!152 [sync] PR-145: enable sbat and don't verify kernels twice

From: @openeuler-sync-bot 
Reviewed-by: @t_feng 
Signed-off-by: @t_feng

backport-grub-core-loader-arm64-linux.c-do-not-validate-kerne.patch

@@ -0,0 +1,58 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
+Date: Fri, 4 Mar 2022 11:29:31 +0100
+Subject: [PATCH] grub-core/loader/arm64/linux.c: do not validate kernel twice
+ 
+Call to grub_file_open(, GRUB_FILE_TYPE_LINUX_KERNEL) already passes
+the kernel file through shim-lock verifier when secureboot is on. Thus
+there is no need to validate the kernel image again. And when doing so
+again, duplicate PCR measurement is performed, breaking measurements
+compatibility with 2.04+linuxefi.
+ 
+This patch must not be ported to older editions of grub code bases
+that do not have verifiers framework, or it is not builtin, or
+shim-lock-verifier is an optional module.
+ 
+Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
+---
+ grub-core/loader/arm64/linux.c | 13 -------------
+ 1 file changed, 13 deletions(-)
+ 
+diff --git a/grub-core/loader/arm64/linux.c b/grub-core/loader/arm64/linux.c
+index f18d90bd749..d2af47c2c0a 100644
+--- a/grub-core/loader/arm64/linux.c
++++ b/grub-core/loader/arm64/linux.c
+@@ -34,7 +34,6 @@
+ #include <grub/i18n.h>
+ #include <grub/lib/cmdline.h>
+ #include <grub/verify.h>
+-#include <grub/efi/sb.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -341,7 +340,6 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+   grub_off_t filelen;
+   grub_uint32_t align;
+   void *kernel = NULL;
+-  int rc;
+ 
+   grub_dl_ref (my_mod);
+ 
+@@ -370,17 +368,6 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+       goto fail;
+     }
+ 
+-  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
+-    {
+-      rc = grub_linuxefi_secure_validate (kernel, filelen);
+-      if (rc <= 0)
+-	{
+-	  grub_error (GRUB_ERR_INVALID_COMMAND,
+-		      N_("%s has invalid signature"), argv[0]);
+-	  goto fail;
+-	}
+-    }
+-
+   if (grub_arch_efi_linux_check_image (kernel) != GRUB_ERR_NONE)
+     goto fail;
+   if (parse_pe_header (kernel, &kernel_size, &handover_offset, &align) != GRUB_ERR_NONE)

backport-grub-core-loader-efi-chainloader.c-do-not-validate-c.patch

@@ -0,0 +1,80 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
+Date: Fri, 4 Mar 2022 09:31:43 +0100
+Subject: [PATCH] grub-core/loader/efi/chainloader.c: do not validate
+ chainloader twice
+ 
+On secureboot systems, with shimlock verifier, call to
+grub_file_open(, GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE) will already
+pass the chainloader target through shim-lock protocol verify
+call. And create a TPM measurement. If verification fails,
+grub_cmd_chainloader will fail at file open time.
+ 
+This makes previous code paths for negative, and zero return codes
+from grub_linuxefi_secure_validate unreachable under secureboot. But
+also breaking measurements compatibility with 2.04+linuxefi codebases,
+as the chainloader file is passed through shim_lock->verify() twice
+(via verifier & direct call to grub_linuxefi_secure_validate)
+extending the PCRs twice.
+ 
+This reduces grub_loader options to perform
+grub_secureboot_chainloader when secureboot is on, and otherwise
+attempt grub_chainloader_boot.
+ 
+It means that booting with secureboot off, yet still with shim (which
+always verifies things successfully), will stop choosing
+grub_secureboot_chainloader, and opting for a more regular
+loadimage/startimage codepath. If we want to use the
+grub_secureboot_chainloader codepath in such scenarios we should adapt
+the code to simply check for shim_lock protocol presence /
+shim_lock->context() success?! But I am not sure if that is necessary.
+ 
+This patch must not be ported to older editions of grub code bases
+that do not have verifiers framework, or it is not builtin, or
+shim-lock-verifier is an optional module.
+ 
+Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
+---
+ grub-core/loader/efi/chainloader.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+ 
+diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
+index 3af6b122926..644cd2e56fe 100644
+--- a/grub-core/loader/efi/chainloader.c
++++ b/grub-core/loader/efi/chainloader.c
+@@ -906,7 +906,6 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
+   grub_efi_device_path_t *dp = 0;
+   char *filename;
+   void *boot_image = 0;
+-  int rc;
+ 
+   if (argc == 0)
+     return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
+@@ -1082,9 +1081,7 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
+       orig_dev = 0;
+     }
+ 
+-  rc = grub_linuxefi_secure_validate((void *)(unsigned long)address, fsize);
+-  grub_dprintf ("chain", "linuxefi_secure_validate: %d\n", rc);
+-  if (rc > 0)
++  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
+     {
+       grub_file_close (file);
+       grub_device_close (dev);
+@@ -1092,7 +1089,7 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
+ 		       grub_secureboot_chainloader_unload, 0);
+       return 0;
+     }
+-  else if (rc == 0)
++  else
+     {
+       grub_load_and_start_image(boot_image);
+       grub_file_close (file);
+@@ -1101,7 +1098,6 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
+ 
+       return 0;
+     }
+-  // -1 fall-through to fail
+ 
+ fail:
+   if (orig_dev)

