import from tagless source r8

08eea075 · Rocky Automation · 269e8777 · 08eea075 · 08eea075 · 08eea075
Commit 08eea075 authored 1 year ago by Rocky Automation
--- a/.gitignore
+++ b/.gitignore
 SOURCES/shim-15.6.tar.bz2
+SOURCES/shim-15.8.tar.bz2
--- a/.shim-unsigned-x64.metadata
+++ b/.shim-unsigned-x64.metadata
-3df0ab5cefc74fdf865cb36aea0e923cb4b6b3ed SOURCES/shim-15.6.tar.bz2
+a79f0a9b89f3681ab384865b1a46ab3f79d88b11b4ca59aa040ab03fffae80a9 SOURCES/shim-15.8.tar.bz2
--- a/SOURCES/sbat.rocky.csv
+++ b/SOURCES/sbat.rocky.csv
-shim.rocky,2,Rocky Linux,shim,15.6,security@rockylinux.org
+shim.rocky,2,Rocky Linux,shim,15.8,security@rockylinux.org
--- a/SPECS/shim-unsigned-x64.spec
+++ b/SPECS/shim-unsigned-x64.spec
@@ -16,37 +16,38 @@
 %global efialtarch ia32
 %global shimaltdir %{shimversiondir}/%{efialtarch}

-Name:                 shim-unsigned-%{efiarch}
-Version:              15.6
-Release:              1.el8
-Summary:              First-stage UEFI bootloader
-ExclusiveArch:        x86_64
-License:              BSD
-URL:                  https://github.com/rhboot/shim
-Source0:              https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2
-# currently here's what's in our dbx:
-# nothing.
-Source2:              dbx.esl
-Source4:              shim.patches
-
-Source100:            shim-find-debuginfo.sh
-Source90000:          sbat.rocky.csv
-Source90001:          rocky-root-ca.der
-
+# currently here's what's in our dbx: nothing
+%global dbxfile %{nil}
+Name:		shim-unsigned-%{efiarch}
+Version:	15.8
+Release:	1%{?dist}
+Summary:	First-stage UEFI bootloader
+ExclusiveArch:	x86_64
+License:	BSD
+URL:		https://github.com/rhboot/shim
+Source0:	https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2
+%if 0%{?dbxfile}
+Source2:	%{dbxfile}
+%endif
+Source3:	sbat.rocky.csv
+Source4:	shim.patches
+
+Source100:	shim-find-debuginfo.sh

 %include %{SOURCE4}

-BuildRequires:        gcc make
-BuildRequires:        elfutils-libelf-devel
-BuildRequires:        git openssl-devel openssl
-BuildRequires:        pesign >= %{pesign_vre}
-BuildRequires:        dos2unix findutils
+BuildRequires:	gcc make
+BuildRequires:	elfutils-libelf-devel
+BuildRequires:	git openssl-devel openssl
+BuildRequires:	pesign >= %{pesign_vre}
+BuildRequires:	dos2unix findutils
+BuildRequires:  system-sb-certs

 # Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
 # compatible with SysV (there's no red zone under UEFI) and there isn't a
 # POSIX-style C library.
 # BuildRequires:	OpenSSL
-Provides:             bundled(openssl) = %{openssl_vre}
+Provides:	bundled(openssl) = %{openssl_vre}

 %global desc \
 Initial UEFI bootloader that handles chaining to a trusted full \
@@ -60,37 +61,37 @@ use this package or when debugging this package.
 %desc

 %package -n shim-unsigned-%{efialtarch}
-Summary:              First-stage UEFI bootloader (unsigned data)
-Provides:             bundled(openssl) = %{openssl_vre}
+Summary:	First-stage UEFI bootloader (unsigned data)
+Provides:	bundled(openssl) = %{openssl_vre}

