-men.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5b5ecdc30d783aceb30f74326e9f793c6fa64bb9
--- /dev/null
+++ b/SOURCES/0265-10_linux_bls-don-t-add-users-option-to-generated-men.patch
@@ -0,0 +1,37 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Thu, 28 Mar 2019 16:34:42 +0100
+Subject: [PATCH] 10_linux_bls: don't add --users option to generated menu
+ entries
+
+The generated menu entries have a --users $grub_users option but this will
+fail on old versions of GRUB, since it expects the --users option argument
+to either be a constant or a variable that has been set.
+
+The latest GRUB version fix this but the GRUB core isn't updated on a GRUB
+package update, so this will cause the entries to not be shown in the menu
+after a system upgrade.
+
+Since can cause issues and because the entries that weren't generated from
+the BLS snippets didn't have the --users option either, just don't add it.
+
+Resolves: rhbz#1755815
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+---
+ util/grub.d/10_linux_bls.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/util/grub.d/10_linux_bls.in b/util/grub.d/10_linux_bls.in
+index 8e07a79322b..855dbdd190b 100644
+--- a/util/grub.d/10_linux_bls.in
++++ b/util/grub.d/10_linux_bls.in
+@@ -180,7 +180,7 @@ populate_menu()
+ for bls in "${files[@]}" ; do
+ read_config "${blsdir}/${bls}.conf"
+
+- menu="${menu}menuentry '${title}' --class ${grub_class} ${grub_arg} --users ${grub_users} --id=${bls} {\n"
++ menu="${menu}menuentry '${title}' --class ${grub_class} ${grub_arg} --id=${bls} {\n"
+ menu="${menu}\t linux ${linux} ${options}\n"
+ if [ -n "${initrd}" ] ; then
+ menu="${menu}\t initrd ${boot_prefix}${initrd}\n"
diff --git a/SOURCES/centos-ca-secureboot.der b/SOURCES/centos-ca-secureboot.der
deleted file mode 100644
index 44a2563dee3f8eeecd5026306be46d2a8d89970d..0000000000000000000000000000000000000000
Binary files a/SOURCES/centos-ca-secureboot.der and /dev/null differ
diff --git a/SOURCES/centossecureboot001.crt b/SOURCES/centossecureboot001.crt
deleted file mode 100644
index 321c4ec98a8b3e220c9c25d1e667899043a6a985..0000000000000000000000000000000000000000
--- a/SOURCES/centossecureboot001.crt
+++ /dev/null
@@ -1,81 +0,0 @@
-Certificate:
- Data:
- Version: 3 (0x2)
- Serial Number:
- b6:16:15:71:72:fb:31:7e
- Signature Algorithm: sha256WithRSAEncryption
- Issuer: CN=CentOS Secure Boot (CA key 1)/emailAddress=security@centos.org
- Validity
- Not Before: Aug 1 11:47:30 2018 GMT
- Not After : Dec 31 11:47:30 2037 GMT
