flatcar · chewi · Nov 8, 2024 · Oct 3, 2024 · Oct 24, 2024
diff --git a/changelog/changes/2024-11-06-grub-2.12-flatcar3.md b/changelog/changes/2024-11-06-grub-2.12-flatcar3.md
@@ -0,0 +1 @@
+- grub 2.12-flatcar3: GRUB now includes many patches from Red Hat to support Secure Boot, as well as Flatcar's own patches. The version string includes a numbered "flatcar" suffix to track changes to these additional patches. This string can be seen in the GRUB menu. ([scripts#2431](https://github.com/flatcar/scripts/pull/2431))
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-boot/grub b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-boot/grub
@@ -1,7 +1,11 @@
-# Bump the flatcar version stated here every time we or Gentoo change patches
+# Bump the flatcar version stated here every time we or Red Hat change patches
 # that modify parts of GRUB that are installed to the boot partition. Reset the
 # version back to 1 when the upstream GRUB version changes.
-FLATCAR_VERSION=flatcar2
+FLATCAR_VERSION=flatcar3
+
+# Gentoo's patches conflict with Red Hat's patches, and none of Gentoo's patches
+# affect Flatcar, so skip them all.
+PATCHES=()
 
 # Adjust the version string for Flatcar. This propagates throughout the source.
 cros_pre_src_prepare_adjust_version() {

diff --git a/...iner/src/third_party/coreos-overlay/coreos/user-patches/sys-boot/grub/README.md b/...iner/src/third_party/coreos-overlay/coreos/user-patches/sys-boot/grub/README.md
@@ -15,6 +15,29 @@ to use a separate repo was scrapped, and two patch files were created. The patch
 files migrated only the essential commits, and dropped all the other commits, which
 were either half-baked, or redundant at the point of migration.
 
+From version 2.12, Flatcar has adopted Red Hat's large patch set. This fixes
+Secure Boot on arm64 and the TPM Event Log on amd64, among many other things.
+
+A further two patches are applied on top. One is for additional GPT
+functionality, and the other is for extracting the verity root hash from the
+initrd. Gentoo's upstream ebuild is used, but Gentoo's patches are discarded
+because they conflict and are not relevant to Flatcar.
+
+Finally, another patch is applied to fix the fallback mechanism, which was
+accidentally broken by Red Hat's patches. This has been submitted to Red Hat in
+[rhboot/grub2#195](https://github.com/rhboot/grub2/pull/195). It will hopefully
+be merged soon.
+
+## How to import the Red Hat patches
+
+Red Hat maintains a fork of GRUB on GitHub with branches for each Fedora release. Generate a diff between the latest upstream release and the latest Fedora branch.
+
+```
+git clone https://github.com/rhboot/grub2.git grub
+cd grub
+git diff grub-<VERSION>..fedora-<VERSION> -- . ':(exclude).gitignore' ':(exclude)bootstrap.conf' > grub-2.12-00-redhat.patch
+```
+
 ## Summary of the Flatcar patches
 
 The patch starts with adding a new implementation of reading the GPT instead
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		- grub 2.12-flatcar3: GRUB now includes many patches from Red Hat to support Secure Boot, as well as Flatcar's own patches. The version string includes a numbered "flatcar" suffix to track changes to these additional patches. This string can be seen in the GRUB menu. ([scripts#2431](https://github.com/flatcar/scripts/pull/2431))