backport-grub-core-loader-efi-linux.c-drop-now-unused-grub_li.patch

@@ -0,0 +1,83 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
+Date: Fri, 4 Mar 2022 11:36:09 +0100
+Subject: [PATCH] grub-core/loader/efi/linux.c: drop now unused
+ grub_linuxefi_secure_validate
+ 
+Drop the now unused grub_linuxefi_secure_validate() as all prior users
+of this API now rely on the shim-lock-verifier codepath instead.
+ 
+This patch must not be ported to older editions of grub code bases
+that do not have verifiers framework, or it is not builtin, or
+shim-lock-verifier is an optional module.
+ 
+Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
+---
+ grub-core/loader/efi/linux.c | 40 ----------------------------------------
+ include/grub/efi/linux.h     |  2 --
+ 2 files changed, 42 deletions(-)
+ 
+diff --git a/grub-core/loader/efi/linux.c b/grub-core/loader/efi/linux.c
+index 9260731c107..9265cf4200a 100644
+--- a/grub-core/loader/efi/linux.c
++++ b/grub-core/loader/efi/linux.c
+@@ -24,46 +24,6 @@
+ #include <grub/efi/pe32.h>
+ #include <grub/efi/linux.h>
+ 
+-#define SHIM_LOCK_GUID \
+- { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23} }
+-
+-struct grub_efi_shim_lock
+-{
+-  grub_efi_status_t (*verify) (void *buffer, grub_uint32_t size);
+-};
+-typedef struct grub_efi_shim_lock grub_efi_shim_lock_t;
+-
+-// Returns 1 on success, -1 on error, 0 when not available
+-int
+-grub_linuxefi_secure_validate (void *data, grub_uint32_t size)
+-{
+-  grub_efi_guid_t guid = SHIM_LOCK_GUID;
+-  grub_efi_shim_lock_t *shim_lock;
+-  grub_efi_status_t status;
+-
+-  shim_lock = grub_efi_locate_protocol(&guid, NULL);
+-  grub_dprintf ("secureboot", "shim_lock: %p\n", shim_lock);
+-  if (!shim_lock)
+-    {
+-      grub_dprintf ("secureboot", "shim not available\n");
+-      return 0;
+-    }
+-
+-  grub_dprintf ("secureboot", "Asking shim to verify kernel signature\n");
+-  status = shim_lock->verify (data, size);
+-  grub_dprintf ("secureboot", "shim_lock->verify(): %ld\n", (long int)status);
+-  if (status == GRUB_EFI_SUCCESS)
+-    {
+-      grub_dprintf ("secureboot", "Kernel signature verification passed\n");
+-      return 1;
+-    }
+-
+-  grub_dprintf ("secureboot", "Kernel signature verification failed (0x%lx)\n",
+-		(unsigned long) status);
+-
+-  return -1;
+-}
+-
+ #pragma GCC diagnostic push
+ #pragma GCC diagnostic ignored "-Wcast-align"
+ 
+diff --git a/include/grub/efi/linux.h b/include/grub/efi/linux.h
+index 0033d9305a9..887b02fd9f3 100644
+--- a/include/grub/efi/linux.h
++++ b/include/grub/efi/linux.h
+@@ -22,8 +22,6 @@
+ #include <grub/err.h>
+ #include <grub/symbol.h>
+ 
+-int
+-EXPORT_FUNC(grub_linuxefi_secure_validate) (void *data, grub_uint32_t size);
+ grub_err_t
+ EXPORT_FUNC(grub_efi_linux_boot) (void *kernel_address, grub_off_t offset,
+ 				  void *kernel_param);

