Re-enable secureboot enrollment

Follow Laszlo's suggestions from: https://bugzilla.redhat.com/show_bug.cgi?id=1701710#c12
2019-07-15 11:41:49 -04:00 · 2019-07-15 11:41:49 -04:00 · b9bff0b089
commit b9bff0b089
parent eb71155bd5
4 changed files with 46 additions and 8 deletions
--- a/.gitignore
+++ b/.gitignore
@ -3,3 +3,4 @@
 /qemu-ovmf-secureboot-*.tar.gz
 /edk2-*.tar.gz
 /softfloat-20180726-gitb64af41.tar.xz
+/qemu-ovmf-secureboot-20190521-gitf158f12.tar.xz
--- a/RedHatSecureBootPkKek1.pem
+++ b/RedHatSecureBootPkKek1.pem
@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDoDCCAoigAwIBAgIJAP71iOjzlsDxMA0GCSqGSIb3DQEBCwUAMFExKzApBgNV
+BAMTIlJlZCBIYXQgU2VjdXJlIEJvb3QgKFBLL0tFSyBrZXkgMSkxIjAgBgkqhkiG
+9w0BCQEWE3NlY2FsZXJ0QHJlZGhhdC5jb20wHhcNMTQxMDMxMTExNTM3WhcNMzcx
+MDI1MTExNTM3WjBRMSswKQYDVQQDEyJSZWQgSGF0IFNlY3VyZSBCb290IChQSy9L
+RUsga2V5IDEpMSIwIAYJKoZIhvcNAQkBFhNzZWNhbGVydEByZWRoYXQuY29tMIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkB+Ee42865cmgm2Iq4rJjGhw
+d9LB7I3gwsCyGdoMJ7j8PCZSrhZV8ZB9jiL/mZMSek3N5IumAEeWxRQ5qiNJQ31
+huarMMtAFuqNixaGcEM38s7Akd9xFI6ZDom2TG0kHozkL08l0LoG+MboGRh2cx2B
+bajYBc86yHsoyDajFg0pjJmaaNyrwE2Nv1q7K6k5SwSXHPk2u8U6hgSur9SCe+Cr
+3kkFaPz2rmgabJBNVxk8ZGYD9sdSm/eUz5NqoWjJqs+Za7yqXgjnORz3+A+6Bn7x
+y+h23f4i2q06Xls06rPJ4E0EKX64YLkF77XZF1hWFmC5MDLwNkrD8nmNEkBw8wID
+AQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVy
+YXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUPOlg4/8ZoQp7o0L0jUIutNWccuww
+HwYDVR0jBBgwFoAUPOlg4/8ZoQp7o0L0jUIutNWccuwwDQYJKoZIhvcNAQELBQAD
+ggEBAFxNkoi0gl8drYsR7N8GpnqlK583VQyNbgUArbcMQYlpz9ZlBptReNKtx7+c
+3AVzf+ceORO06rYwfUB1q5xDC9+wwhu/MOD0/sDbYiGY9sWv3jtPSQrmHvmGsD8N
+1tRGN9tUdF7/EcJgxnBYxRxv7LLYbm/DvDOHOKTzRGScNDsolCZ4J58WF+g7aQol
+qXM2fp43XOzoP9uR+RKzPc7n3RXDrowFIGGbld6br/qxXBzll+fDNBGF9YonJqRw
+NuwM9oM9kPc28/nzFdSQYr5TtK/TSa/v9HPoe3bkRCo3uoGkmQw6MSRxoOTktxrL
+R+SqIs/vdWGA40O3SFdzET14m2k=
+-----END CERTIFICATE-----
--- a/edk2.spec
+++ b/edk2.spec
@ -13,13 +13,11 @@
 %global edk2_stable_date 201905
 %global edk2_stable_str  edk2-stable%{edk2_stable_date}
 %global openssl_version  1.1.1b
-%global qosb_version     1.1.3
+%global qosb_version     20190521-gitf158f12
 %global softfloat_version 20180726-gitb64af41

-
-# enrollment is hanging with stable 201905,
-# so temporarily disable it
-%global skip_enroll 1
+# Enable this to skip secureboot enrollment, if problems pop up
+%global skip_enroll 0


 %define qosb_testing 0
@ -58,7 +56,7 @@ Name:           edk2
 # to use YYYMMDD to avoid needing to bump package epoch
 # due to previous 'git' Version:
 Version:        %{edk2_stable_date}01stable
-Release:        1%{dist}
+Release:        2%{dist}
 Summary:        EFI Development Kit II

