Commit 5ca9933a authored by Rocky Automation's avatar Rocky Automation 📺
Browse files

import shim-15.4-2.el8_1

parents
SOURCES/shimaa64.efi
SOURCES/shimia32.efi
SOURCES/shimx64.efi
8ab193ad7addd71e4a820081f36d47e5ef727d28 SOURCES/shimaa64.efi
d3178fb0a2d662e2457e4a5cd13d1224e2aac1c2 SOURCES/shimia32.efi
9fb692b46fc70fd07a9acbbabc8e1c50d0e9a481 SOURCES/shimx64.efi
Bshimaa64.efi,Red Hat Enterprise Linux,,This is the boot entry for Red Hat Enterprise Linux
Bshimia32.efi,Red Hat Enterprise Linux,,This is the boot entry for Red Hat Enterprise Linux
Bshimx64.efi,Red Hat Enterprise Linux,,This is the boot entry for Red Hat Enterprise Linux
%global debug_package %{nil}
%global __brp_mangle_shebangs_exclude_from_file %{expand:%{_builddir}/shim-%{efi_arch}-%{version}-%{release}.%{_target_cpu}-shebangs.txt}
%global vendor_token_str %{expand:%%{nil}%%{?vendor_token_name:-t "%{vendor_token_name}"}}
%global vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}}
%global bootcsvaa64 %{expand:%{SOURCE10}}
%global bootcsvia32 %{expand:%{SOURCE11}}
%global bootcsvx64 %{expand:%{SOURCE12}}
#%%global bootcsvarm %%{expand:%%{SOURCE13}}
%global shimefiaa64 %{expand:%{SOURCE20}}
%global shimefiia32 %{expand:%{SOURCE21}}
%global shimefix64 %{expand:%{SOURCE22}}
#%%global shimefiarm %%{expand:%%{SOURCE23}
%global shimveraa64 15-7.el8_1
%global shimveria32 15.4-4.el8_1
%global shimverx64 15.4-4.el8_1
#%%global shimverarm 15-1.el8
%global shimdiraa64 %{_datadir}/shim/%{shimveraa64}/aa64
%global shimdiria32 %{_datadir}/shim/%{shimveria32}/ia32
%global shimdirx64 %{_datadir}/shim/%{shimverx64}/x64
#%%global shimdirarm %%{_datadir}/shim/%%{shimverarm}/arm
%global unsignedaa64 shim-unsigned-aarch64
%global unsignedia32 shim-unsigned-ia32
%global unsignedx64 shim-unsigned-x64
#%%global unsignedarm shim-unsigned-arm
%global bootcsv %{expand:%{bootcsv%{efi_arch}}}
%global bootcsvalt %{expand:%{bootcsv%{?efi_alt_arch}}}
%global shimefi %{expand:%{shimefi%{efi_arch}}}
%global shimefialt %{expand:%{shimefi%{?efi_alt_arch}}}
%global shimver %{expand:%{shimver%{efi_arch}}}
%global shimveralt %{expand:%{shimver%{?efi_alt_arch}}}
%global shimdir %{expand:%{shimdir%{efi_arch}}}
%global shimdiralt %{expand:%{shimdir%{?efi_alt_arch}}}
%global unsignednone shim-unsigned-none
%global unsigned %{expand:%%{unsigned%{efi_arch}}}
%global unsignedalt %{expand:%%{unsigned%{efi_alt_arch}}}
%define define_pkg(a:p:) \
%{expand:%%package -n shim-%{-a*}} \
Summary: First-stage UEFI bootloader \
Requires: mokutil >= 1:0.3.0-1 \
Requires: efi-filesystem \