- Subject: CN=CentOS Secure Boot (key 1)/emailAddress=security@centos.org
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- RSA Public Key: (2048 bit)
- Modulus (2048 bit):
- 00:c1:a3:6a:f4:2d:71:83:6c:21:ca:0c:b7:ac:fa:
- 76:80:43:03:40:87:5d:de:e9:1e:df:ad:e7:2b:51:
- cb:f8:31:0f:9a:db:ab:23:25:04:11:05:57:7d:f2:
- 4b:8d:1e:b3:75:78:1d:b9:57:8b:18:0b:bb:7e:e3:
- 24:0f:6a:40:5f:2b:4f:03:a5:85:94:d2:f9:08:a0:
- bc:db:a5:ea:4f:7f:e8:7c:d1:a9:f8:f0:9c:25:18:
- 00:14:c4:c4:35:7d:1d:4c:8a:8d:95:f8:ed:65:97:
- a5:a4:da:7d:cb:f0:33:3b:b7:03:94:68:47:05:57:
- 6c:96:91:ac:14:f2:e3:f6:6d:4a:18:cf:68:8a:35:
- 6f:8e:26:99:7f:db:c9:83:54:c2:c3:bf:ad:45:a0:
- aa:a0:86:5f:20:b1:86:1b:ae:b7:28:15:11:f9:65:
- 53:5d:70:33:9b:a3:c7:b5:c8:11:ff:55:3b:e7:46:
- f1:6c:6b:8c:bb:f2:9f:36:23:b1:2d:23:2f:8f:4f:
- 6c:a8:cc:ae:f5:56:9e:22:6c:0e:9a:4a:b1:bd:b2:
- 76:15:5c:05:85:b8:5e:dc:8c:a5:c3:e0:75:51:a4:
- 94:9b:03:2e:7b:f8:d3:b9:dd:7f:88:ce:2e:2f:28:
- 4c:b4:92:2f:e6:e0:67:0a:d0:ff:c5:d2:79:a6:ef:
- 94:0f
- Exponent: 65537 (0x10001)
- X509v3 extensions:
- X509v3 Basic Constraints: critical
- CA:FALSE
- X509v3 Key Usage:
- Digital Signature
- X509v3 Subject Key Identifier:
- F0:37:C6:EA:EC:36:D4:05:7A:52:6C:0E:C6:D5:A9:5B:32:4E:E1:29
- X509v3 Authority Key Identifier:
- keyid:54:EC:81:85:89:3E:E9:1A:DB:08:F7:44:88:54:7E:8E:3F:74:3A:F3
-
- Signature Algorithm: sha256WithRSAEncryption
- 97:97:ba:a6:0b:5b:bb:84:39:2e:ef:8b:51:9a:89:bb:65:3c:
- dc:15:d0:5a:88:c5:af:ce:93:f5:c1:74:98:15:59:a9:38:da:
- 11:fd:46:d5:4f:23:7c:03:1f:ae:0c:70:93:94:a7:61:2f:4b:
- 2f:5f:bb:cc:8a:d7:4a:24:66:73:85:b4:19:13:fc:6a:61:4a:
- 28:1f:a2:38:f4:72:90:03:c4:3e:64:63:8b:fb:15:22:22:4e:
- b9:43:d9:b4:3d:3a:60:c1:4d:3a:09:85:68:7a:bc:3b:f9:ef:
- f3:f5:e9:c9:4f:80:8c:c6:e9:cb:ef:28:44:b0:5d:d4:9e:4f:
- 0f:02:9a:65:aa:98:35:b4:6f:d2:80:e3:08:ef:12:d0:17:56:
- a6:a1:42:1e:1d:ab:e5:33:c0:fd:88:0d:40:42:81:c8:27:30:
- 17:07:57:3e:05:9d:aa:05:0e:5b:3a:79:b4:29:aa:7c:42:5a:
- ad:43:59:fb:34:4d:dc:62:58:63:e4:fb:de:bb:fd:6c:4e:97:
- 58:f4:b9:99:4a:71:fe:7f:16:50:55:25:46:39:96:9b:88:6c:
- 75:19:33:9e:70:b3:04:82:fe:16:a8:8e:22:47:83:6d:16:77:
- da:26:ad:31:d8:06:6d:c5:7e:46:4b:21:ab:ae:ec:2a:93:71:
- da:7f:89:1d
------BEGIN CERTIFICATE-----
-MIIDdTCCAl2gAwIBAgIJALYWFXFy+zF+MA0GCSqGSIb3DQEBCwUAMEwxJjAkBgNV
-BAMMHUNlbnRPUyBTZWN1cmUgQm9vdCAoQ0Ega2V5IDEpMSIwIAYJKoZIhvcNAQkB
-FhNzZWN1cml0eUBjZW50b3Mub3JnMB4XDTE4MDgwMTExNDczMFoXDTM3MTIzMTEx
-NDczMFowSTEjMCEGA1UEAxMaQ2VudE9TIFNlY3VyZSBCb290IChrZXkgMSkxIjAg
-BgkqhkiG9w0BCQEWE3NlY3VyaXR5QGNlbnRvcy5vcmcwggEiMA0GCSqGSIb3DQEB
