Commit 269e8777 authored by Rocky Automation's avatar Rocky Automation :tv:

import shim-unsigned-x64-15.6-1.el8

parent 9f4f0903
SOURCES/shim-15.4.tar.bz2
SOURCES/shim-15.6.tar.bz2
d70485792a300bfa66f551adf7ae766451dfe7c0 SOURCES/shim-15.4.tar.bz2
3df0ab5cefc74fdf865cb36aea0e923cb4b6b3ed SOURCES/shim-15.6.tar.bz2
shim.rocky,1,Rocky Linux,shim,15.4-4,security@rockylinux.org
shim.rocky,2,Rocky Linux,shim,15.6,security@rockylinux.org
......@@ -20,9 +20,9 @@ fi
findsource()
{
(
cd "${RPM_BUILD_ROOT}"
find usr/src/debug/ -type d | sed -e "s,^,%dir /," | sort -u | tac
find usr/src/debug/ -type f | sed -e "s,^,/," | sort -u | tac
cd ${RPM_BUILD_ROOT}
find usr/src/debug/ -type d | sed "s,^,%dir /,"
find usr/src/debug/ -type f | sed "s,^,/,"
)
}
......@@ -32,12 +32,9 @@ finddebug()
declare -a dirs=()
declare -a files=()
declare -a excludes=()
declare -a tmp=()
pushd "${RPM_BUILD_ROOT}" >/dev/null 2>&1
mapfile -t tmp < <(find usr/lib/debug/ -type f -iname "*.efi.debug")
for x in "${tmp[@]}" ; do
pushd ${RPM_BUILD_ROOT} >/dev/null 2>&1
for x in $(find usr/lib/debug/ -type f -iname *.efi.debug); do
if ! [ -e "${x}" ]; then
break
fi
......@@ -60,10 +57,8 @@ finddebug()
excludes[${#excludes[@]}]=${x%%.debug}
fi
done
for x in "${files[@]}" ; do
declare name
name=$(dirname "/${x}")
for x in ${files[@]} ; do
declare name=$(dirname /${x})
while [ "${name}" != "/" ]; do
case "${name}" in
"/usr/lib/debug"|"/usr/lib"|"/usr")
......@@ -72,24 +67,24 @@ finddebug()
dirs[${#dirs[@]}]=${name}
;;
esac
name=$(dirname "${name}")
name=$(dirname ${name})
done
done
popd >/dev/null 2>&1
for x in "${dirs[@]}" ; do
for x in ${dirs[@]} ; do
echo "%dir ${x}"
done | sort | uniq
for x in "${files[@]}" ; do
for x in ${files[@]} ; do
echo "/${x}"
done | sort | uniq
for x in "${excludes[@]}" ; do
for x in ${excludes[@]} ; do
echo "%exclude /${x}"
done
}
findsource > "build-${mainarch}/debugsource.list"
finddebug "${mainarch}" > "build-${mainarch}/debugfiles.list"
findsource > build-${mainarch}/debugsource.list
finddebug ${mainarch} > build-${mainarch}/debugfiles.list
if [ -v altarch ]; then
finddebug "${altarch}" > "build-${altarch}/debugfiles.list"
finddebug ${altarch} > build-${altarch}/debugfiles.list
fi
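Review bot: The `for x in $(find usr/lib/debug/ -type f -iname *.efi.debug)` form in the second hunk word-splits find's output and leaves the `*.efi.debug` pattern exposed to pathname expansion in the current directory before find ever sees it, and `declare name=$(dirname /${x})` in the third hunk hides dirname's exit status behind declare; the print order and the Version/Release lines in shim.spec suggest this unquoted variant is the incoming side, but that is inferred from layout rather than from markers. The safer shape is the one shown on the other side of the same hunks: `mapfile -t tmp < <(find usr/lib/debug/ -type f -iname '*.efi.debug')` followed by `for x in "${tmp[@]}"; do`, and `name=$(dirname "/${x}")` on its own line after `declare name`. The same missing quoting recurs on `pushd ${RPM_BUILD_ROOT}`, on the `${files[@]}`, `${dirs[@]}` and `${excludes[@]}` loops and on the `build-${mainarch}` redirections in the later hunks of this file, so whichever side lands, the quoted variant is the one to keep. finddebug begins before the second hunk, so its opening lines are not visible here.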
%global pesign_vre 0.106-1
%global gnuefi_vre 1:3.0.5-6
%global openssl_vre 1.0.2j
%global debug_package %{nil}
%global __debug_package 1
%global _binaries_in_noarch_packages_terminate_build 0
%global __debug_install_post %{SOURCE100} x64 ia32
%undefine _debuginfo_subpackages
%global efidir %(eval echo $(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/rocky/'))
%global shimrootdir %{_datadir}/shim/
%global shimversiondir %{shimrootdir}/%{version}-%{release}
......@@ -9,62 +16,25 @@
%global efialtarch ia32
%global shimaltdir %{shimversiondir}/%{efialtarch}
%global debug_package %{nil}
%global __debug_package 1
%global _binaries_in_noarch_packages_terminate_build 0
%global __debug_install_post %{SOURCE100} %{efiarch} %{efialtarch}
%undefine _debuginfo_subpackages
# currently here's what's in our dbx: nothing
%global dbxfile %{nil}
Name: shim-unsigned-%{efiarch}
Version: 15.4
Release: 4%{?dist}
Version: 15.6
Release: 1.el8
Summary: First-stage UEFI bootloader
ExclusiveArch: x86_64
License: BSD
URL: https://github.com/rhboot/shim
Source0: https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2
%if 0%{?dbxfile}
Source2: %{dbxfile}
%endif
# currently here's what's in our dbx:
# nothing.
Source2: dbx.esl
Source4: shim.patches
Source100: shim-find-debuginfo.sh
Source90000: sbat.rocky.csv
Source90001: rocky-root-ca.der
Patch2: 0001-Fix-handling-of-ignore_db-and-user_insecure_mode.patch
Patch3: 0002-shim-15.4-branch-update-.gitmodules-to-point-at-shim.patch
Patch4: 0003-Fix-a-broken-file-header-on-ia32.patch
Patch5: 0004-mok-allocate-MOK-config-table-as-BootServicesData.patch
Patch6: 0005-Don-t-call-QueryVariableInfo-on-EFI-1.10-machines.patch
Patch7: 0006-Post-process-our-PE-to-be-sure.patch
Patch8: 0007-Relax-the-check-for-import_mok_state.patch
Patch9: 0008-SBAT.md-trivial-fixes.patch
Patch10: 0009-SBAT.md-fix-will-should.patch
Patch11: 0010-shim-another-attempt-to-fix-load-options-handling.patch
Patch12: 0011-.gitignore-ignore-.gdb-not-just-.gdbinit.patch
Patch13: 0012-shim-rename-pause-to-wait_for_debug.patch
Patch14: 0013-test.h-make-some-of-the-asserts-a-little-more-friend.patch
Patch15: 0014-test.h-add-some-decls-for-some-of-the-stuff-in-efili.patch
Patch16: 0015-test.c-Conditionally-do-not-declare-stuff-that-s-in-.patch
Patch17: 0016-Make-test-cases-link-against-libefi.a.patch
Patch18: 0017-test.c-add-some-simple-mock-functions-for-BS-Allocat.patch
Patch19: 0018-test.h-add-assert_not_equal_.patch
Patch20: 0019-test-Add-a-basic-traceback-printer.patch
Patch21: 0020-shim-move-the-bulk-of-set_second_stage-to-its-own-fi.patch
Patch22: 0021-Add-a-tester-for-parse_load_options.patch
Patch23: 0022-shim-don-t-fail-on-the-odd-LoadOptions-length.patch
Patch24: 0023-arm-aa64-fix-the-size-of-.rela-sections.patch
Patch25: 0024-mok-fix-potential-buffer-overrun-in-import_mok_state.patch
Patch26: 0025-mok-relax-the-maximum-variable-size-check.patch
Patch27: 0026-Don-t-unhook-ExitBootServices-when-EBS-protection-is.patch
Patch28: PR393-1.patch
Patch29: PR393-2.patch
Patch30: PR396.patch
Patch31: PR399-1.patch
Patch32: PR399-2.patch
%include %{SOURCE4}
BuildRequires: gcc make
BuildRequires: elfutils-libelf-devel
......@@ -98,6 +68,7 @@ Provides: bundled(openssl) = %{openssl_vre}
%package debuginfo
Summary: Debug information for shim-unsigned-%{efiarch}
Requires: %{name}-debugsource = %{version}-%{release}
Group: Development/Debug
AutoReqProv: 0
BuildArch: noarch
......@@ -108,6 +79,7 @@ BuildArch: noarch
%package -n shim-unsigned-%{efialtarch}-debuginfo
Summary: Debug information for shim-unsigned-%{efialtarch}
Group: Development/Debug
Requires: %{name}-debugsource = %{version}-%{release}
AutoReqProv: 0
BuildArch: noarch
......@@ -124,7 +96,7 @@ BuildArch: noarch
%debug_desc
%prep
%autosetup -S git -n shim-%{version}
%autosetup -S git_am -n shim-%{version}
git config --unset user.email
git config --unset user.name
mkdir build-%{efiarch}
......@@ -137,14 +109,12 @@ MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
MAKEFLAGS+="ENABLE_SHIM_HASH=true "
MAKEFLAGS+="%{_smp_mflags}"
if [ -f "%{SOURCE90001}" ]; then
if [ -s "%{SOURCE90001}" ]; then
MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE90001}"
fi
%if 0%{?dbxfile}
if [ -f "%{SOURCE2}" ]; then
if [ -s "%{SOURCE2}" ]; then
MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
fi
%endif
cd build-%{efiarch}
make ${MAKEFLAGS} \
......@@ -153,8 +123,7 @@ make ${MAKEFLAGS} \
cd ..
cd build-%{efialtarch}
setarch linux32 -B make ${MAKEFLAGS} \
ARCH=%{efialtarch} \
setarch linux32 -B make ${MAKEFLAGS} ARCH=%{efialtarch} \
DEFAULT_LOADER='\\\\grub%{efialtarch}.efi' \
all
cd ..
......@@ -163,15 +132,13 @@ cd ..
COMMITID=$(cat commit)
MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
MAKEFLAGS+="ENABLE_SHIM_HASH=true "
if [ -f "%{SOURCE90001}" ]; then
MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true "
if [ -s "%{SOURCE90001}" ]; then
MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE90001}"
fi
%if 0%{?dbxfile}
if [ -f "%{SOURCE2}" ]; then
if [ -s "%{SOURCE2}" ]; then
MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
fi
%endif
cd build-%{efiarch}
make ${MAKEFLAGS} \
......@@ -181,8 +148,7 @@ make ${MAKEFLAGS} \
cd ..
cd build-%{efialtarch}
setarch linux32 make ${MAKEFLAGS} \
ARCH=%{efialtarch} \
setarch linux32 make ${MAKEFLAGS} ARCH=%{efialtarch} \
DEFAULT_LOADER='\\\\grub%{efialtarch}.efi' \
DESTDIR=${RPM_BUILD_ROOT} \
install-as-data install-debuginfo install-debugsource
......@@ -193,18 +159,18 @@ cd ..
%dir %{shimrootdir}
%dir %{shimversiondir}
%dir %{shimdir}
%{shimdir}/*.CSV
%{shimdir}/*.efi
%{shimdir}/*.hash
%{shimdir}/*.CSV
%files -n shim-unsigned-%{efialtarch}
%license COPYRIGHT
%dir %{shimrootdir}
%dir %{shimversiondir}
%dir %{shimaltdir}
%{shimaltdir}/*.CSV
%{shimaltdir}/*.efi
%{shimaltdir}/*.hash
%{shimaltdir}/*.CSV
%files debuginfo -f build-%{efiarch}/debugfiles.list
......@@ -213,87 +179,76 @@ cd ..
%files debugsource -f build-%{efiarch}/debugsource.list
%changelog
* Sun Nov 14 2021 Sherif Nagy <sherif@rockylinux.org> - 15.4-4
* Tue Aug 16 2022 Sherif Nagy <sherif@rockylinux.org> - 15.6-1
- shim 15.6
* Tue Aug 16 2022 Sherif Nagy <sherif@rockylinux.org> - 15.6-1
- Remove main branch
* Sun Nov 14 2021 Sherif Nagy <sherif@rockylinux.org> - 15.4-4
* Tue Aug 16 2022 Sherif Nagy <sherif@rockylinux.org> - 15.6-1
- Adding more patches based on review board feedback https://github.com/rhboot/shim-review/issues/194#issuecomment-894187000 and cherry-pick patches for shim-reivew git 15.4..4583db41ea58195956d4cdf97c43a195939f906b
* Sun Nov 14 2021 Sherif Nagy <sherif@rockylinux.org> - 15.4-4
* Tue Aug 16 2022 Sherif Nagy <sherif@rockylinux.org> - 15.6-1
- cherry-pick patches for shim-reivew git 15.4..4d64389c6c941d21548b06423b8131c872e3c3c7 and bump version to .1.2
* Sun Nov 14 2021 Sherif Nagy <sherif@rockylinux.org> - 15.4-4
* Tue Aug 16 2022 Sherif Nagy <sherif@rockylinux.org> - 15.6-1
- cherry-pick patches for shim-reivew git format-patch 15.4..9f973e4e95b1136b8c98051dbbdb1773072cc998
* Sun Nov 14 2021 Sherif Nagy <sherif@rockylinux.org> - 15.4-4
* Tue Aug 16 2022 Sherif Nagy <sherif@rockylinux.org> - 15.6-1
- Adding prod certs
* Sun Nov 14 2021 Sherif Nagy <sherif@rockylinux.org> - 15.4-4
* Tue Aug 16 2022 Sherif Nagy <sherif@rockylinux.org> - 15.6-1
- Updating Rocky test CA
* Sun Nov 14 2021 Sherif Nagy <sherif@rockylinux.org> - 15.4-4
* Tue Aug 16 2022 Sherif Nagy <sherif@rockylinux.org> - 15.6-1
- Adding Rocky testing CA
* Sun Nov 14 2021 Louis Abel <label@rockylinux.org> - 15.4-4
* Tue Aug 16 2022 Louis Abel <label@rockylinux.org> - 15.6-1
- Debranding work for shim-unsigned
* Thu Apr 01 2021 Peter Jones <pjones@redhat.com> - 15.4-4
- Fix the sbat data to actually match /this/ product.
Resolves: CVE-2020-14372
Resolves: CVE-2020-25632
Resolves: CVE-2020-25647
Resolves: CVE-2020-27749
Resolves: CVE-2020-27779
Resolves: CVE-2021-20225
Resolves: CVE-2021-20233
* Wed Mar 31 2021 Peter Jones <pjones@redhat.com> - 15.4-3
- Build with the correct certificate trust list for this OS.
Resolves: CVE-2020-14372
Resolves: CVE-2020-25632
Resolves: CVE-2020-25647
Resolves: CVE-2020-27749
Resolves: CVE-2020-27779
Resolves: CVE-2021-20225
Resolves: CVE-2021-20233
* Wed Mar 31 2021 Peter Jones <pjones@redhat.com> - 15.4-2
- Fix the ia32 build.
Resolves: CVE-2020-14372
Resolves: CVE-2020-25632
Resolves: CVE-2020-25647
Resolves: CVE-2020-27749
Resolves: CVE-2020-27779
Resolves: CVE-2021-20225
Resolves: CVE-2021-20233
* Tue Mar 30 2021 Peter Jones <pjones@redhat.com> - 15.4-1
- Update to shim 15.4
- Support for revocations via the ".sbat" section and SBAT EFI variable
- A new unit test framework and a bunch of unit tests
- No external gnu-efi dependency
- Better CI
Resolves: CVE-2020-14372
Resolves: CVE-2020-25632
Resolves: CVE-2020-25647
Resolves: CVE-2020-27749
Resolves: CVE-2020-27779
Resolves: CVE-2021-20225
Resolves: CVE-2021-20233
* Wed Mar 24 2021 Peter Jones <pjones@redhat.com> - 15.3-0~1
- Update to shim 15.3
- Support for revocations via the ".sbat" section and SBAT EFI variable
- A new unit test framework and a bunch of unit tests
- No external gnu-efi dependency
- Better CI
Resolves: CVE-2020-14372
Resolves: CVE-2020-25632
Resolves: CVE-2020-25647
Resolves: CVE-2020-27749
Resolves: CVE-2020-27779
Resolves: CVE-2021-20225
Resolves: CVE-2021-20233
* Wed Jun 01 2022 Peter Jones <pjones@redhat.com> - 15.6-1.el8
- Update to shim-15.6
Resolves: CVE-2022-28737
* Thu Sep 17 2020 Peter Jones <pjones@redhat.com> - 15-9.el8
- Fix an incorrect allocation size.
Related: rhbz#1877253
* Thu Jul 30 2020 Peter Jones <pjones@redhat.com> - 15-8
- Fix a load-address-dependent forever loop.
Resolves: rhbz#1861977
Related: CVE-2020-10713
Related: CVE-2020-14308
Related: CVE-2020-14309
Related: CVE-2020-14310
Related: CVE-2020-14311
Related: CVE-2020-15705
Related: CVE-2020-15706
Related: CVE-2020-15707
* Sat Jul 25 2020 Peter Jones <pjones@redhat.com> - 15-7
- Implement Lenny's workaround
Related: CVE-2020-10713
Related: CVE-2020-14308
Related: CVE-2020-14309
Related: CVE-2020-14310
Related: CVE-2020-14311
* Fri Jul 24 2020 Peter Jones <pjones@redhat.com> - 15-5
- Once more with the MokListRT config table patch added.
Related: CVE-2020-10713
Related: CVE-2020-14308
Related: CVE-2020-14309
Related: CVE-2020-14310
Related: CVE-2020-14311
* Thu Jul 23 2020 Peter Jones <pjones@redhat.com> - 15-4
- Rebuild for bug fixes and new signing keys
Related: CVE-2020-10713
Related: CVE-2020-14308
Related: CVE-2020-14309
Related: CVE-2020-14310
Related: CVE-2020-14311
* Wed Jun 05 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-3
- Make EFI variable copying fatal only on secureboot enabled systems
......
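Review bot: In the `@@ -163,15 +132,13 @@` hunk the line `MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true "` passes a define that the earlier `@@ -137,14 +109,12 @@` hunk never passes, where `MAKEFLAGS+="ENABLE_SHIM_HASH=true "` is an unchanged context line. If the ENABLE_HTTPBOOT line is the incoming side, as the print order and the Version/Release lines suggest, the two make runs are given different option sets: the flag is either ignored because the objects from the first run are already up to date, or it causes a rebuild during the install step with code paths the first run never compiled, and neither outcome is easy to reason about for a first-stage loader that is going out for signing review. Either give the first invocation the same `MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true "` line or drop ENABLE_HTTPBOOT from the second so a single flag set is used throughout. Both make invocations start outside the hunks shown, so the surrounding `cd build-*` context could not be checked here.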