From 3a37c7feed50cde3e2c5f619cb85c97a7c1b18d7 Mon Sep 17 00:00:00 2001 From: jmckenna Date: Fri, 6 Apr 2018 10:41:53 -0400 Subject: [PATCH] Uprev grub2 and shim Uprev grub and shim packages to new versions. The packages (grub in particullar) went through a major restructuring, including name change in output binary packages. This commit updates build tools and files to be aware of new names and handle the new packages Change-Id: I89636218bdb8e97d39e69e764ae376b643657f50 Depends-On: https://review.openstack.org/#/c/578440 --- build-tools/build-iso | 9 ++++---- build-tools/build-rpms-parallel | 8 +++++-- build-tools/build-rpms-serial | 8 +++++-- build-tools/build_iso/image.inc | 4 +--- build-tools/build_iso/minimal_rpm_list.txt | 5 ++--- build-tools/mk/_sign_pkgs.mk | 2 +- build-tools/patch-iso | 4 ++-- build-tools/{sign-build => sign-secure-boot} | 22 +++++++++++++------- build-tools/update-efiboot-image | 21 +++++++++++++++++-- 9 files changed, 56 insertions(+), 27 deletions(-) rename build-tools/{sign-build => sign-secure-boot} (95%) diff --git a/build-tools/build-iso b/build-tools/build-iso index 8677f838..18e0856b 100755 --- a/build-tools/build-iso +++ b/build-tools/build-iso @@ -296,8 +296,6 @@ function init_output_dir { perl -p -i -e "s/device=sda/device=${DEVICE}/g" $OUTPUT_DIST_DIR/isolinux/isolinux.cfg fi - - # Copy UEFI files \cp -L -ru $DISTRO_REPO_DIR/EFI/* $OUTPUT_DIST_DIR/isolinux/EFI/ \cp -L $INTERNAL_REPO_ROOT/addons/wr-cgcs/layers/cgcs/mwa-beas/bsp-files/grub.cfg $OUTPUT_DIST_DIR/isolinux/EFI/BOOT/grub.cfg 
@@ -357,7 +355,7 @@ function init_output_dir { if [ -f "$OUTPUT_DIR/efiboot.img" ]; then # The script update-efiboot-image was run outside the build-iso script, do nothing. - printf " The image file $OUTPUT_DIR/efiboot.img already exist\n" + printf " The image file $OUTPUT_DIR/efiboot.img already exists\n" else printf " The image file $OUTPUT_DIR/efiboot.img does not exist \n" if [ ! -f "$INTERNAL_REPO_ROOT/build-tools/update-efiboot-image" ]; then @@ -526,12 +524,13 @@ EOM \cd $WORKDIR extract_pkg_from_local_repo ${CGCS_REPO_DIR} pxe-network-installer - extract_pkg_from_local_repo ${CGCS_REPO_DIR} grub2-efi-pxeboot + extract_pkg_from_local_repo ${CGCS_REPO_DIR} grub2-efi-x64-pxeboot + extract_pkg_from_local_repo ${CGCS_REPO_DIR} grub2-efi-x64-modules \mkdir -p $OUTPUT_DIST_DIR/isolinux/pxeboot/EFI/centos/x86_64-efi \cp --preserve=all pxeboot/pxelinux.0 pxeboot/menu.c32 pxeboot/chain.c32 $OUTPUT_DIST_DIR/isolinux/pxeboot && - \cp --preserve=all pxeboot/EFI/centos/x86_64-efi/* $OUTPUT_DIST_DIR/isolinux/pxeboot/EFI/centos/x86_64-efi/ && + \cp --preserve=all usr/lib/grub/x86_64-efi/* $OUTPUT_DIST_DIR/isolinux/pxeboot/EFI/centos/x86_64-efi/ && \cp --preserve=all pxeboot/EFI/grubx64.efi $OUTPUT_DIST_DIR/isolinux/pxeboot/EFI/ if [ $? -ne 0 ]; then echo "Error: Could not copy all files from installer" diff --git a/build-tools/build-rpms-parallel b/build-tools/build-rpms-parallel index 4f922476..134388e6 100755 --- a/build-tools/build-rpms-parallel +++ b/build-tools/build-rpms-parallel @@ -54,6 +54,9 @@ SRPM_TO_RPM_MAP_FILE="$DEPENDANCY_DIR/srpm-to-rpm" UNBUILT_PATTERN_FILE="$MY_REPO/build-data/unbuilt_rpm_patterns" IMAGE_INC_FILE="$MY_REPO/build-tools/build_iso/image.inc" +SIGN_SECURE_BOOT="sign-secure-boot" +SIGN_SECURE_BOOT_LOG="sign-secure-boot.log" + export MOCK=/usr/bin/mock DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" 
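Review bot: The return status of the two new `extract_pkg_from_local_repo` calls in build-iso (`grub2-efi-x64-pxeboot` and `grub2-efi-x64-modules`) is not checked in the visible lines, so a package that is missing under its new name only shows up later as the generic "Could not copy all files from installer" error. The module copy now reads `usr/lib/grub/x86_64-efi/*` from whatever was unpacked into `$WORKDIR`, so I would fail at the extraction step instead, e.g. `extract_pkg_from_local_repo ${CGCS_REPO_DIR} grub2-efi-x64-modules || { echo "Error: could not extract grub2-efi-x64-modules"; exit 1; }`. This assumes the helper returns non-zero on failure; its definition is outside this hunk, and the enclosing block starts and ends outside it as well.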
@@ -261,6 +264,7 @@ recreate_repodata () { \mv repodata/*comps*xml comps.xml fi \rm -rf repodata + \rm -rf .repodata if [ -f comps.xml ]; then $CREATEREPO -g comps.xml --workers $(number_of_cpus) $(pwd) else @@ -2331,9 +2335,9 @@ if [ 0$FORMAL_BUILD -eq 1 ] && [ "$USER" == "jenkins" ]; then echo "We are jenkins, and we are trying to do a formal build -- calling signing server" echo " to sign boot RPMs with secure boot keys" - MY_WORKSPACE=$MY_WORKSPACE_TOP sign-build > $MY_WORKSPACE_TOP/export/sign-build.log 2>&1 + MY_WORKSPACE=$MY_WORKSPACE_TOP ${SIGN_SECURE_BOOT} > $MY_WORKSPACE_TOP/export/${SIGN_SECURE_BOOT_LOG} 2>&1 if [ $? -ne 0 ]; then - echo "Signing of packages failed -- see $MY_WORKSPACE_TOP/export/sign-build.log" + echo "Signing of packages failed -- see $MY_WORKSPACE_TOP/export/${SIGN_SECURE_BOOT_LOG}" exit 1 fi fi diff --git a/build-tools/build-rpms-serial b/build-tools/build-rpms-serial index b303ea05..0cf290bf 100755 --- a/build-tools/build-rpms-serial +++ b/build-tools/build-rpms-serial @@ -23,6 +23,9 @@ SRPM_TO_RPM_MAP_FILE="$DEPENDANCY_DIR/srpm-to-rpm" UNBUILT_PATTERN_FILE="$MY_REPO/build-data/unbuilt_rpm_patterns" IMAGE_INC_FILE="$MY_REPO/build-tools/build_iso/image.inc" +SIGN_SECURE_BOOT="sign-secure-boot" +SIGN_SECURE_BOOT_LOG="sign-secure-boot.log" + export MOCK=/usr/bin/mock DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" @@ -56,6 +59,7 @@ recreate_repodata () { \mv repodata/*comps*xml comps.xml fi \rm -rf repodata + \rm -rf .repodata if [ -f comps.xml ]; then $CREATEREPO -g comps.xml --workers $(number_of_cpus) $(pwd) else 
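Review bot: The added `\rm -rf .repodata` in recreate_repodata has no comment saying why a hidden directory is removed next to `repodata`; the same line is added to recreate_repodata in build-rpms-serial. A one-line comment would help the next reader, for example `# also remove createrepo's temporary .repodata, which an interrupted run can leave behind` (presumably the reason; confirm with the author). The function body continues outside the hunk.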
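Review bot: `${SIGN_SECURE_BOOT}` is a bare command name, so the secure-boot signing step of a formal build runs whichever `sign-secure-boot` comes first on the jenkins user's `PATH`. The script already computes `DIR` from `BASH_SOURCE` near the top, and the renamed script lives in the same build-tools directory, so invoking it as `"$DIR/${SIGN_SECURE_BOOT}"` would pin the signer to this checkout (assuming `DIR` is not reassigned before this point, which the hunk does not show). The redirect target `$MY_WORKSPACE_TOP/export/${SIGN_SECURE_BOOT_LOG}` is also unquoted. The same invocation is added in build-rpms-serial.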
@@ -1316,9 +1320,9 @@ if [ 0$FORMAL_BUILD -eq 1 ] && [ "$USER" == "jenkins" ]; then echo "We are jenkins, and we are trying to do a formal build -- calling signing server" echo " to sign boot RPMs with secure boot keys" - MY_WORKSPACE=$MY_WORKSPACE_TOP sign-build > $MY_WORKSPACE_TOP/export/sign-build.log 2>&1 + MY_WORKSPACE=$MY_WORKSPACE_TOP ${SIGN_SECURE_BOOT} > $MY_WORKSPACE_TOP/export/${SIGN_SECURE_BOOT_LOG} 2>&1 if [ $? -ne 0 ]; then - echo "Signing of packages failed -- see $MY_WORKSPACE_TOP/export/sign-build.log" + echo "Signing of packages failed -- see $MY_WORKSPACE_TOP/export/${SIGN_SECURE_BOOT_LOG}.log" exit 1 fi fi diff --git a/build-tools/build_iso/image.inc b/build-tools/build_iso/image.inc index 7cffdf79..bef7aaf8 100644 --- a/build-tools/build_iso/image.inc +++ b/build-tools/build_iso/image.inc @@ -21,9 +21,7 @@ dpkg filesystem-scripts fm-api gdb -grub2 -grub2-efi -grub2-efi-modules +grub2-efi-x64-modules grub2-tools haproxy io-monitor diff --git a/build-tools/build_iso/minimal_rpm_list.txt b/build-tools/build_iso/minimal_rpm_list.txt index 8dd533a6..04e17176 100644 --- a/build-tools/build_iso/minimal_rpm_list.txt +++ b/build-tools/build_iso/minimal_rpm_list.txt @@ -74,7 +74,7 @@ gpgme grep groff-base grub2 -grub2-efi +grub2-efi-x64 grub2-tools grubby gsettings-desktop-schemas @@ -229,8 +229,7 @@ rpm-libs rpm-python sed shared-mime-info -shim -shim-unsigned +shim-x64 slang snappy sqlite diff --git a/build-tools/mk/_sign_pkgs.mk b/build-tools/mk/_sign_pkgs.mk index 48c3c419..aa92b0e8 100644 --- a/build-tools/mk/_sign_pkgs.mk +++ b/build-tools/mk/_sign_pkgs.mk 
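Review bot: The failure message in build-rpms-serial prints `${SIGN_SECURE_BOOT_LOG}.log`, but `SIGN_SECURE_BOOT_LOG` is already set to `sign-secure-boot.log`, so the operator is pointed at a `sign-secure-boot.log.log` that is never written. The signer's output is redirected to `$MY_WORKSPACE_TOP/export/${SIGN_SECURE_BOOT_LOG}` two lines earlier, and build-rpms-parallel prints the name without the extra suffix. The line should read `echo "Signing of packages failed -- see $MY_WORKSPACE_TOP/export/${SIGN_SECURE_BOOT_LOG}"`.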
@@ -9,7 +9,7 @@ PKGS_LIST := $(wildcard *.rpm) # we need to skip the signature of some packages that # might be installed in file systems that do not support extended attributes # in the case of shim- and grub2-efi-, the UEFI configuration installs them in a VFAT file system -PKGS_TO_SKIP := $(wildcard grub2-efi-[0-9]*.x86_64.rpm shim-[0-9]*.x86_64.rpm) +PKGS_TO_SKIP := $(wildcard grub2-efi-[0-9]*.x86_64.rpm grub2-efi-x64-[0-9]*.x86_64.rpm shim-[0-9]*.x86_64.rpm shim-x64-[0-9]*.x86_64.rpm shim-ia32-[0-9]*.x86_64) PKGS_TO_SIGN = $(filter-out $(PKGS_TO_SKIP),$(PKGS_LIST)) diff --git a/build-tools/patch-iso b/build-tools/patch-iso index 47a8c1f2..3ead5974 100755 --- a/build-tools/patch-iso +++ b/build-tools/patch-iso @@ -259,13 +259,13 @@ fi \mkdir extract \cd extract -extract_pkg_from_patch_repo grub2-efi-pxeboot +extract_pkg_from_patch_repo grub2-x64-efi-pxeboot if [ $? -eq 0 ]; then # Replace files \rm -f ${BUILDDIR}/pxeboot/EFI/grubx64.efi && \cp --preserve=all pxeboot/EFI/grubx64.efi ${BUILDDIR}/pxeboot/EFI/ if [ $? -ne 0 ]; then - echo "Error: Failed to copy grub2-efi-pxeboot files" + echo "Error: Failed to copy grub2-x64-efi-pxeboot files" exit 1 fi fi diff --git a/build-tools/sign-build b/build-tools/sign-secure-boot similarity index 95% rename from build-tools/sign-build rename to build-tools/sign-secure-boot index ef496187..c4d00788 100755 --- a/build-tools/sign-build +++ b/build-tools/sign-secure-boot 
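Review bot: The last pattern in `PKGS_TO_SKIP`, `shim-ia32-[0-9]*.x86_64`, is missing the `.rpm` suffix that every other pattern carries, so `$(wildcard ...)` will not match a shim-ia32 RPM and it stays in `PKGS_TO_SIGN`. If the intent is to skip it like the other shim packages, the pattern should be `shim-ia32-[0-9]*.x86_64.rpm`. The comment above the variable still names only `shim-` and `grub2-efi-`; it could mention the new `-x64` and `-ia32` package names.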
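Review bot: patch-iso asks for `grub2-x64-efi-pxeboot`, while build-iso in this same commit extracts `grub2-efi-x64-pxeboot`; the two middle words are swapped. Because the copy is guarded by `if [ $? -eq 0 ]`, a name that never matches would skip the `grubx64.efi` replacement without any error, leaving the old boot loader in a patched ISO. Assuming the build-iso spelling is the real package name, both the call and the error message should use it: `extract_pkg_from_patch_repo grub2-efi-x64-pxeboot`.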
@@ -165,12 +165,19 @@ function update_repo return $RETCODE } -# sign_shims - find and sign any shim package that we need to +# sign_shims - find and sign any shim package that we need +# Note that shim might produce a "shim-unsigned-[verison-release] +# package (old shim) or shim-unsigned-x64-[v-r] & +# shim-unsigned-ia32 package (new shim). In the case of new shim, +# we must do x64 only, and not ia32. # function sign_shims { - SHIM=`find $MY_WORKSPACE/std/rpmbuild/RPMS -name "shim-unsigned-*.$ARCH.rpm" | grep -v debuginfo` - if [ "x${SHIM}" == "x" ]; then + SHIM=`find $MY_WORKSPACE/std/rpmbuild/RPMS -name "shim-unsigned-x64-*.$ARCH.rpm" | grep -v debuginfo` + if [ -z "$SHIM" ]; then + SHIM=`find $MY_WORKSPACE/std/rpmbuild/RPMS -name "shim-unsigned-*.$ARCH.rpm" | grep -v debuginfo` + fi + if [ -z "${SHIM}" ]; then echo "Warning -- cannot find shim package to sign" return 0 fi @@ -186,8 +193,8 @@ function sign_shims # function sign_grubs { - GRUB=`find $MY_WORKSPACE/std/rpmbuild/RPMS -name "grub2-efi-[1-9]*.$ARCH.rpm"` - UNSIGNED_GRUB=`find $MY_WORKSPACE/std/rpmbuild/RPMS -name "grub2-efi-unsigned*.$ARCH.rpm"` + GRUB=`find $MY_WORKSPACE/std/rpmbuild/RPMS -name "grub2-efi-x64-[1-9]*.$ARCH.rpm"` + UNSIGNED_GRUB=`find $MY_WORKSPACE/std/rpmbuild/RPMS -name "grub2-efi-x64-unsigned*.$ARCH.rpm"` if [ "x${GRUB}" == "x" ]; then echo "Warning -- cannot find GRUB package to sign" return 0 @@ -324,7 +331,8 @@ function sign fi # upload the unsigned package (if specified) - if [ "x$UNSIGNED" != "x" ]; then + if [ "x$UNSIGNED" != "x" ]; then + echo "Uploading unsigned: $UNSIGNED" scp -q $UNSIGNED $SIGNING_USER@$SIGNING_SERVER:$UPLOAD_PATH if [ $? -ne 0 ]; then echo "Failed to upload file $UNSIGNED" 
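Review bot: The fallback pattern `shim-unsigned-*.$ARCH.rpm` in sign_shims also matches `shim-unsigned-ia32-*` packages, which the new comment says must not be signed. It is only reached when no x64 package was found, but in that case an ia32 package would be picked up; excluding it in the fallback, e.g. `... | grep -v debuginfo | grep -v -- '-ia32-'`, keeps the code in line with the comment. Either `find` can also return more than one path when several versions sit in the RPMS tree; how `$SHIM` is consumed afterwards is outside the hunk, so it is worth checking that it copes with that. The comment has a typo (`verison`) and an unbalanced quote before `shim-unsigned-[`.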
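Review bot: sign_grubs now searches only for the new `grub2-efi-x64-*` names, with no fallback to the old `grub2-efi-*` names like the one sign_shims and update-efiboot-image get in this commit. When nothing matches, the visible context prints a warning and returns 0, so a formal build would continue without a secure-boot-signed grub. If old-style packages can still appear, add the same two-step lookup; if they cannot, consider returning non-zero here so the build stops. The pattern also uses `[1-9]*` where the other files in this commit use `[0-9]*`.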
@@ -356,7 +364,7 @@ function sign # and examine them later without them being overwriten. File paths are # typically of the form # - # /export/signed_images/XXXXXXX_grub2-efi-2.02-0.44.el7.centos.tis.3.x86_64.rpm + # /export/signed_images/XXXXXXX_grub2-efi-64-2.02-0.44.el7.centos.tis.3.x86_64.rpm # # Extract the output name, and copy the RPM back into our system # (Note that we overwrite our original version of the RPM) diff --git a/build-tools/update-efiboot-image b/build-tools/update-efiboot-image index 4c118c48..31e10bc3 100755 --- a/build-tools/update-efiboot-image +++ b/build-tools/update-efiboot-image @@ -62,6 +62,8 @@ function setup_env_vars { fi } +printf " Calling $0\n" + setup_env_vars printf " Calling $(basename $0)\n" @@ -136,8 +138,23 @@ ${SUDOPREFIX} cp $INTERNAL_REPO_ROOT/addons/wr-cgcs/layers/cgcs/mwa-beas/bsp-fil # To do this, we extract the RPMS, grab the two executables we need, and replace # the ones in the current filesystem TMPDIR=`mktemp -d` -SHIMPKG=`find $MY_WORKSPACE/std/rpmbuild/RPMS/shim-[0-9]*.x86_64.rpm` -GRUBPKG=`find $MY_WORKSPACE/std/rpmbuild/RPMS/grub2-efi-[0-9]*.x86_64.rpm` +SHIMPKG=`find $MY_WORKSPACE/std/rpmbuild/RPMS/shim-x64-[0-9]*.x86_64.rpm` +if [ -z "$SHIMPKG" ]; then + SHIMPKG=`find $MY_WORKSPACE/std/rpmbuild/RPMS/shim-[0-9]*.x86_64.rpm` +fi +if [ -z "$SHIMPKG" ]; then + printf " Error -- could not locate shim binary package" + exit 1 +fi + +GRUBPKG=`find $MY_WORKSPACE/std/rpmbuild/RPMS/grub2-efi-x64-[0-9]*.x86_64.rpm` +if [ -z "$GRUBPKG" ]; then + GRUBPKG=`find $MY_WORKSPACE/std/rpmbuild/RPMS/grub2-efi-[0-9]*.x86_64.rpm` +fi +if [ -z "$GRUBPKG" ]; then + printf " Error -- could not locate grub binary package" + exit 1 +fi pushd $TMPDIR >/dev/null rpm2cpio $SHIMPKG | cpio -id --quiet
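Review bot: The example path in the comment was changed to `XXXXXXX_grub2-efi-64-2.02-...`, but the package name used everywhere else in this commit is `grub2-efi-x64`. The comment should read `# /export/signed_images/XXXXXXX_grub2-efi-x64-2.02-0.44.el7.centos.tis.3.x86_64.rpm`. The function body continues outside the hunk.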
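Review bot: The added `printf " Calling $0\n"` duplicates the existing `printf " Calling $(basename $0)\n"` two lines below it, so the banner is printed twice. It also places `$0` inside the printf format string, where a `%` or backslash in the script path would be interpreted. If an early banner is wanted, `printf ' Calling %s\n' "$0"` does that and the later line can be dropped.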
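Review bot: Both new `exit 1` paths run after the `TMPDIR` assignment from `mktemp -d` in the context line above, so a missing shim or grub package leaves the temporary directory behind. Doing the package lookup before `mktemp`, or removing `$TMPDIR` before exiting, avoids that. The two error messages have no trailing `\n` and go to stdout; `printf ' Error -- could not locate shim binary package\n' >&2` would be clearer in build logs. If more than one version matches, `$SHIMPKG` and `$GRUBPKG` hold several paths and are passed unquoted to `rpm2cpio`; selecting exactly one, or failing on ambiguity, would make it explicit which boot binaries end up in the image.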