-AQUAA4IBDwAwggEKAoIBAQDBo2r0LXGDbCHKDLes+naAQwNAh13e6R7frecrUcv4
-MQ+a26sjJQQRBVd98kuNHrN1eB25V4sYC7t+4yQPakBfK08DpYWU0vkIoLzbpepP
-f+h80an48JwlGAAUxMQ1fR1Mio2V+O1ll6Wk2n3L8DM7twOUaEcFV2yWkawU8uP2
-bUoYz2iKNW+OJpl/28mDVMLDv61FoKqghl8gsYYbrrcoFRH5ZVNdcDObo8e1yBH/
-VTvnRvFsa4y78p82I7EtIy+PT2yozK71Vp4ibA6aSrG9snYVXAWFuF7cjKXD4HVR
-pJSbAy57+NO53X+Izi4vKEy0ki/m4GcK0P/F0nmm75QPAgMBAAGjXTBbMAwGA1Ud
-EwEB/wQCMAAwCwYDVR0PBAQDAgeAMB0GA1UdDgQWBBTwN8bq7DbUBXpSbA7G1alb
-Mk7hKTAfBgNVHSMEGDAWgBRU7IGFiT7pGtsI90SIVH6OP3Q68zANBgkqhkiG9w0B
-AQsFAAOCAQEAl5e6pgtbu4Q5Lu+LUZqJu2U83BXQWojFr86T9cF0mBVZqTjaEf1G
-1U8jfAMfrgxwk5SnYS9LL1+7zIrXSiRmc4W0GRP8amFKKB+iOPRykAPEPmRji/sV
-IiJOuUPZtD06YMFNOgmFaHq8O/nv8/XpyU+AjMbpy+8oRLBd1J5PDwKaZaqYNbRv
-0oDjCO8S0BdWpqFCHh2r5TPA/YgNQEKByCcwFwdXPgWdqgUOWzp5tCmqfEJarUNZ
-+zRN3GJYY+T73rv9bE6XWPS5mUpx/n8WUFUlRjmWm4hsdRkznnCzBIL+FqiOIkeD
-bRZ32iatMdgGbcV+Rkshq67sKpNx2n+JHQ==
------END CERTIFICATE-----
diff --git a/SOURCES/grub.macros b/SOURCES/grub.macros
index 07f41142d8d3f66529f4ecd83536bf63dadc7589..1e3705f868317d74c6c1f7f2a808a2957d26b2a3 100644
--- a/SOURCES/grub.macros
+++ b/SOURCES/grub.macros
@@ -17,7 +17,6 @@
%global cflags_sed \\\
sed \\\
-e 's/-O. //g' \\\
- -e 's/-g /-g3 /g' \\\
-e 's/-fplugin=annobin //g' \\\
-e 's,-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 ,,g' \\\
-e 's/-fstack-protector[[:alpha:]-]\\+//g' \\\
@@ -29,25 +28,44 @@
-e 's/^/ -fno-strict-aliasing /' \\\
%{nil}
-%global host_cflags %{expand:%%(echo %{optflags} | %{cflags_sed})}
-%global target_cflags %{expand:%%(echo %{optflags} | %{cflags_sed})}
-%global legacy_target_cflags \\\
- %{expand:%%(echo %{target_cflags} | \\\
+%global host_cflags %{expand:%%(echo %{build_cflags} %{?_hardening_cflags} | %{cflags_sed})}
+%global legacy_host_cflags \\\
+ %{expand:%%(echo %{host_cflags} | \\\
%{cflags_sed} \\\
-e 's/-m64//g' \\\
-e 's/-mcpu=power[[:alnum:]]\\+/-mcpu=power6/g' \\\
)}
-%global legacy_host_cflags \\\
- %{expand:%%(echo %{host_cflags} | \\\
+%global efi_host_cflags %{expand:%%(echo %{host_cflags})}
+
+%global target_cflags %{expand:%%(echo %{build_cflags} | %{cflags_sed})}
+%global legacy_target_cflags \\\
+ %{expand:%%(echo %{target_cflags} | \\\
%{cflags_sed} \\\
-e 's/-m64//g' \\\
-e 's/-mcpu=power[[:alnum:]]\\+/-mcpu=power6/g' \\\
)}
-
-%global efi_host_cflags %{expand:%%(echo %{host_cflags})}
%global efi_target_cflags %{expand:%%(echo %{target_cflags})}
+%global ldflags_sed \\\
+ sed \\\
+ -e 's/^$//' \\\
+ %{nil}
+
+%global host_ldflags %{expand:%%(echo %{build_ldflags} %{?_hardening_ldflags} | %{ldflags_sed})}