backport-grub-core-loader-i386-efi-linux.c-do-not-validate-ke.patch

@@ -0,0 +1,73 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
+Date: Thu, 3 Mar 2022 13:10:56 +0100
+Subject: [PATCH] grub-core/loader/i386/efi/linux.c: do not validate kernels
+ twice
+ 
+On codebases that have shim-lock-verifier built into the grub core
+(like 2.06 upstream), shim-lock-verifier is in enforcing mode when
+booted with secureboot. It means that grub_cmd_linux() command
+attempts to perform shim validate upon opening linux kernel image,
+including kernel measurement. And the verifier correctly returns file
+open error when shim validate protocol is not present or shim fails to
+validate the kernel.
+ 
+This makes the call to grub_linuxefi_secure_validate() redundant, but
+also harmful. As validating the kernel image twice, extends the PCRs
+with the same measurement twice. Which breaks existing sealing
+policies when upgrading from grub2.04+rhboot+sb+linuxefi to
+grub2.06+rhboot+sb+linuxefi builds. It is also incorrect to measure
+the kernel twice.
+ 
+This patch must not be ported to older editions of grub code bases
+that do not have verifiers framework, or it is not builtin, or
+shim-lock-verifier is an optional module.
+ 
+This patch is tested to ensure that unsigned kernels are not possible
+to boot in secureboot mode when shim rejects kernel, or shim protocol
+is missing, and that the measurements become stable once again. The
+above also ensures that CVE-2020-15705 is not reintroduced.
+ 
+Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
+---
+ grub-core/loader/i386/efi/linux.c | 13 -------------
+ 1 file changed, 13 deletions(-)
+ 
+diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
+index 3cf0f9b330b..941df6400b9 100644
+--- a/grub-core/loader/i386/efi/linux.c
++++ b/grub-core/loader/i386/efi/linux.c
+@@ -30,7 +30,6 @@
+ #include <grub/cpu/efi/memory.h>
+ #include <grub/tpm.h>
+ #include <grub/safemath.h>
+-#include <grub/efi/sb.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -278,7 +277,6 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+   grub_ssize_t start, filelen;
+   void *kernel = NULL;
+   int setup_header_end_offset;
+-  int rc;
+ 
+   grub_dl_ref (my_mod);
+ 
+@@ -308,17 +306,6 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+       goto fail;
+     }
+ 
+-  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
+-    {
+-      rc = grub_linuxefi_secure_validate (kernel, filelen);
+-      if (rc <= 0)
+-	{
+-	  grub_error (GRUB_ERR_INVALID_COMMAND,
+-		      N_("%s has invalid signature"), argv[0]);
+-	  goto fail;
+-	}
+-    }
+-
+   lh = (struct linux_i386_kernel_header *)kernel;
+   grub_dprintf ("linux", "original lh is at %p\n", kernel);
+

grub.macros

@@ -19,12 +19,13 @@
 		-e 's/-O. //g'					\\\
 		-e 's/-g /-g3 /g'				\\\
 		-e 's/-fplugin=annobin //g'			\\\
-		-e 's,-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 ,,g' \\\
+		-e 's,-specs=[[:alnum:]/_-]*annobin[[:alnum:]_-]* ,,g' \\\
 		-e 's/-fstack-protector[[:alpha:]-]\\+//g'	\\\
 		-e 's/-Wp,-D_FORTIFY_SOURCE=[[:digit:]]\\+//g'	\\\
 		-e 's/--param=ssp-buffer-size=4//g'		\\\
 		-e 's/-mregparm=3/-mregparm=4/g'		\\\
 		-e 's/-fexceptions//g'				\\\
+		-e 's/-fcf-protection//g'			\\\
 		-e 's/-fasynchronous-unwind-tables//g'		\\\
 		-e 's/^/ -fno-strict-aliasing /'		\\\
 		%{nil}
@@ -49,6 +50,7 @@
 
 %global ldflags_sed						\\\
 	sed							\\\
+		-e 's,-specs=[[:alnum:]/_-]*annobin[[:alnum:]_-]* ,,g' \\\
 		-e 's/^$//'					\\\
 		%{nil}
 