Provides: shim-signed-%{-a*} = %{version}-%{release} \
Requires: dbxtool >= 0.6-3 \
%{expand:%%if 0%%{-p*} \
Provides: shim = %{version}-%{release} \
Provides: shim-signed = %{version}-%{release} \
Obsoletes: shim-signed < %{version}-%{release} \
Obsoletes: shim < %{version}-%{release} \
%%endif} \
# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI \
# is not compatible with SysV (there's no red zone under UEFI) and \
# there isn't a POSIX-style C library. \
# BuildRequires: OpenSSL \
Provides: bundled(openssl) = 1.0.2j \
\
%{expand:%%description -n shim-%{-a*}} \
Initial UEFI bootloader that handles chaining to a trusted full \
bootloader under secure boot environments. This package contains the \
version signed by the UEFI signing service. \
%{nil}
# -a <efiarch>
# -i <input>
%define hash(a:i:d:) \
pesign -i %{-i*} -h -P > shim.hash \
read file0 hash0 < shim.hash \
read file1 hash1 < %{-d*}/shim%{-a*}.hash \
if ! [ "$hash0" = "$hash1" ]; then \
echo Invalid signature\! > /dev/stderr \
echo $hash0 vs $hash1 \
exit 1 \
fi \
%{nil}
# -i <input>
# -o <output>
%define sign(i:o:n:a:c:) \
%{expand:%%pesign -s -i %{-i*} -o %{-o*} %{-n} %{-n*} %{-a} %{-a*} %{-c} %{-c*}} \
%{nil}
# -b <binary prefix>
# -a <efiarch>
# -i <input>
%define distrosign(b:a:d:) \
cp -av %{-d*}/%{-b*}%{-a*}.efi %{-b*}%{-a*}-unsigned.efi \
%{expand:%%sign -i %{-b*}%{-a*}-unsigned.efi -o %{-b*}%{-a*}-signed.efi -n redhatsecureboot501 -a %{SOURCE2} -c %{SOURCE1} }\
%{nil}
# -a <efiarch>
# -A <EFIARCH>
# -b <1|0> # signed by this builder?
# -c <1|0> # signed by UEFI CA?
# -i <shimARCH.efi>
%define define_build(a:A:b:c:i:d:) \
if [ "%{-c*}" = "yes-temporarily-disabled-20180723" ]; then \
%{expand:%%hash -i %{-i*} -a %{-a*} -d %{-d*}} \
fi \
cp %{-i*} shim%{-a*}.efi \
if [ "%{-b*}" = "yes" ]; then \
%{expand:%%distrosign -b shim -a %{-a*} -d %{-d*}} \
mv shim%{-a*}-signed.efi shim%{-a*}-%{efi_vendor}.efi \
fi \
if [ "%{-c*}" = "no" ]; then \
cp shim%{-a*}-%{efi_vendor}.efi shim%{-a*}.efi \
fi \
%{expand:%%distrosign -b mm -a %{-a*} -d %{-d*}} \
mv mm%{-a*}-signed.efi mm%{-a*}.efi \
%{expand:%%distrosign -b fb -a %{-a*} -d %{-d*}} \
mv fb%{-a*}-signed.efi fb%{-a*}.efi \
rm -vf \\\
mm%{-a*}-unsigned.efi \\\
fb%{-a*}-unsigned.efi \\\
shim%{-a*}-unsigned.efi \
%{nil}
# -a <efiarch>
# -A <EFIARCH>
# -b <BOOTCSV>
%define do_install(a:A:b:) \
install -m 0700 shim%{-a*}.efi \\\
$RPM_BUILD_ROOT%{efi_esp_dir}/shim%{-a*}.efi \
install -m 0700 shim%{-a*}-%{efi_vendor}.efi \\\
$RPM_BUILD_ROOT%{efi_esp_dir}/shim%{-a*}-%{efi_vendor}.efi \