+%global legacy_host_ldflags \\\
+ %{expand:%%(echo %{host_ldflags} | \\\
+ %{ldflags_sed} \\\
+ )}
+%global efi_host_ldflags %{expand:%%(echo %{host_ldflags})}
+
+%global target_ldflags %{expand:%%(echo %{build_ldflags} -static | %{ldflags_sed})}
+%global legacy_target_ldflags \\\
+ %{expand:%%(echo %{target_ldflags} | \\\
+ %{ldflags_sed} \\\
+ )}
+%global efi_target_ldflags %{expand:%%(echo %{target_ldflags})}
+
%global with_efi_arch 0
%global with_alt_efi_arch 0
%global with_legacy_arch 0
@@ -314,11 +332,12 @@ PYTHON=python3 ./autogen.sh \
%define do_efi_configure() \
%configure \\\
%{cc_equals} \\\
- HOST_CFLAGS="%{3} -I$(pwd)" \\\
- HOST_CPPFLAGS="${CPPFLAGS} -I$(pwd)" \\\
- TARGET_CFLAGS="%{2} -I$(pwd)" \\\
- TARGET_CPPFLAGS="${CPPFLAGS} -I$(pwd)" \\\
- TARGET_LDFLAGS=-static \\\
+ HOST_CFLAGS="%{3}" \\\
+ HOST_CPPFLAGS="-I$(pwd)" \\\
+ HOST_LDFLAGS="%{efi_host_ldflags}" \\\
+ TARGET_CFLAGS="%{2}" \\\
+ TARGET_CPPFLAGS="-I$(pwd)" \\\
+ TARGET_LDFLAGS="%{efi_target_ldflags}" \\\
--with-platform=efi \\\
--with-utils=host \\\
--target=%{1} \\\
@@ -401,9 +420,12 @@ cd .. \
cd grub-%{1}-%{tarversion} \
%configure \\\
%{cc_equals} \\\
- HOST_CFLAGS="%{legacy_host_cflags} -I$(pwd)" \\\
- TARGET_CFLAGS="%{legacy_target_cflags} -I$(pwd)" \\\
- TARGET_LDFLAGS=-static \\\
+ HOST_CFLAGS="%{legacy_host_cflags}" \\\
+ HOST_CPPFLAGS="-I$(pwd)" \\\
+ HOST_LDFLAGS="%{legacy_host_ldflags}" \\\
+ TARGET_CFLAGS="%{legacy_target_cflags}" \\\
+ TARGET_CPPFLAGS="-I$(pwd)" \\\
+ TARGET_LDFLAGS="%{legacy_target_ldflags}" \\\
--with-platform=%{platform} \\\
--with-utils=host \\\
--target=%{_target_platform} \\\
@@ -412,7 +434,7 @@ cd grub-%{1}-%{tarversion} \
--disable-grub-mount \\\
--disable-werror || ( cat config.log ; exit 1 ) \
git add . \
-git commit -m "After legacy configure" \
+git commit -m "After legacy configure" \
make %{?_smp_mflags} \
cd .. \
%{nil}
@@ -532,7 +554,7 @@ touch ${RPM_BUILD_ROOT}/boot/%{name}/grub.cfg \
%dir %attr(0700,root,root)%{efi_esp_dir}/fonts \
%dir %attr(0700,root,root)/boot/loader/entries \
%ghost %config(noreplace) %attr(0700,root,root)%{efi_esp_dir}/grub.cfg \
-/boot/grub2/grubenv \
+%config(noreplace) /boot/grub2/grubenv \
%ghost %config(noreplace) %attr(0700,root,root)%{efi_esp_dir}/grubenv \
%{expand:%if 0%{?without_efi_modules} \
%exclude %{_libdir}/grub/%{6} \
diff --git a/SOURCES/grub.patches b/SOURCES/grub.patches
index 558efbe2c1115a05d425f6e8342bf2eb7ab2a715..68fc6910c93aa54a2e87be3193435f15e39c3579 100644
--- a/SOURCES/grub.patches