@@ -116,7 +118,7 @@
 %ifarch aarch64 %{arm}
 %global efi_modules " "
 %else
-%global efi_modules " backtrace chain usb usbserial_common usbserial_pl2303 usbserial_ftdi usbserial_usbdebug "
+%global efi_modules " backtrace chain tpm usb usbserial_common usbserial_pl2303 usbserial_ftdi usbserial_usbdebug keylayouts at_keyboard "
 %endif
 
 %ifarch aarch64 %{arm}
@@ -353,6 +355,7 @@ sh bootstrap							\
     %{cc_equals}						\\\
     HOST_CFLAGS="%{3} -I$(pwd)"					\\\
     HOST_CPPFLAGS="${CPPFLAGS} -I$(pwd)"			\\\
+    HOST_LDFLAGS="%{efi_host_ldflags}"			\\\
     TARGET_CFLAGS="%{2} -I$(pwd)"				\\\
     TARGET_CPPFLAGS="${CPPFLAGS} -I$(pwd)"			\\\
     TARGET_LDFLAGS="%{efi_target_ldflags}"			\\\
@@ -381,12 +384,22 @@ for x in grub-mkimage ; do					\\\
 done								\
 %{nil}
 
+%define do_install_protected_file()				\
+touch %{1}.conf							\
+echo %{1} > %{1}.conf						\
+install -d -m 755 ${RPM_BUILD_ROOT}/etc/dnf/protected.d/	\
+install -m 644 %{1}.conf ${RPM_BUILD_ROOT}/etc/dnf/protected.d/ \
+rm -f %{1}.conf							\
+%{nil}
+
 %ifarch x86_64 aarch64 %{arm}
 %define mkimage()						\
 %{4}./grub-mkimage -O %{1} -o %{2}.orig				\\\
-	-p /EFI/%{efi_vendor} -d grub-core ${GRUB_MODULES}	\
+	-p /EFI/%{efi_vendor} -d grub-core ${GRUB_MODULES}	\\\
+	--sbat %{4}./sbat.csv					\
 %{4}./grub-mkimage -O %{1} -o %{3}.orig				\\\
-	-p /EFI/BOOT -d grub-core ${GRUB_MODULES}		\
+	-p /EFI/BOOT -d grub-core ${GRUB_MODULES}		\\\
+	--sbat %{4}./sbat.csv					\
 install -m 700 %{2}.orig %{2}	\
 install -m 700 %{3}.orig %{3}	\
 %{nil}
@@ -402,18 +415,18 @@ install -m 700 %{3}.orig %{3}	\
 %define do_efi_build_images()					\
 GRUB_MODULES="	all_video boot blscfg btrfs			\\\
 		cat configfile cryptodisk			\\\
-		echo efi_netfs efifwsetup efinet ext2		\\\
+		echo efi_netfs efifwsetup efinet ext2 f2fs	\\\
 		fat font gcry_rijndael gcry_rsa gcry_serpent 	\\\
 		gcry_sha256 gcry_twofish gcry_whirlpool   	\\\
 		gfxmenu gfxterm gzio				\\\
 		halt hfsplus http increment iso9660 jpeg	\\\
 		loadenv loopback linux lvm lsefi lsefimmap luks	\\\
-		mdraid09 mdraid1x minicmd net			\\\
+		luks2 mdraid09 mdraid1x minicmd net		\\\
 		normal part_apple part_msdos part_gpt		\\\
 		password_pbkdf2 pgp png reboot			\\\
 		regexp search search_fs_uuid search_fs_file	\\\
 		search_label serial sleep syslinuxcfg test tftp	\\\
-		version video xfs"				\
+		version video xfs zstd "			\
 GRUB_MODULES+=%{efi_modules}					\
 %{expand:%%{mkimage %{1} %{2} %{3} %{4}}}			\
 %{nil}
@@ -441,6 +454,7 @@ cd grub-%{1}-%{tarversion}					\
     %{cc_equals}						\\\
     HOST_CFLAGS="%{legacy_host_cflags} -I$(pwd) "		\\\
     HOST_CPPFLAGS="-I$(pwd)"					\\\
+    HOST_LDFLAGS="%{legacy_host_ldflags}"			\\\
     TARGET_CFLAGS="%{legacy_target_cflags} -I$(pwd) "		\\\
     TARGET_CPPFLAGS="-I$(pwd)"					\\\
     TARGET_LDFLAGS="%{legacy_target_ldflags}"			\\\
@@ -460,6 +474,9 @@ cd ..								\
 cd grub-emu-%{tarversion}					\
 %configure							\\\
 	%{cc_equals}						\\\
+	HOST_CFLAGS="%{legacy_host_cflags}"			\\\
+	HOST_CPPFLAGS="-I$(pwd)"				\\\
+	HOST_LDFLAGS="%{legacy_host_ldflags}"			\\\
 	--with-platform=emu					\\\
 	--with-grubdir=%{name}					\\\
 	--program-transform-name=s,grub,%{name},		\\\
@@ -488,6 +505,7 @@ find . '(' -iname gdb_grub					\\\
 find $RPM_BUILD_ROOT -type f -iname "*.mod*" -exec chmod a-x {} '\;'	\
 install -m 700 %{2} $RPM_BUILD_ROOT%{efi_esp_dir}/%{2}	\
 install -m 700 %{3} $RPM_BUILD_ROOT%{efi_esp_dir}/%{3} \
+%{expand:%%do_install_protected_file %{name}-%{alt_package_arch}} \
 cd ..								\
 %{nil}
 