 %description -n shim-unsigned-%{efialtarch}
 %desc

 %package debuginfo
-Summary:              Debug information for shim-unsigned-%{efiarch}
-Requires:             %{name}-debugsource = %{version}-%{release}
-Group:                Development/Debug
-AutoReqProv:          0
-BuildArch:            noarch
+Summary:	Debug information for shim-unsigned-%{efiarch}
+Requires:	%{name}-debugsource = %{version}-%{release}
+Group:		Development/Debug
+AutoReqProv:	0
+BuildArch:	noarch

 %description debuginfo
 %debug_desc

 %package -n shim-unsigned-%{efialtarch}-debuginfo
-Summary:              Debug information for shim-unsigned-%{efialtarch}
-Group:                Development/Debug
-Requires:             %{name}-debugsource = %{version}-%{release}
-AutoReqProv:          0
-BuildArch:            noarch
+Summary:	Debug information for shim-unsigned-%{efialtarch}
+Group:		Development/Debug
+Requires:	%{name}-debugsource = %{version}-%{release}
+AutoReqProv:	0
+BuildArch:	noarch

 %description -n shim-unsigned-%{efialtarch}-debuginfo
 %debug_desc

 %package debugsource
-Summary:              Debug Source for shim-unsigned
-Group:                Development/Debug
-AutoReqProv:          0
-BuildArch:            noarch
+Summary:	Debug Source for shim-unsigned
+Group:		Development/Debug
+AutoReqProv:	0
+BuildArch:	noarch

 %description debugsource
 %debug_desc
@@ -101,20 +102,23 @@ git config --unset user.email
 git config --unset user.name
 mkdir build-%{efiarch}
 mkdir build-%{efialtarch}
-cp %{SOURCE90000} data/
+cp %{SOURCE3} data/

 %build
 COMMITID=$(cat commit)
 MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
 MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
 MAKEFLAGS+="ENABLE_SHIM_HASH=true "
+MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 "
 MAKEFLAGS+="%{_smp_mflags}"
-if [ -s "%{SOURCE90001}" ]; then
-	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE90001}"
+if [ -f "/etc/pki/sb-certs/secureboot-ca-x86_64.cer" ]; then
+	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=/etc/pki/sb-certs/secureboot-ca-x86_64.cer"
 fi
-if [ -s "%{SOURCE2}" ]; then
+%if 0%{?dbxfile}
+if [ -f "%{SOURCE2}" ]; then
 	MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
 fi
+%endif

 cd build-%{efiarch}
 make ${MAKEFLAGS} \
@@ -133,12 +137,15 @@ COMMITID=$(cat commit)
 MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
 MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
 MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true "
-if [ -s "%{SOURCE90001}" ]; then
-	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE90001}"
+MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 "
+if [ -f "/etc/pki/sb-certs/secureboot-ca-x86_64.cer" ]; then
+	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=/etc/pki/sb-certs/secureboot-ca-x86_64.cer"
 fi
-if [ -s "%{SOURCE2}" ]; then
+%if 0%{?dbxfile}
+if [ -f "%{SOURCE2}" ]; then
 	MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
 fi
+%endif

 cd build-%{efiarch}
 make ${MAKEFLAGS} \
@@ -179,98 +186,5 @@ cd ..
 %files debugsource -f build-%{efiarch}/debugsource.list