 License:        BSD-2-Clause-Patent
@ -69,8 +67,10 @@ URL:            http://www.tianocore.org/edk2/
 Source0:        https://github.com/tianocore/edk2/archive/%{edk2_stable_str}.tar.gz#/edk2-%{edk2_stable_str}.tar.gz
 Source1:        openssl-%{openssl_version}-hobbled.tar.xz
 Source2:        ovmf-whitepaper-c770f8c.txt
-Source3:        https://github.com/puiterwijk/qemu-ovmf-secureboot/archive/v%{qosb_version}/qemu-ovmf-secureboot-%{qosb_version}.tar.gz
+#Source3:        https://github.com/puiterwijk/qemu-ovmf-secureboot/archive/v{qosb_version}/qemu-ovmf-secureboot-{qosb_version}.tar.gz
+Source3:        qemu-ovmf-secureboot-%{qosb_version}.tar.xz
 Source4:        softfloat-%{softfloat_version}.tar.xz
+Source5:        RedHatSecureBootPkKek1.pem
 Source10:       hobble-openssl
 Source11:       build-iso.sh
 Source12:       update-tarball.sh
@ -133,6 +133,7 @@ BuildRequires:  nasm
 BuildRequires:  qemu-img
 BuildRequires:  genisoimage
 BuildRequires:  bc
+BuildRequires:  sed

 # These are for QOSB
 BuildRequires:  python3-requests
@ -260,6 +261,14 @@ mv qemu-ovmf-secureboot-%{qosb_version}/LICENSE LICENSE.qosb
 %autopatch -p1
 base64 --decode < MdeModulePkg/Logo/Logo-OpenSSL.bmp.b64 > MdeModulePkg/Logo/Logo-OpenSSL.bmp

+# Extract OEM string from the RH cert, as described here
+# https://bugzilla.tianocore.org/show_bug.cgi?id=1747#c2
+sed \
+  -e 's/^-----BEGIN CERTIFICATE-----$/4e32566d-8e9e-4f52-81d3-5bb9715f9727:/' \
+  -e '/^-----END CERTIFICATE-----$/d' \
+  %{_sourcedir}/RedHatSecureBootPkKek1.pem \
+| tr -d '\n' \
+> PkKek1.oemstr


 %build
@ -333,6 +342,7 @@ python3 qemu-ovmf-secureboot-%{qosb_version}/ovmf-vars-generator \
    --ovmf-binary ovmf/OVMF_CODE.secboot.fd \
    --ovmf-template-vars ovmf/OVMF_VARS.fd \
    --uefi-shell-iso ovmf/UefiShell.iso \
+    --oem-string "$(< PkKek1.oemstr)" \
    --skip-testing \
    ovmf/OVMF_VARS.secboot.fd
 %else
@ -591,6 +601,11 @@ install qemu-ovmf-secureboot-%{qosb_version}/ovmf-vars-generator %{buildroot}%{_


 %changelog
+* Mon Jul 15 2019 Cole Robinson <aintdiscole@gmail.com> - 20190501stable-2
+- License is now BSD-2-Clause-Patent
+- Re-enable secureboot enrollment
+- Use qemu-ovmf-secureboot from git
+
 * Thu Jul 11 2019 Cole Robinson <crobinso@redhat.com> - 20190501stable-1
 - Update to stable-201905
 - Update to openssl-1.1.1b
--- a/2
+++ b/2
@ -1,4 +1,4 @@
-SHA512 (qemu-ovmf-secureboot-1.1.3.tar.gz) = f830a525f66379e8e3c61d006fab49547e6709f7aa0f95e70f23c7d26407cc804a0ced9dcfd26af63391d603e9cb5a0714c222c7cdca8599e41852e22e13be80
 SHA512 (edk2-edk2-stable201905.tar.gz) = 91188923f7d1ab83c0d6abf7ec6d59f357d0341a617ad6a3ae05f3d0e041dff43f62b014b0c5fc5d15e16d8f1c279c581a5cd64b31e3d52b340d7ef90adb50f1
 SHA512 (openssl-1.1.1b-hobbled.tar.xz) = 8055b19bfeec41fe0607c04d468d2f16a1e5fe02642c8deb67b00878be7e28ab266d13da41b9576800cba0b9448253f26f72ab8889d666f5d23103648f80bea1
 SHA512 (softfloat-20180726-gitb64af41.tar.xz) = f079debd1bfcc0fe64329a8947b0689ef49246793edcdd28a2879f6550c652b0cf0f53ac4f6f5ab61ac4f7933972e0019d0ab63eb9931b6884c2909f3a5ead30
+SHA512 (qemu-ovmf-secureboot-20190521-gitf158f12.tar.xz) = 4dde79864996398cc8cc39cdf859c1ca64ca0d360b0e5e41af9d9f054d36e1c4999e4324c5140a7329bec9b8d131e773ab8ebc28aba8d3f9f63c25517ee9221a