@@ -510,6 +528,7 @@ install -D -m 700 unicode.pf2					\\\
 	$RPM_BUILD_ROOT%{efi_esp_dir}/fonts/unicode.pf2		\
 ${RPM_BUILD_ROOT}/%{_bindir}/%{name}-editenv			\\\
 	${RPM_BUILD_ROOT}%{efi_esp_dir}/grubenv create		\
+%{expand:%%do_install_protected_file %{name}-%{package_arch}}	\
 cd ..								\
 %{nil}
 
@@ -532,6 +551,7 @@ if [ %{3} -eq 0 ]; then						\
 	${RPM_BUILD_ROOT}/%{_bindir}/%{name}-editenv		\\\
 		${RPM_BUILD_ROOT}/boot/%{name}/grubenv create	\
 fi								\
+%{expand:%%do_install_protected_file %{name}-%{legacy_package_arch}} \
 cd ..								\
 %{nil}
 
@@ -579,6 +599,7 @@ touch ${RPM_BUILD_ROOT}/boot/%{name}/grub.cfg			\
 %config(noreplace) %{_sysconfdir}/%{name}.cfg			\
 %ghost %config(noreplace) /boot/%{name}/grub.cfg		\
 %dir %attr(0700,root,root)/boot/loader/entries			\
+%attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/%{name}-%{1}.conf \
 								\
 %{expand:%if 0%{?with_legacy_modules}				\
 %{expand:%%files %{1}-modules}					\
@@ -602,6 +623,7 @@ touch ${RPM_BUILD_ROOT}/boot/%{name}/grub.cfg			\
 %dir %attr(0700,root,root)/boot/loader/entries			\
 %ghost %config(noreplace) %attr(0700,root,root)%{efi_esp_dir}/grub.cfg	\
 %ghost %config(noreplace) %attr(0700,root,root)%{efi_esp_dir}/grubenv	\
+%attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/%{name}-%{1}.conf \
 %{expand:%if 0%{?without_efi_modules}				\
 %exclude %{_libdir}/grub/%{6}					\
 %exclude %{_libdir}/grub/%{6}/*					\

grub.patches

@@ -202,5 +202,9 @@ Patch0201: 0201-fs-btrfs-Use-full-btrfs-bootloader-area.patch
 Patch0202: grub2-set-password-prompts-to-enter-the-current-pass.patch
 Patch0203: support-TPM2.0.patch
 Patch0204: use-default-timestamp.patch
-Patch0205: 0205-fix-setupmode-not-available-in-some-machine.patch
-Patch0206: 0206-remove-08_fallback_counting.in-apply-grubby.patch
+Patch0205: fix-setupmode-not-available-in-some-machine.patch
+Patch0206: remove-08_fallback_counting.in-apply-grubby.patch
+Patch0207: backport-grub-core-loader-i386-efi-linux.c-do-not-validate-ke.patch
+Patch0208: backport-grub-core-loader-arm64-linux.c-do-not-validate-kerne.patch
+Patch0209: backport-grub-core-loader-efi-chainloader.c-do-not-validate-c.patch
+Patch0210: backport-grub-core-loader-efi-linux.c-drop-now-unused-grub_li.patch

grub2.spec

@@ -14,7 +14,7 @@
 Name:		grub2
 Epoch:		1
 Version:	2.06
-Release:	3
+Release:	4
 Summary:	Bootloader with support for Linux, Multiboot and more
 License:	GPLv3+
 URL:		http://www.gnu.org/software/grub/
@@ -30,6 +30,7 @@ Source9:	strtoull_test.c
 Source10:	20-grub.install
 Source11:	bootstrap
 Source12:	bootstrap.conf
+Source13:	sbat.csv.in
 