install -m 0700 mm%{-a*}.efi \\\
$RPM_BUILD_ROOT%{efi_esp_dir}/mm%{-a*}.efi \
install -m 0700 %{-b*} \\\
$RPM_BUILD_ROOT%{efi_esp_dir}/BOOT%{-A*}.CSV \
install -m 0700 shim%{-a*}.efi \\\
$RPM_BUILD_ROOT%{efi_esp_boot}/BOOT%{-A*}.EFI \
install -m 0700 fb%{-a*}.efi \\\
$RPM_BUILD_ROOT%{efi_esp_boot}/fb%{-a*}.efi \
%nil
# -a <efiarch>
# -A <EFIARCH>
%define define_files(a:A:) \
%{expand:%%files -n shim-%{-a*}} \
%{efi_esp_dir}/*%{-a*}*.efi \
%{efi_esp_dir}/BOOT%{-A*}.CSV \
%{efi_esp_boot}/*%{-a*}.efi \
%{efi_esp_boot}/*%{-A*}.EFI \
%{nil}
%ifarch x86_64
%global is_signed yes
%global is_alt_signed yes
%global provide_legacy_shim 1
%endif
%ifarch aarch64
%global is_signed no
%global is_alt_signed no
%global provide_legacy_shim 1
%endif
%ifnarch x86_64 aarch64
%global is_signed no
%global is_alt_signed no
%global provide_legacy_shim 0
%endif
%if ! 0%{?vendor:1}
%global vendor nopenopenope
%endif
# vim:filetype=rpmmacros
Name: shim
Version: 15.4
Release: 2%{?dist}
Summary: First-stage UEFI bootloader
License: BSD
URL: https://github.com/rhboot/shim/
BuildRequires: efi-filesystem
BuildRequires: efi-srpm-macros >= 3-2
ExclusiveArch: %{efi}
# but we don't build a .i686 package, just a shim-ia32.x86_64 package
ExcludeArch: %{ix86}
# and we don't have shim-unsigned-arm builds *yet*
ExcludeArch: %{arm}
Source0: shim.rpmmacros
Source1: redhatsecureboot501.cer
Source2: redhatsecurebootca5.cer
# keep these two lists of sources synched up arch-wise. That is 0 and 10
# match, 1 and 11 match, ...
Source10: BOOTAA64.CSV
Source20: shimaa64.efi
Source11: BOOTIA32.CSV
Source21: shimia32.efi
Source12: BOOTX64.CSV
Source22: shimx64.efi
#Source13: BOOTARM.CSV
#Source23: shimarm.efi
%include %{SOURCE0}
BuildRequires: pesign >= 0.112-20.fc27
# We need this because %%{efi} won't expand before choosing where to make
# the src.rpm in koji, and we could be on a non-efi architecture, in which
# case we won't have a valid expansion here... To be solved in the future
# (shim 16+) by making the unsigned packages all provide "shim-unsigned", so
# we can just BuildRequires that.
%ifarch x86_64
BuildRequires: %{unsignedx64} = %{shimverx64}
BuildRequires: %{unsignedia32} = %{shimveria32}
%endif
%ifarch aarch64
BuildRequires: %{unsignedaa64} = %{shimveraa64}
%endif
#%%ifarch arm
#BuildRequires: %%{unsignedarm} = %%{shimverarm}
#%%endif
%description
Initial UEFI bootloader that handles chaining to a trusted full bootloader
under secure boot environments. This package contains the version signed by
the UEFI signing service.