+++ b/SOURCES/grub.patches
@@ -256,3 +256,10 @@ Patch0255: 0255-Make-grub2-mkconfig-to-honour-GRUB_CMDLINE_LINUX-in-.patch
Patch0256: 0256-grub-boot-success.timer-Add-a-few-Conditions-for-run.patch
Patch0257: 0257-docs-Stop-using-polkit-pkexec-for-grub-boot-success..patch
Patch0258: 0258-Fix-the-looking-up-grub.cfg-XXX-while-tftp-booting.patch
+Patch0259: 0259-HTTP-boot-strncmp-returns-0-on-equal.patch
+Patch0260: 0260-Don-t-duplicate-net-name-string-if-not-needed.patch
+Patch0261: 0261-Try-to-set-fPIE-and-friends-on-libgnu.a.patch
+Patch0262: 0262-blscfg-fallback-to-default_kernelopts-if-BLS-option-.patch
+Patch0263: 0263-Remove-bogus-load_env-after-blscfg-command-in-10_lin.patch
+Patch0264: 0264-10_linux_bls-use-to-separate-id-argument-due-a-Petit.patch
+Patch0265: 0265-10_linux_bls-don-t-add-users-option-to-generated-men.patch
diff --git a/SPECS/grub2.spec b/SPECS/grub2.spec
index 93db85678e47450598dc94fdef92c2c7c06535aa..361f0b79eeb3e24077a7cce171dca66f39ca058c 100644
--- a/SPECS/grub2.spec
+++ b/SPECS/grub2.spec
@@ -7,7 +7,7 @@
Name: grub2
Epoch: 1
Version: 2.02
-Release: 66%{?dist}.1
+Release: 78%{?dist}
Summary: Bootloader with support for Linux, Multiboot and more
Group: System Environment/Base
License: GPLv3+
@@ -24,8 +24,8 @@ Source6: gitignore
Source8: strtoull_test.c
Source9: 20-grub.install
Source12: 99-grub-mkconfig.install
-Source13: centos-ca-secureboot.der
-Source14: centossecureboot001.crt
+Source13: securebootca.cer
+Source14: secureboot.cer
%include %{SOURCE1}
@@ -52,11 +52,7 @@ BuildRequires: pesign >= 0.99-8
BuildRequires: ccache
%endif
-%if 0%{?centos}
-%global efidir centos
-%endif
-
-ExcludeArch: s390 s390x
+ExcludeArch: s390 s390x %{arm}
Obsoletes: %{name} <= %{evr}
%if 0%{with_legacy_arch}
@@ -168,10 +164,10 @@ git commit -m "After making subdirs"
%build
%if 0%{with_efi_arch}
-%{expand:%do_primary_efi_build %%{grubefiarch} %%{grubefiname} %%{grubeficdname} %%{_target_platform} %%{efi_target_cflags} %%{efi_host_cflags} %{SOURCE13} %{SOURCE14} centossecureboot001}
+%{expand:%do_primary_efi_build %%{grubefiarch} %%{grubefiname} %%{grubeficdname} %%{_target_platform} %%{efi_target_cflags} %%{efi_host_cflags} %{SOURCE13} %{SOURCE14} redhatsecureboot301}
%endif
%if 0%{with_alt_efi_arch}
-%{expand:%do_alt_efi_build %%{grubaltefiarch} %%{grubaltefiname} %%{grubalteficdname} %%{_alt_target_platform} %%{alt_efi_target_cflags} %%{alt_efi_host_cflags} %{SOURCE13} %{SOURCE14} centossecureboot001}