 %include %{SOURCE1}
 %include %{SOURCE2}
@@ -46,7 +47,7 @@ BuildRequires:	pesign >= 0.99-8
 BuildRequires:	ccache
 %endif
 
-Obsoletes:  grub2 <= %{evr} grub < 1:0.98
+Obsoletes:	%{name} <= %{evr}
 
 %if 0%{with_legacy_arch}
 Requires:	%{name}-%{legacy_package_arch} = %{evr}
@@ -76,7 +77,8 @@ Common package for grub2.
 
 %package        tools
 Summary:    tools package for grub2
-Requires:   grub2-common = %{epoch}:%{version}-%{release}
+Obsoletes:	%{name}-tools < %{evr}
+Requires:   %{name}-common = %{epoch}:%{version}-%{release}
 Requires:   gettext os-prober which file
 Requires(pre):  dracut
 Requires(post): dracut
@@ -87,7 +89,7 @@ tools package for grub2.
 %package     tools-minimal
 Summary:     Support tools for GRUB.
 Requires:    gettext %{name}-common = %{epoch}:%{version}-%{release}
-Obsoletes:   grub2-tools < %{evr}
+Obsoletes:   %{name}-tools < %{evr}
 
 %description tools-minimal
 Support tools for GRUB.
@@ -97,7 +99,7 @@ Summary:     Support tools for GRUB.
 Requires:    gettext os-prober which file
 Requires:    %{name}-tools-minimal = %{epoch}:%{version}-%{release}
 Requires:    %{name}-common = %{epoch}:%{version}-%{release}
-Obsoletes:   grub2-tools < %{evr}
+Obsoletes:   %{name}-tools < %{evr}
 
 %description tools-extra
 Support tools for GRUB.
@@ -148,6 +150,8 @@ This subpackage provides the GRUB user-space emulation modules.
 mkdir grub-%{grubefiarch}-%{tarversion}
 grep -A100000 '# stuff "make" creates' .gitignore > grub-%{grubefiarch}-%{tarversion}/.gitignore
 cp %{SOURCE4} grub-%{grubefiarch}-%{tarversion}/unifont.pcf.gz
+sed -e "s,@@VERSION@@,%{version},g" -e "s,@@VERSION_RELEASE@@,%{version}-%{release},g" \
+    %{SOURCE13} > grub-%{grubefiarch}-%{tarversion}/sbat.csv
 git add grub-%{grubefiarch}-%{tarversion}
 %endif
 %if 0%{with_alt_efi_arch}
@@ -228,6 +232,7 @@ strip kernel.exec
 strip lnxboot.image
 popd
 %endif
+%{expand:%%do_install_protected_file %{name}-tools-minimal}
 
 %find_lang grub
 
@@ -378,6 +383,7 @@ fi
 %{_bindir}/%{name}-editenv
 %{_bindir}/%{name}-mkpasswd-pbkdf2
 %{_bindir}/%{name}-mount
+%attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/%{name}-tools-minimal.conf
 
 %files tools-extra
 %defattr(-,root,root)
@@ -426,6 +432,12 @@ fi
 %{_datadir}/man/man*
 
 %changelog
+* Fri Mar 25 2022 zhangqiumiao <zhangqiumiao1@huawei.com> - 2.06-4
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:enable sbat and don't verify kernels twice
+
 * Thu Mar 24 2022 zhangqiumiao <zhangqiumiao1@huawei.com> - 2.06-3
 - Type:bugfix
 - CVE:NA

sbat.csv.in

@@ -0,0 +1,3 @@
+sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
+grub,1,Free Software Foundation,grub,@@VERSION@@,https//www.gnu.org/software/grub/
+grub.openeuler,1,The openEuler Project,grub2,@@VERSION_RELEASE@@,https://gitee.com/src-openeuler/grub2