 %changelog
-* Tue Aug 16 2022 Sherif Nagy <sherif@rockylinux.org> - 15.6-1
- shim 15.6
-
-* Tue Aug 16 2022 Sherif Nagy <sherif@rockylinux.org> - 15.6-1
- Remove main branch
-
-* Tue Aug 16 2022 Sherif Nagy <sherif@rockylinux.org> - 15.6-1
- Adding more patches based on review board feedback https://github.com/rhboot/shim-review/issues/194#issuecomment-894187000 and cherry-pick patches for shim-reivew git 15.4..4583db41ea58195956d4cdf97c43a195939f906b
-
-* Tue Aug 16 2022 Sherif Nagy <sherif@rockylinux.org> - 15.6-1
- cherry-pick patches for shim-reivew git 15.4..4d64389c6c941d21548b06423b8131c872e3c3c7 and bump version to .1.2
-
-* Tue Aug 16 2022 Sherif Nagy <sherif@rockylinux.org> - 15.6-1
- cherry-pick patches for shim-reivew git format-patch 15.4..9f973e4e95b1136b8c98051dbbdb1773072cc998
-
-* Tue Aug 16 2022 Sherif Nagy <sherif@rockylinux.org> - 15.6-1
- Adding prod certs
-
-* Tue Aug 16 2022 Sherif Nagy <sherif@rockylinux.org> - 15.6-1
- Updating Rocky test CA
-
-* Tue Aug 16 2022 Sherif Nagy <sherif@rockylinux.org> - 15.6-1
- Adding Rocky testing CA
-
-* Tue Aug 16 2022 Louis Abel <label@rockylinux.org> - 15.6-1
- Debranding work for shim-unsigned
-
-* Wed Jun 01 2022 Peter Jones <pjones@redhat.com> - 15.6-1.el8
- Update to shim-15.6
-  Resolves: CVE-2022-28737
-
-* Thu Sep 17 2020 Peter Jones <pjones@redhat.com> - 15-9.el8
- Fix an incorrect allocation size.
-  Related: rhbz#1877253
-
-* Thu Jul 30 2020 Peter Jones <pjones@redhat.com> - 15-8
- Fix a load-address-dependent forever loop.
-  Resolves: rhbz#1861977
-  Related: CVE-2020-10713
-  Related: CVE-2020-14308
-  Related: CVE-2020-14309
-  Related: CVE-2020-14310
-  Related: CVE-2020-14311
-  Related: CVE-2020-15705
-  Related: CVE-2020-15706
-  Related: CVE-2020-15707
-
-* Sat Jul 25 2020 Peter Jones <pjones@redhat.com> - 15-7
- Implement Lenny's workaround
-  Related: CVE-2020-10713
-  Related: CVE-2020-14308
-  Related: CVE-2020-14309
-  Related: CVE-2020-14310
-  Related: CVE-2020-14311
-
-* Fri Jul 24 2020 Peter Jones <pjones@redhat.com> - 15-5
- Once more with the MokListRT config table patch added.
-  Related: CVE-2020-10713
-  Related: CVE-2020-14308
-  Related: CVE-2020-14309
-  Related: CVE-2020-14310
-  Related: CVE-2020-14311
-
-* Thu Jul 23 2020 Peter Jones <pjones@redhat.com> - 15-4
- Rebuild for bug fixes and new signing keys
-  Related: CVE-2020-10713
-  Related: CVE-2020-14308
-  Related: CVE-2020-14309
-  Related: CVE-2020-14310
-  Related: CVE-2020-14311
-
-* Wed Jun 05 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-3
- Make EFI variable copying fatal only on secureboot enabled systems
-  Resolves: rhbz#1715878
- Fix booting shim from an EFI shell using a relative path
-  Resolves: rhbz#1717064
-
-* Tue Feb 12 2019 Peter Jones <pjones@redhat.com> - 15-2
- Fix MoK mirroring issue which breaks kdump without intervention
-  Related: rhbz#1668966
-
-* Fri Jul 20 2018 Peter Jones <pjones@redhat.com> - 15-1
- Update to shim 15
-
-* Tue Sep 19 2017 Peter Jones <pjones@redhat.com> - 13-3
- Actually update to the *real* 13 final.
-  Related: rhbz#1489604
-
-* Thu Aug 31 2017 Peter Jones <pjones@redhat.com> - 13-2
- Actually update to 13 final.
-
-* Fri Aug 18 2017 Peter Jones <pjones@redhat.com> - 13-1
- Make a new shim-unsigned-x64 package like the shim-unsigned-aarch64 one.
- This will (eventually) supersede what's in the "shim" package so we can
-  make "shim" hold the signed one, which will confuse fewer people.
+* Mon Feb 12 2024 Louis Abel <label@resf.org> - 15.8-1
+- Update to shim-15.8