+%{expand:%do_alt_efi_build %%{grubaltefiarch} %%{grubaltefiname} %%{grubalteficdname} %%{_alt_target_platform} %%{alt_efi_target_cflags} %%{alt_efi_host_cflags} %{SOURCE13} %{SOURCE14} redhatsecureboot301}
%endif
%if 0%{with_legacy_arch}
%{expand:%do_legacy_build %%{grublegacyarch}}
@@ -502,12 +498,54 @@ fi
%endif
%changelog
-* Tue Sep 10 2019 CentOS Sources <bugs@centos.org> - 2.02-66.el8.centos.1
-- Apply debranding changes
+* Thu Sep 26 2019 Javier Martinez Canillas <javierm@redhat.com> - 2.02-77
+- 10_linux_bls: don't add --users option to generated menu entries
+ Resolves: rhbz#1755815
-* Fri Aug 23 2019 Javier Martinez Canillas <javierm@redhat.com> - 2.02-66.el8_0.1
+* Fri Aug 09 2019 Javier Martinez Canillas <javierm@redhat.com> - 2.02-76
- Include regexp module in EFI builds
- Resolves: rhbz#1743549
+ Resolves: rhbz#1737670
+
+* Wed Jun 19 2019 Javier Martinez Canillas <javierm@redhat.com> - 2.02-75
+- Fix setting default entry on ppc64le when using OPAL
+ Resolves: rhbz#1721815
+
+* Tue Jun 04 2019 Sergio Durigan Junior <sergiodj@redhat.com> - 2.02-74
+- Use '-g' instead of '-g3' when compiling grub2.
+ Related: rhbz#1653961
+
+* Wed May 29 2019 Peter Jones <pjones@redhat.com> - 2.02-73
+- Rebuild once again to try to get rpmdiff happy.
+ Related: rhbz#1653961
+
+* Mon May 27 2019 Javier Martinez Canillas <javierm@redhat.com> - 2.02-72
+- Build with the correct target
+ Related: rhbz#1653961
+
+* Fri May 24 2019 Peter Jones <pjones@redhat.com> - 2.02-71
+- Fix (a fourth time, due to a typo) how LDFLAGS works on non-efi platforms.
+ Related: rhbz#1653961
+
+* Thu May 23 2019 Peter Jones <pjones@redhat.com> - 2.02-70
+- Fix (once again) how CFLAGS and LDFLAGS propogate the settings for hardened
+ builds, because rpmdiff doesn't like the current way failing.
+ Related: rhbz#1653961
+
+* Tue May 21 2019 Javier Martinez Canillas <javierm@redhat.com> - 2.02-69
+- Enable package gating
+ Resolves: rhbz#1653961
+
+* Mon May 20 2019 Javier Martinez Canillas <javierm@redhat.com> - 2.02-68
+- Avoid grub2-efi package to overwrite existing /boot/grub2/grubenv file
+ Resolves: rhbz#1680572
+- Try to set -fPIE and friends on libgnu.a (pjones)
+- blscfg: fallback to default_kernelopts if BLS option field isn't set
+ Related: rhbz#1680572
+- Remove bogus load_env after blscfg command in 10_linux
+
+* Mon Apr 29 2019 Javier Martinez Canillas <javierm@redhat.com> - 2.02-67
+- Fix failure to request grub.cfg over HTTP
+ Resolves: rhbz#1490991
* Wed Dec 19 2018 Javier Martinez Canillas <javierm@redhat.com> - 2.02-66
- Fix grub.cfg-XXX look up when booting over TFTP