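# RPM spec for the NiceOS grub2 package.
# Builds GRUB out-of-tree for the pc (x86_64 only), emu and efi platforms,
# then assembles a standalone EFI image, embeds SBAT metadata and signs the
# image for Secure Boot.

%bcond_with bootstrap

%global debug_package %{nil}

# SBAT generation substituted into grub-sbat.csv.in during the install step.
# NOTE(review): SBAT revocation is expressed as a minimum generation per
# component, so a release that closes a vendor-specific Secure Boot bypass
# normally needs the vendor generation raised; confirm 1 is still correct for
# 2.14-1 given the security entries in the changelog below.
%global grub_niceos_generation 1

Name:           grub2
Version:        2.14
Release:        1%{?dist}
Summary:        GRUB2 bootloader for operating systems
Summary(ru):    Загрузчик GRUB2 для операционных систем
License:        GPL-3.0-or-later
URL:            https://www.gnu.org/software/grub
Source0:        https://ftp.gnu.org/gnu/grub/grub-%{version}.tar.xz
Source2:        grub-sbat.csv.in
Source3:        niceos-secureboot-signing.x509
Packager:       NICE SOFT GROUP LLC (ООО "НАЙС СОФТ ГРУПП") 5024245440
Vendor:         NiceSOFT
Distribution:   NiceOS.Core
BugURL:         https://bugs.niceos.ru/
VCS:            https://specs.niceos.ru/rmps/%{name}

BuildRequires:  autoconf
BuildRequires:  automake
BuildRequires:  autoconf-archive
BuildRequires:  binutils
BuildRequires:  bison
BuildRequires:  bzip2-devel
BuildRequires:  dejavu-sans-fonts
BuildRequires:  device-mapper-devel
BuildRequires:  flex
BuildRequires:  fuse-devel
BuildRequires:  gcc
BuildRequires:  gettext-devel
BuildRequires:  git
BuildRequires:  help2man
BuildRequires:  libtasn1-devel
BuildRequires:  ncurses-devel
BuildRequires:  openssl
BuildRequires:  pkgconf
BuildRequires:  python3
BuildRequires:  rpm-devel
BuildRequires:  rpm-libs
BuildRequires:  sbsigntools
BuildRequires:  squashfs-tools
BuildRequires:  texinfo
BuildRequires:  xz-devel
BuildRequires:  zlib-devel
BuildRequires:  libpng-devel
BuildRequires:  systemd-devel
BuildRequires:  brotli-devel
BuildRequires:  freetype2-devel

%description
GRUB2 (the GRand Unified Bootloader) is a flexible boot loader that can load
Linux and other operating systems. It supports many file systems and provides
a configurable and reliable boot process.

%description -l ru
GRUB2 (GRand Unified Bootloader) — гибкий загрузчик, позволяющий выбирать и
загружать Linux и другие операционные системы. Поддерживает множество файловых
систем и предоставляет настраиваемый и надежный процесс загрузки.

%ifarch x86_64
%package pc
Summary:        GRUB2 platform support for PC/BIOS systems
Summary(ru):    Поддержка платформы GRUB2 для систем PC/BIOS
Requires:       %{name} = %{version}-%{release}

%description -n %{name}-pc
This subpackage contains GRUB2 modules and files for the PC/BIOS platform
(i386-pc).

%description -l ru -n %{name}-pc
Подпакет содержит модули и файлы GRUB2 для платформы PC/BIOS (i386-pc).
%endif

%package efi
Summary:        GRUB2 platform support for EFI systems
Summary(ru):    Поддержка платформы GRUB2 для EFI-систем
Requires:       %{name} = %{version}-%{release}

%description -n %{name}-efi
This subpackage contains GRUB2 modules and files for EFI systems.

%description -l ru -n %{name}-efi
Подпакет содержит модули и файлы GRUB2 для EFI-систем.

%package emu
Summary:        GRUB2 bootloader emulator
Summary(ru):    Эмулятор загрузчика GRUB2
Requires:       %{name} = %{version}-%{release}

%description -n %{name}-emu
This subpackage provides a userspace GRUB2 emulator useful for testing and
debugging without rebooting.

%description -l ru -n %{name}-emu
Подпакет содержит пользовательский эмулятор GRUB2, полезный для тестирования
и отладки без перезагрузки системы.

%package efi-image
Summary:        EFI boot image for GRUB2
Summary(ru):    EFI-образ загрузчика GRUB2

%description -n %{name}-efi-image
This subpackage contains EFI boot images required to install and use GRUB2 on
EFI-capable systems.

%description -l ru -n %{name}-efi-image
Подпакет содержит EFI-загрузочные образы, необходимые для установки и
использования GRUB2 на системах с поддержкой EFI.

%prep
# NOTE(review): the tarball is unpacked without an upstream signature check in
# this spec; integrity then rests on whatever checksum the build system pins
# for Source0 - confirm that one is enforced.
# NOTE(review): no Patch entries are declared, so autosetup applies nothing.
# The CVE fixes named in the changelog would have to be part of the upstream
# 2.14 tarball itself - confirm, since the entry describes them as backports.
%autosetup -n grub-%{version}

%build
unset {C,CPP,CXX,LD}FLAGS

# Regenerate build system files because GRUB's generated files may need to
# match the current patched source tree.
sh ./autogen.sh

# GRUB 2.14 uses grub-core/extra_deps.lst while generating syminfo.lst.
# Because this spec builds out-of-tree, the file must exist inside every
# separate build directory, not only in the source tree.
# Must be called from inside a build directory, after configure has run.
create_extra_deps_lst() {
  if [ ! -d grub-core ]; then
    echo "ERROR: grub-core directory was not created by configure" >&2
    exit 1
  fi

  printf '%s\n' "depends bli part_gpt" > grub-core/extra_deps.lst

  if [ ! -s grub-core/extra_deps.lst ]; then
    echo "ERROR: failed to create grub-core/extra_deps.lst" >&2
    exit 1
  fi
}

%ifarch x86_64
# Legacy BIOS platform (i386-pc), built only on x86_64.
rm -rf build-for-pc install-for-pc
mkdir -p build-for-pc
pushd build-for-pc
sh ../configure \
    --prefix=%{_prefix} \
    --sbindir=%{_sbindir} \
    --sysconfdir=%{_sysconfdir} \
    --disable-werror \
    --disable-efiemu \
    --disable-nls \
    --with-grubdir=grub2 \
    --with-platform=pc \
    --target=i386 \
    --program-transform-name=s,grub,%{name}, \
    --with-bootdir="/boot"
create_extra_deps_lst
%make_build
%make_install DESTDIR=${PWD}/../install-for-pc
popd
%endif

# Userspace emulator platform.
rm -rf build-for-emu install-for-emu
mkdir -p build-for-emu
pushd build-for-emu
sh ../configure \
    --prefix=%{_prefix} \
    --sbindir=%{_sbindir} \
    --sysconfdir=%{_sysconfdir} \
    --disable-werror \
    --disable-nls \
    --with-grubdir=grub2 \
    --with-platform=emu \
    --target=%{_arch} \
    --program-transform-name=s,grub,%{name}, \
    --with-bootdir="/boot"
create_extra_deps_lst
%make_build
%make_install DESTDIR=${PWD}/../install-for-emu
popd

# EFI platform; its modules and grub2-mkimage are used below to build the
# signed EFI image.
rm -rf build-for-efi install-for-efi
mkdir -p build-for-efi
pushd build-for-efi
sh ../configure \
    --prefix=%{_prefix} \
    --sbindir=%{_sbindir} \
    --sysconfdir=%{_sysconfdir} \
    --disable-werror \
    --disable-efiemu \
    --with-grubdir=grub2 \
    --with-platform=efi \
    --target=%{_arch} \
    --program-transform-name=s,grub,%{name}, \
    --with-bootdir="/boot"
create_extra_deps_lst
%make_build
%make_install DESTDIR=${PWD}/../install-for-efi
popd

%install
unset {C,CPP,CXX,LD}FLAGS

mkdir -p %{buildroot}%{_sysconfdir}/default \
         %{buildroot}%{_sysconfdir}/sysconfig \
         %{buildroot}/boot/%{name}

# Merge the per-platform staging trees into the buildroot.
cp -apr install-for-emu/. %{buildroot}/.
cp -apr install-for-efi/. %{buildroot}/.
%ifarch x86_64
cp -apr install-for-pc/. %{buildroot}/.
%endif

touch %{buildroot}/boot/%{name}/grub.cfg
rm -rf %{buildroot}%{_infodir}

# Generate GRUB2 EFI image.
install -d %{buildroot}/boot/efi/EFI/BOOT

# Fill in the SBAT template; the result is embedded into the image below.
sed -e "s,@@VERSION@@,%{version},g" \
    -e "s,@@VERSION_RELEASE@@,%{version}-%{release},g" \
    -e "s,@@GRUB_NICEOS_GEN@@,%{grub_niceos_generation},g" \
    %{SOURCE2} > grub-sbat.csv

# An empty or half-substituted SBAT section would leave the signed image
# without usable revocation metadata, so fail here instead of shipping it.
if [ ! -s grub-sbat.csv ] || grep -q '@@' grub-sbat.csv; then
  echo "ERROR: grub-sbat.csv is empty or still contains an unexpanded @@ placeholder" >&2
  exit 1
fi

# Every module listed in efi_modules is linked into the signed image and so
# becomes part of the code that Secure Boot trusts; keep the list to what the
# boot path needs.
%ifarch x86_64
efi_platform=x86_64-efi
efi_output=grubx64.efi
efi_modules="fat iso9660 part_gpt part_msdos normal boot linux configfile loopback chain efifwsetup efi_gop efi_uga ls search search_label search_fs_uuid search_fs_file gfxterm gfxterm_background test all_video loadenv exfat ext2 udf halt gfxmenu png tga lsefi help probe echo lvm"
efi_config_arg=
%else
%ifarch aarch64
efi_platform=arm64-efi
efi_output=bootaa64.efi
efi_modules="fat iso9660 part_gpt part_msdos normal boot linux configfile loopback chain efifwsetup efi_gop efinet ls search search_label search_fs_uuid search_fs_file gfxterm gfxterm_background test all_video loadenv exfat ext2 udf halt gfxmenu png tga lsefi help probe echo"

# Embedded early config: locate the filesystem labelled rootfs and load the
# grub.cfg stored on it.
cat > grub-embed-config.cfg << EOF
search.fs_label rootfs root
configfile /boot/grub2/grub.cfg
EOF

efi_config_arg="-c grub-embed-config.cfg"
%else
echo "ERROR: unsupported EFI architecture: %{_arch}" >&2
exit 1
%endif
%endif

# Fail early with a readable message if the EFI platform tree is missing.
test -f "./install-for-efi/%{_libdir}/grub/${efi_platform}/moddep.lst" || {
  echo "ERROR: missing GRUB EFI platform directory or moddep.lst: ${efi_platform}" >&2
  echo "Available GRUB module directories:" >&2
  find ./install-for-efi/%{_libdir}/grub -maxdepth 2 -name moddep.lst -print >&2 || true
  exit 1
}

# efi_modules is deliberately unquoted: it is a space-separated module list.
for m in ${efi_modules}; do
  test -f "./install-for-efi/%{_libdir}/grub/${efi_platform}/${m}.mod" || {
    echo "ERROR: missing GRUB module for ${efi_platform}: ${m}.mod" >&2
    exit 1
  }
done

# efi_config_arg and efi_modules are deliberately unquoted so that an empty
# config argument disappears and the module list splits into words.
./install-for-efi/%{_bindir}/grub2-mkimage \
    -d "./install-for-efi/%{_libdir}/grub/${efi_platform}/" \
    -o "%{buildroot}/boot/efi/EFI/BOOT/${efi_output}" \
    -p /boot/grub2 \
    -O "${efi_platform}" \
    ${efi_config_arg} \
    --sbat=grub-sbat.csv \
    ${efi_modules}

# Sign EFI image for Secure Boot.
# The private key is taken from the build environment by path. If that
# variable is exported to rpmbuild, the build section (upstream autogen,
# configure and make) runs with the same environment.
# NOTE(review): consider signing in an isolated step or with a hardware-backed
# key - confirm against the project's signing policy.
: "${NICEOS_KERNEL_SIGNING_KEY:?NICEOS_KERNEL_SIGNING_KEY is not set}"
if [ ! -r "$NICEOS_KERNEL_SIGNING_KEY" ]; then
  echo "ERROR: Secure Boot signing key is not readable" >&2
  exit 1
fi

# The packaged certificate may be PEM or DER: use it as-is when it parses as
# PEM, otherwise convert it from DER into a local PEM copy.
secureboot_cert=%{SOURCE3}
if openssl x509 -in "$secureboot_cert" -noout >/dev/null 2>&1; then
  secureboot_cert_pem="$secureboot_cert"
else
  openssl x509 -inform DER -in "$secureboot_cert" -out secureboot-signing.pem
  secureboot_cert_pem=secureboot-signing.pem
fi

mv "%{buildroot}/boot/efi/EFI/BOOT/${efi_output}" \
   "%{buildroot}/boot/efi/EFI/BOOT/${efi_output}.unsigned"

sbsign \
    --key "$NICEOS_KERNEL_SIGNING_KEY" \
    --cert "$secureboot_cert_pem" \
    --output "%{buildroot}/boot/efi/EFI/BOOT/${efi_output}" \
    "%{buildroot}/boot/efi/EFI/BOOT/${efi_output}.unsigned"

# Listing signatures says nothing about who produced them. Check the signature
# against the packaged certificate so that a key/certificate mismatch or a
# broken signing step stops the build instead of shipping an image that
# firmware enrolled with this certificate would reject.
sbverify --cert "$secureboot_cert_pem" \
    "%{buildroot}/boot/efi/EFI/BOOT/${efi_output}"

# Print the embedded signature details into the build log.
sbverify --list "%{buildroot}/boot/efi/EFI/BOOT/${efi_output}"

# The unsigned copy must not end up in the efi-image subpackage.
rm -f "%{buildroot}/boot/efi/EFI/BOOT/${efi_output}.unsigned"

# Move bash completions from the legacy sysconfdir location to datadir.
mkdir -p %{buildroot}%{_datadir}/bash-completion/completions
if [ -d %{buildroot}%{_sysconfdir}/bash_completion.d ]; then
  if compgen -G "%{buildroot}%{_sysconfdir}/bash_completion.d/*" > /dev/null; then
    mv -v %{buildroot}%{_sysconfdir}/bash_completion.d/* \
          %{buildroot}%{_datadir}/bash-completion/completions/
  fi
  rmdir %{buildroot}%{_sysconfdir}/bash_completion.d 2>/dev/null || true
fi

%files
%defattr(-,root,root,-)
%dir %{_sysconfdir}/grub.d
%config %{_sysconfdir}/grub.d/00_header
%config %{_sysconfdir}/grub.d/10_linux
%config %{_sysconfdir}/grub.d/20_linux_xen
%config %{_sysconfdir}/grub.d/30_os-prober
%config %{_sysconfdir}/grub.d/30_uefi-firmware
%config(noreplace) %{_sysconfdir}/grub.d/40_custom
%config(noreplace) %{_sysconfdir}/grub.d/41_custom
%{_sysconfdir}/grub.d/README
%if %{without bootstrap}
%{_mandir}/man1/*
%{_mandir}/man8/*
%endif
%{_bindir}/grub2-protect
%{_bindir}/grub2-editenv
%{_bindir}/grub2-file
%{_bindir}/grub2-fstest
%{_bindir}/grub2-glue-efi
%{_bindir}/grub2-kbdcomp
%{_bindir}/grub2-menulst2cfg
%{_bindir}/grub2-mkfont
%{_bindir}/grub2-mkimage
%{_bindir}/grub2-mklayout
%{_bindir}/grub2-mknetdir
%{_bindir}/grub2-mkpasswd-pbkdf2
%{_bindir}/grub2-mkrelpath
%{_bindir}/grub2-mkrescue
%{_bindir}/grub2-mkstandalone
%{_bindir}/grub2-mount
%{_bindir}/grub2-render-label
%{_bindir}/grub2-script-check
%{_bindir}/grub2-syslinux2cfg
%{_sbindir}/grub2-bios-setup
%{_sbindir}/grub2-install
%{_sbindir}/grub2-macbless
%{_sbindir}/grub2-mkconfig
%{_sbindir}/grub2-ofpathname
%{_sbindir}/grub2-probe
%{_sbindir}/grub2-reboot
%{_sbindir}/grub2-set-default
%{_sbindir}/grub2-sparc64-setup
%{_datadir}/bash-completion/completions/*
%{_datadir}/grub/*
%ghost %config(noreplace) /boot/%{name}/grub.cfg
%{_sysconfdir}/grub.d/25_bli
%{_datadir}/locale/*/LC_MESSAGES/grub.mo

%ifarch x86_64
%files -n %{name}-pc
%defattr(-,root,root,-)
%{_libdir}/grub/i386-pc
%endif

%files -n %{name}-efi
%defattr(-,root,root,-)
%ifarch x86_64
%{_libdir}/grub/x86_64-efi
%endif
%ifarch aarch64
%{_libdir}/grub/*
%endif

%files -n %{name}-emu
%defattr(-,root,root,-)
%{_bindir}/%{name}-emu
%{_bindir}/%{name}-emu-lite
%{_libdir}/grub/*-emu

%files -n %{name}-efi-image
%defattr(-,root,root,-)
/boot/efi/EFI/BOOT/*

%changelog
* Tue May 26 2026 NiceOS Team - 2.14-1
- BUMP to 2.14
- Backport GRUB2 security fixes for HFS, squash4, UDF, and gettext issues (CVE-2024-45782, CVE-2024-56737, CVE-2025-0678, CVE-2025-0689, CVE-2025-1125, CVE-2025-61662).
- Reduce pre-boot memory-corruption and secure-boot bypass risk in grub2 modules and boot images.
- Внедрены backport-исправления безопасности GRUB2 для ошибок в HFS, squash4, UDF и gettext (CVE-2024-45782, CVE-2024-56737, CVE-2025-0678, CVE-2025-0689, CVE-2025-1125, CVE-2025-61662).
- Снижены риски повреждения памяти до загрузки ОС и обхода Secure Boot в модулях и загрузочных образах grub2.

* Fri Jan 09 2026 NiceOS Team - 2.12-1
- Initial build for NiceOS (Первая сборка для НАЙС.ОС)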