# shim-unsigned-x64.spec
%global pesign_vre 0.106-1
%global openssl_vre 1.0.2j

%global efidir %(eval echo $(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/rocky/'))
%global shimrootdir %{_datadir}/shim/
%global shimversiondir %{shimrootdir}/%{version}-%{release}
%global efiarch x64
%global shimdir %{shimversiondir}/%{efiarch}
%global efialtarch ia32
%global shimaltdir %{shimversiondir}/%{efialtarch}

%global debug_package %{nil}
%global __debug_package 1
%global _binaries_in_noarch_packages_terminate_build 0
%global __debug_install_post %{SOURCE100} %{efiarch} %{efialtarch}
%undefine _debuginfo_subpackages

# currently here's what's in our dbx: nothing
%global dbxfile %{nil}

Name:                 shim-unsigned-%{efiarch}
Version:              15.4
Release:              4%{?dist}.1.3
Summary:              First-stage UEFI bootloader
ExclusiveArch:        x86_64
License:              BSD
URL:                  https://github.com/rhboot/shim
Source0:              https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2
%if 0%{?dbxfile}
Source2:              %{dbxfile}
%endif

Source100:            shim-find-debuginfo.sh
Source90000:          sbat.rocky.csv
Source90001:          rocky-root-ca.der

Patch2:               0001-Fix-handling-of-ignore_db-and-user_insecure_mode.patch
Patch3:               0002-shim-15.4-branch-update-.gitmodules-to-point-at-shim.patch
Patch4:               0003-Fix-a-broken-file-header-on-ia32.patch
Patch5:               0004-mok-allocate-MOK-config-table-as-BootServicesData.patch
Patch6:               0005-Don-t-call-QueryVariableInfo-on-EFI-1.10-machines.patch
Patch7:               0006-Post-process-our-PE-to-be-sure.patch
Patch8:               0007-Relax-the-check-for-import_mok_state.patch
Patch9:               0008-SBAT.md-trivial-fixes.patch
Patch10:              0009-SBAT.md-fix-will-should.patch
Patch11:              0010-shim-another-attempt-to-fix-load-options-handling.patch
Patch12:              0011-.gitignore-ignore-.gdb-not-just-.gdbinit.patch
Patch13:              0012-shim-rename-pause-to-wait_for_debug.patch
Patch14:              0013-test.h-make-some-of-the-asserts-a-little-more-friend.patch
Patch15:              0014-test.h-add-some-decls-for-some-of-the-stuff-in-efili.patch
Patch16:              0015-test.c-Conditionally-do-not-declare-stuff-that-s-in-.patch
Patch17:              0016-Make-test-cases-link-against-libefi.a.patch
Patch18:              0017-test.c-add-some-simple-mock-functions-for-BS-Allocat.patch
Patch19:              0018-test.h-add-assert_not_equal_.patch
Patch20:              0019-test-Add-a-basic-traceback-printer.patch
Patch21:              0020-shim-move-the-bulk-of-set_second_stage-to-its-own-fi.patch
Patch22:              0021-Add-a-tester-for-parse_load_options.patch
Patch23:              0022-shim-don-t-fail-on-the-odd-LoadOptions-length.patch
Patch24:              0023-arm-aa64-fix-the-size-of-.rela-sections.patch
Patch25:              0024-mok-fix-potential-buffer-overrun-in-import_mok_state.patch
Patch26:              0025-mok-relax-the-maximum-variable-size-check.patch
Patch27:              0026-Don-t-unhook-ExitBootServices-when-EBS-protection-is.patch
Patch28:              PR393-1.patch
Patch29:              PR393-2.patch
Patch30:              PR396.patch
Patch31:              PR399-1.patch
Patch32:              PR399-2.patch

BuildRequires:        gcc make
BuildRequires:        elfutils-libelf-devel
Patch0038:            0038-tpm-Define-EFI_VARIABLE_DATA_TREE-as-packed.patch
Patch0039:            0039-MokManager-console-mode-modification-for-hi-dpi-scre.patch
Patch0040:            0040-MokManager-avoid-Werror-address-of-packed-member.patch
Patch0041:            0041-tpm-Don-t-log-duplicate-identical-events.patch
Patch0042:            0042-Slightly-better-debugging-messages.patch
Patch0043:            0043-Actually-check-for-errors-from-set_second_stage.patch
Patch0044:            0044-translate_slashes-don-t-write-to-string-literals.patch
Patch0045:            0045-shim-Update-EFI_LOADED_IMAGE-with-the-second-stage-l.patch
Patch0046:            0046-tpm-Include-information-about-PE-COFF-images-in-the-.patch
Patch0047:            0047-Fix-the-license-on-our-buildid-extractor.patch
Patch0048:            0048-Update-README.tpm.patch
Patch0049:            0049-Check-PxeReplyReceived-as-fallback-in-netboot.patch
Patch0050:            0050-Remove-a-couple-of-incorrect-license-claims.patch
Patch0051:            0051-MokManager-fix-uninitialized-value.patch
Patch0052:            0052-Fix-some-volatile-usage-gcc-whines-about.patch
Patch0053:            0053-MokManager-fix-a-wrong-allocation-failure-check.patch
Patch0054:            0054-simple_file-fix-uninitialized-variable-unchecked-ret.patch
Patch0055:            0055-Fix-a-broken-tpm-type.patch
Patch0056:            0056-Make-cert.S-not-impossible-to-read.patch
Patch0057:            0057-Add-support-for-vendor_db-built-in-shim-authorized-l.patch
Patch0058:            0058-Handle-binaries-with-multiple-signatures.patch
Patch0059:            0059-Make-openssl-accept-the-right-set-of-KU-EKUs.patch
Patch0060:            0060-Improve-debug-output-some.patch
Patch0061:            0061-Also-use-a-config-table-to-mirror-mok-variables.patch
Patch0062:            0062-Implement-lennysz-s-suggestions-for-MokListRT.patch
Patch0063:            0063-hexdump.h-fix-arithmetic-error.patch
Patch0064:            0064-Fix-some-mokmanager-deletion-paths.patch
Patch0065:            0065-Fix-buffer-overrun-due-DEFAULT_LOADER-length-miscalc.patch

BuildRequires:        git openssl-devel openssl
BuildRequires:        pesign >= %{pesign_vre}
BuildRequires:        gnu-efi >= %{gnuefi_vre}
BuildRequires:        gnu-efi-devel >= %{gnuefi_vre}

# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
# compatible with SysV (there's no red zone under UEFI) and there isn't a
# POSIX-style C library.
# BuildRequires:	OpenSSL
Provides:             bundled(openssl) = %{openssl_vre}

%global desc \
Initial UEFI bootloader that handles chaining to a trusted full \
bootloader under secure boot environments.
%global debug_desc \
This package provides debug information for package %{expand:%%{name}} \
Debug information is useful when developing applications that \
use this package or when debugging this package.

%description
%desc

%package -n shim-unsigned-%{efialtarch}
Summary:              First-stage UEFI bootloader (unsigned data)
Provides:             bundled(openssl) = %{openssl_vre}

%description -n shim-unsigned-%{efialtarch}
%desc

%package debuginfo
Summary:              Debug information for shim-unsigned-%{efiarch}
Requires:             %{name}-debugsource = %{version}-%{release}
Group:                Development/Debug
AutoReqProv:          0
BuildArch:            noarch

%description debuginfo
%debug_desc

%package -n shim-unsigned-%{efialtarch}-debuginfo
Summary:              Debug information for shim-unsigned-%{efialtarch}
Group:                Development/Debug
Requires:             %{name}-debugsource = %{version}-%{release}
AutoReqProv:          0
BuildArch:            noarch

%description -n shim-unsigned-%{efialtarch}-debuginfo
%debug_desc

%package debugsource
Summary:              Debug Source for shim-unsigned
Group:                Development/Debug
AutoReqProv:          0
BuildArch:            noarch

%description debugsource
%debug_desc

%prep
%autosetup -S git -n shim-%{version}
git config --unset user.email
git config --unset user.name
mkdir build-%{efiarch}
mkdir build-%{efialtarch}

%build
COMMITID=$(cat commit)
MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true "
MAKEFLAGS+="%{_smp_mflags}"
# The vendor certificate and vendor dbx are embedded only when the matching
# Source is defined and non-empty; otherwise the test fails on the literal
# "%{SOURCEn}" string and the build proceeds without a built-in vendor cert
# or dbx. No Source1 is declared in this spec, and %{dbxfile} is %{nil}, so
# Source2 is never declared either.
if [ -s "%{SOURCE1}" ]; then
	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
fi
if [ -s "%{SOURCE2}" ]; then
	MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
fi

cd build-%{efiarch}
make ${MAKEFLAGS} DEFAULT_LOADER='\\\\grub%{efiarch}.efi' all
cd ..

cd build-%{efialtarch}
setarch linux32 -B make ${MAKEFLAGS} ARCH=%{efialtarch} DEFAULT_LOADER='\\\\grub%{efialtarch}.efi' all
cd ..

%install
COMMITID=$(cat commit)
MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true "
if [ -s "%{SOURCE1}" ]; then
	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
fi
if [ -s "%{SOURCE2}" ]; then
	MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
fi

cd build-%{efiarch}
make ${MAKEFLAGS} \
	DEFAULT_LOADER='\\\\grub%{efiarch}.efi' \
	DESTDIR=${RPM_BUILD_ROOT} \
	install-as-data install-debuginfo install-debugsource
cd ..

cd build-%{efialtarch}
setarch linux32 make ${MAKEFLAGS} ARCH=%{efialtarch} \
	DEFAULT_LOADER='\\\\grub%{efialtarch}.efi' \
	DESTDIR=${RPM_BUILD_ROOT} \
	install-as-data install-debuginfo install-debugsource
cd ..
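The %build and %install sections above produce unsigned shim images whose SBAT CSV is carried as a .sbat section inside the PE file, and the *.efi files installed under %{shimdir} and %{shimaltdir} are what later go to a signing service. Before handing them over it is worth confirming both properties from the bytes rather than from the make output. What follows is an added example written for this page, not code from the spec or from the shim project: it walks the PE/COFF headers (the Certificate Table data directory sits at a different offset in the PE32 image built for ia32 than in the PE32+ image built for x64), parses and validates the .sbat rows against the six-column layout from shim's SBAT.md, and rejects an image that already carries Authenticode data. The toy PE builder and the shim.rocky vendor row are constructed fixtures; the real sbat.rocky.csv is not shown on this page.

```python
"""Added post-build checks for a shim-unsigned image (example code, not the spec's or shim's)."""
import struct

SBAT_FIELDS = ("component_name", "component_generation", "vendor_name",
               "vendor_package_name", "vendor_version", "vendor_url")  # row layout per shim's SBAT.md
PE32_MAGIC, PE32PLUS_MAGIC, SECURITY_DIR = 0x10B, 0x20B, 4  # data directory 4 is the Certificate Table

def pe_headers(data):
    """Return (optional_header_offset, number_of_sections, size_of_optional_header)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    return coff + 20, nsections, opt_size

def sections(data):
    """Yield (name, PointerToRawData, SizeOfRawData) from each 40-byte section header."""
    opt, nsections, opt_size = pe_headers(data)
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        yield data[off:off + 8].rstrip(b"\0").decode("ascii"), raw_ptr, raw_size

def read_section(data, wanted):
    for name, ptr, size in sections(data):
        if name == wanted:
            return data[ptr:ptr + size]
    raise KeyError(f"no {wanted} section")

def security_dir_offset(data):
    """File offset of the Certificate Table entry; directories start at 96 (PE32, ia32) or 112 (PE32+, x64)."""
    opt, _, _ = pe_headers(data)
    magic, = struct.unpack_from("<H", data, opt)
    return opt + {PE32_MAGIC: 96, PE32PLUS_MAGIC: 112}[magic] + 8 * SECURITY_DIR

def is_signed(data):
    offset, size = struct.unpack_from("<II", data, security_dir_offset(data))
    return offset != 0 and size != 0  # a populated Certificate Table means Authenticode data is attached

def parse_sbat(blob):
    """Parse .sbat text into one dict per row; reject rows that would not be valid SBAT entries."""
    rows = []
    for lineno, line in enumerate(blob.decode("ascii").rstrip("\0").splitlines(), 1):
        cols = line.split(",")
        if len(cols) != len(SBAT_FIELDS):
            raise ValueError(f".sbat line {lineno}: expected {len(SBAT_FIELDS)} fields, got {len(cols)}")
        row = dict(zip(SBAT_FIELDS, cols))
        if not row["component_generation"].isdigit() or int(row["component_generation"]) < 1:
            raise ValueError(f".sbat line {lineno}: generation must be a positive integer")
        rows.append(row)
    if not rows or rows[0]["component_name"] != "sbat":
        raise ValueError(".sbat must begin with the 'sbat' version row")
    return rows

def check_unsigned_shim(data):
    """Raise if the image is signed or its .sbat is malformed; otherwise return the SBAT rows."""
    if is_signed(data):
        raise ValueError("image carries an Authenticode signature; shim-unsigned must not")
    return parse_sbat(read_section(data, ".sbat"))

def build_toy_pe(section_map, pe32plus=True):
    """Constructed fixture: a minimal, non-bootable PE with the given sections and all data directories zero."""
    magic, opt_size = (PE32PLUS_MAGIC, 240) if pe32plus else (PE32_MAGIC, 224)
    e_lfanew, align = 0x40, 0x200
    data_start = -(-(e_lfanew + 24 + opt_size + 40 * len(section_map)) // align) * align
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, len(section_map), 0, 0, 0, opt_size, 2)
    opt = struct.pack("<H", magic) + b"\0" * (opt_size - 2)
    hdrs, body, ptr = b"", b"", data_start
    for name, content in section_map.items():
        padded = content + b"\0" * (-len(content) % align)
        hdrs += struct.pack("<8sIIIIIIHHI", name.encode(), len(content), ptr, len(padded), ptr, 0, 0, 0, 0, 0x40000040)
        body, ptr = body + padded, ptr + len(padded)
    head = dos + b"PE\0\0" + coff + opt + hdrs
    return head + b"\0" * (data_start - len(head)) + body

def append_fake_signature_table(data):
    """Constructed fixture: point the Certificate Table at 8 trailing bytes so is_signed() fires."""
    out = bytearray(data) + b"\0" * 8
    struct.pack_into("<II", out, security_dir_offset(data), len(data), 8)
    return bytes(out)

# Constructed .sbat content: shim's mandatory version row and its own row, plus a
# hypothetical Rocky vendor row (the real sbat.rocky.csv is not shown on this page).
SAMPLE_SBAT = (b"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
               b"shim,1,UEFI shim,shim,1,https://github.com/rhboot/shim\n"
               b"shim.rocky,1,Rocky Linux,shim,15.4-4,https://rockylinux.org\n")
TOY_SHIM = build_toy_pe({".text": b"\x90" * 16, ".sbat": SAMPLE_SBAT})

if __name__ == "__main__":  # usage: python3 this_script.py <path to a built shim .efi>
    import sys
    print(check_unsigned_shim(open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else TOY_SHIM))
```

Run it with a path to one of the *.efi files from the build root to check a real image; without an argument it checks the constructed fixture. A populated Certificate Table on a file in this package would mean a signed image slipped in where the signing step expects unsigned input, and a .sbat that does not start with the sbat version row or carries a non-numeric generation will be rejected by SBAT-enforcing firmware and shims later, so both are worth failing the build on.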

%files
%license COPYRIGHT
%dir %{shimrootdir}
%dir %{shimversiondir}
%dir %{shimdir}
%{shimdir}/*.efi
%{shimdir}/*.hash

%files -n shim-unsigned-%{efialtarch}
%license COPYRIGHT
%dir %{shimrootdir}
%dir %{shimversiondir}
%dir %{shimaltdir}
%{shimaltdir}/*.efi
%{shimaltdir}/*.hash

%files debuginfo -f build-%{efiarch}/debugfiles.list

%files -n shim-unsigned-%{efialtarch}-debuginfo -f build-%{efialtarch}/debugfiles.list

%files debugsource -f build-%{efiarch}/debugsource.list

%changelog
* Wed Mar 10 2021 Sherif Nagy <sherif@disroot.org> - 15-9
- Adding Rocky testing CA

* Wed Mar 10 2021 Louis Abel <label@rockylinux.org> - 15-9
- Debranding work for shim-unsigned

* Thu Sep 17 2020 Peter Jones <pjones@redhat.com> - 15-9.el8
- Fix an incorrect allocation size.
  Related: rhbz#1877253

* Thu Jul 30 2020 Peter Jones <pjones@redhat.com> - 15-8
- Fix a load-address-dependent forever loop.
  Resolves: rhbz#1861977
  Related: CVE-2020-10713
  Related: CVE-2020-14308
  Related: CVE-2020-14309
  Related: CVE-2020-14310
  Related: CVE-2020-14311
  Related: CVE-2020-15705
  Related: CVE-2020-15706
  Related: CVE-2020-15707

* Sat Jul 25 2020 Peter Jones <pjones@redhat.com> - 15-7
- Implement Lenny's workaround
  Related: CVE-2020-10713
  Related: CVE-2020-14308
  Related: CVE-2020-14309
  Related: CVE-2020-14310
  Related: CVE-2020-14311

* Fri Jul 24 2020 Peter Jones <pjones@redhat.com> - 15-5
- Once more with the MokListRT config table patch added.
  Related: CVE-2020-10713
  Related: CVE-2020-14308
  Related: CVE-2020-14309
  Related: CVE-2020-14310
  Related: CVE-2020-14311

* Thu Jul 23 2020 Peter Jones <pjones@redhat.com> - 15-4
- Rebuild for bug fixes and new signing keys
  Related: CVE-2020-10713
  Related: CVE-2020-14308
  Related: CVE-2020-14309
  Related: CVE-2020-14310
  Related: CVE-2020-14311

* Wed Jun 05 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-3
- Make EFI variable copying fatal only on secureboot enabled systems
  Resolves: rhbz#1715878
- Fix booting shim from an EFI shell using a relative path
  Resolves: rhbz#1717064

* Tue Feb 12 2019 Peter Jones <pjones@redhat.com> - 15-2
- Fix MoK mirroring issue which breaks kdump without intervention
  Related: rhbz#1668966

* Fri Jul 20 2018 Peter Jones <pjones@redhat.com> - 15-1
- Update to shim 15

* Tue Sep 19 2017 Peter Jones <pjones@redhat.com> - 13-3
- Actually update to the *real* 13 final.
  Related: rhbz#1489604

* Thu Aug 31 2017 Peter Jones <pjones@redhat.com> - 13-2
- Actually update to 13 final.

* Fri Aug 18 2017 Peter Jones <pjones@redhat.com> - 13-1
- Make a new shim-unsigned-x64 package like the shim-unsigned-aarch64 one.
- This will (eventually) supersede what's in the "shim" package so we can
  make "shim" hold the signed one, which will confuse fewer people.