%define_pkg -a %{efi_arch} -p 1
%if %{efi_has_alt_arch}
%define_pkg -a %{efi_alt_arch}
%endif
%prep
cd %{_builddir}
rm -rf shim-%{version}
mkdir shim-%{version}
%build
cd shim-%{version}
%if %{efi_has_alt_arch}
%define_build -a %{efi_alt_arch} -A %{efi_alt_arch_upper} -i %{shimefialt} -b yes -c %{is_alt_signed} -d %{shimdiralt}
%endif
%define_build -a %{efi_arch} -A %{efi_arch_upper} -i %{shimefi} -b yes -c %{is_signed} -d %{shimdir}
%install
rm -rf $RPM_BUILD_ROOT
cd shim-%{version}
install -D -d -m 0755 $RPM_BUILD_ROOT/boot/
install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_root}/
install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_efi}/
install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_dir}/
install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_boot}/
%do_install -a %{efi_arch} -A %{efi_arch_upper} -b %{bootcsv}
%if %{efi_has_alt_arch}
%do_install -a %{efi_alt_arch} -A %{efi_alt_arch_upper} -b %{bootcsvalt}
%endif
%if %{provide_legacy_shim}
install -m 0700 %{shimefi} $RPM_BUILD_ROOT%{efi_esp_dir}/shim.efi
%endif
( cd $RPM_BUILD_ROOT ; find .%{efi_esp_root} -type f ) \
| sed -e 's/\./\^/' -e 's,^\\\./,.*/,' -e 's,$,$,' > %{__brp_mangle_shebangs_exclude_from_file}
%define_files -a %{efi_arch} -A %{efi_arch_upper}
%if %{efi_has_alt_arch}
%define_files -a %{efi_alt_arch} -A %{efi_alt_arch_upper}
%endif
%if %{provide_legacy_shim}
%{efi_esp_dir}/shim.efi
%endif
%changelog
* Tue Apr 06 2021 Peter Jones <pjones@redhat.com> - 15.4-2
- Fix build-deps on our shim-unsigned-* packages.
Related: CVE-2020-14372 (and others)
* Mon Apr 05 2021 Peter Jones <pjones@redhat.com> - 15.4-1
- Update to shim 15.4
- Support for revocations via the ".sbat" section and SBAT EFI variable
- A new unit test framework and a bunch of unit tests
- No external gnu-efi dependency
- Better CI
Resolves: CVE-2020-14372
Resolves: CVE-2020-25632
Resolves: CVE-2020-25647
Resolves: CVE-2020-27749
Resolves: CVE-2020-27779
Resolves: CVE-2021-20225
Resolves: CVE-2021-20233
* Fri Jul 31 2020 Peter Jones <pjones@redhat.com> - 15-15
- Update once again for new signed shim builds.
Resolves: rhbz#1862231
* Tue Jul 28 2020 Peter Jones <pjones@redhat.com> - 15-14
- Get rid of our %%dist hack for now.
* Tue Jul 28 2020 Peter Jones <pjones@redhat.com> - 15-13
- New signing keys
Related: CVE-2020-10713
Related: CVE-2020-14308
Related: CVE-2020-14309
Related: CVE-2020-14310
Related: CVE-2020-14311
* Thu Jun 11 2020 Javier Martinez Canillas <javierm@redhat.com> - 15-12
- Fix firmware update bug in aarch64 caused by shim ignoring arguments
- Fix a shim crash when attempting to netboot
* Fri Jun 07 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-11
- Update the shim-unsigned-aarch64 version number
Related: rhbz#1715879
* Fri Jun 07 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-10
- Add a gating.yaml file so the package can be properly gated
Related: rhbz#1681809
* Wed Jun 05 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-9
- Bump the NVR
Related: rhbz#1715879
* Wed Jun 05 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-7
- Make EFI variable copying fatal only on secureboot enabled systems
Resolves: rhbz#1715879
- Fix booting shim from an EFI shell using a relative path
Resolves: rhbz#1717061
* Thu Mar 14 2019 Peter Jones <pjones@redhat.com> - 15-6
- Fix MoK mirroring issue which breaks kdump without intervention
Resolves: rhbz#1668966
* Thu Jan 24 2019 Peter Jones <pjones@redhat.com> - 15-5
- Rebuild for signing once again. If the signer actually works, then:
Resolves: rhbz#1620941
* Tue Oct 16 2018 Peter Jones <pjones@redhat.com> - 15-4
- Rebuild for signing
Resolves: rhbz#1620941
* Mon Aug 13 2018 Troy Dawson <tdawson@redhat.com>
- Release Bumped for el8 Mass Rebuild
* Sat Aug 11 2018 Troy Dawson <tdawson@redhat.com>
- Release Bumped for el8+8 Mass Rebuild
* Mon Jul 23 2018 Peter Jones <pjones@redhat.com> - 15-1
- Build for RHEL 8
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment