Re-enable secureboot enrollment

Follow Laszlo's suggestions from:
https://bugzilla.redhat.com/show_bug.cgi?id=1701710#c12
This commit is contained in:
Cole Robinson 2019-07-15 11:41:49 -04:00
parent eb71155bd5
commit b9bff0b089
4 changed files with 46 additions and 8 deletions

1
.gitignore vendored
View File

@ -3,3 +3,4 @@
/qemu-ovmf-secureboot-*.tar.gz /qemu-ovmf-secureboot-*.tar.gz
/edk2-*.tar.gz /edk2-*.tar.gz
/softfloat-20180726-gitb64af41.tar.xz /softfloat-20180726-gitb64af41.tar.xz
/qemu-ovmf-secureboot-20190521-gitf158f12.tar.xz

View File

@ -0,0 +1,22 @@
-----BEGIN CERTIFICATE-----
MIIDoDCCAoigAwIBAgIJAP71iOjzlsDxMA0GCSqGSIb3DQEBCwUAMFExKzApBgNV
BAMTIlJlZCBIYXQgU2VjdXJlIEJvb3QgKFBLL0tFSyBrZXkgMSkxIjAgBgkqhkiG
9w0BCQEWE3NlY2FsZXJ0QHJlZGhhdC5jb20wHhcNMTQxMDMxMTExNTM3WhcNMzcx
MDI1MTExNTM3WjBRMSswKQYDVQQDEyJSZWQgSGF0IFNlY3VyZSBCb290IChQSy9L
RUsga2V5IDEpMSIwIAYJKoZIhvcNAQkBFhNzZWNhbGVydEByZWRoYXQuY29tMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkB+Ee42865cmgm2Iq4rJjGhw
+d9LB7I3gwsCyGdoMJ7j8PCZSrhZV8ZB9jiL/mZMSek3N5IumAEeWxRQ5qiNJQ31
huarMMtAFuqNixaGcEM38s7Akd9xFI6ZDom2TG0kHozkL08l0LoG+MboGRh2cx2B
bajYBc86yHsoyDajFg0pjJmaaNyrwE2Nv1q7K6k5SwSXHPk2u8U6hgSur9SCe+Cr
3kkFaPz2rmgabJBNVxk8ZGYD9sdSm/eUz5NqoWjJqs+Za7yqXgjnORz3+A+6Bn7x
y+h23f4i2q06Xls06rPJ4E0EKX64YLkF77XZF1hWFmC5MDLwNkrD8nmNEkBw8wID
AQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVy
YXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUPOlg4/8ZoQp7o0L0jUIutNWccuww
HwYDVR0jBBgwFoAUPOlg4/8ZoQp7o0L0jUIutNWccuwwDQYJKoZIhvcNAQELBQAD
ggEBAFxNkoi0gl8drYsR7N8GpnqlK583VQyNbgUArbcMQYlpz9ZlBptReNKtx7+c
3AVzf+ceORO06rYwfUB1q5xDC9+wwhu/MOD0/sDbYiGY9sWv3jtPSQrmHvmGsD8N
1tRGN9tUdF7/EcJgxnBYxRxv7LLYbm/DvDOHOKTzRGScNDsolCZ4J58WF+g7aQol
qXM2fp43XOzoP9uR+RKzPc7n3RXDrowFIGGbld6br/qxXBzll+fDNBGF9YonJqRw
NuwM9oM9kPc28/nzFdSQYr5TtK/TSa/v9HPoe3bkRCo3uoGkmQw6MSRxoOTktxrL
R+SqIs/vdWGA40O3SFdzET14m2k=
-----END CERTIFICATE-----

View File

@ -13,13 +13,11 @@
%global edk2_stable_date 201905 %global edk2_stable_date 201905
%global edk2_stable_str edk2-stable%{edk2_stable_date} %global edk2_stable_str edk2-stable%{edk2_stable_date}
%global openssl_version 1.1.1b %global openssl_version 1.1.1b
%global qosb_version 1.1.3 %global qosb_version 20190521-gitf158f12
%global softfloat_version 20180726-gitb64af41 %global softfloat_version 20180726-gitb64af41
# Enable this to skip secureboot enrollment, if problems pop up
# enrollment is hanging with stable 201905, %global skip_enroll 0
# so temporarily disable it
%global skip_enroll 1
%define qosb_testing 0 %define qosb_testing 0
@ -58,7 +56,7 @@ Name: edk2
# to use YYYMMDD to avoid needing to bump package epoch # to use YYYMMDD to avoid needing to bump package epoch
# due to previous 'git' Version: # due to previous 'git' Version:
Version: %{edk2_stable_date}01stable Version: %{edk2_stable_date}01stable
Release: 1%{dist} Release: 2%{dist}
Summary: EFI Development Kit II Summary: EFI Development Kit II
License: BSD-2-Clause-Patent License: BSD-2-Clause-Patent
@ -69,8 +67,10 @@ URL: http://www.tianocore.org/edk2/
Source0: https://github.com/tianocore/edk2/archive/%{edk2_stable_str}.tar.gz#/edk2-%{edk2_stable_str}.tar.gz Source0: https://github.com/tianocore/edk2/archive/%{edk2_stable_str}.tar.gz#/edk2-%{edk2_stable_str}.tar.gz
Source1: openssl-%{openssl_version}-hobbled.tar.xz Source1: openssl-%{openssl_version}-hobbled.tar.xz
Source2: ovmf-whitepaper-c770f8c.txt Source2: ovmf-whitepaper-c770f8c.txt
Source3: https://github.com/puiterwijk/qemu-ovmf-secureboot/archive/v%{qosb_version}/qemu-ovmf-secureboot-%{qosb_version}.tar.gz #Source3: https://github.com/puiterwijk/qemu-ovmf-secureboot/archive/v{qosb_version}/qemu-ovmf-secureboot-{qosb_version}.tar.gz
Source3: qemu-ovmf-secureboot-%{qosb_version}.tar.xz
Source4: softfloat-%{softfloat_version}.tar.xz Source4: softfloat-%{softfloat_version}.tar.xz
Source5: RedHatSecureBootPkKek1.pem
Source10: hobble-openssl Source10: hobble-openssl
Source11: build-iso.sh Source11: build-iso.sh
Source12: update-tarball.sh Source12: update-tarball.sh
@ -133,6 +133,7 @@ BuildRequires: nasm
BuildRequires: qemu-img BuildRequires: qemu-img
BuildRequires: genisoimage BuildRequires: genisoimage
BuildRequires: bc BuildRequires: bc
BuildRequires: sed
# These are for QOSB # These are for QOSB
BuildRequires: python3-requests BuildRequires: python3-requests
@ -260,6 +261,14 @@ mv qemu-ovmf-secureboot-%{qosb_version}/LICENSE LICENSE.qosb
%autopatch -p1 %autopatch -p1
base64 --decode < MdeModulePkg/Logo/Logo-OpenSSL.bmp.b64 > MdeModulePkg/Logo/Logo-OpenSSL.bmp base64 --decode < MdeModulePkg/Logo/Logo-OpenSSL.bmp.b64 > MdeModulePkg/Logo/Logo-OpenSSL.bmp
# Extract OEM string from the RH cert, as described here
# https://bugzilla.tianocore.org/show_bug.cgi?id=1747#c2
sed \
-e 's/^-----BEGIN CERTIFICATE-----$/4e32566d-8e9e-4f52-81d3-5bb9715f9727:/' \
-e '/^-----END CERTIFICATE-----$/d' \
%{_sourcedir}/RedHatSecureBootPkKek1.pem \
| tr -d '\n' \
> PkKek1.oemstr
%build %build
@ -333,6 +342,7 @@ python3 qemu-ovmf-secureboot-%{qosb_version}/ovmf-vars-generator \
--ovmf-binary ovmf/OVMF_CODE.secboot.fd \ --ovmf-binary ovmf/OVMF_CODE.secboot.fd \
--ovmf-template-vars ovmf/OVMF_VARS.fd \ --ovmf-template-vars ovmf/OVMF_VARS.fd \
--uefi-shell-iso ovmf/UefiShell.iso \ --uefi-shell-iso ovmf/UefiShell.iso \
--oem-string "$(< PkKek1.oemstr)" \
--skip-testing \ --skip-testing \
ovmf/OVMF_VARS.secboot.fd ovmf/OVMF_VARS.secboot.fd
%else %else
@ -591,6 +601,11 @@ install qemu-ovmf-secureboot-%{qosb_version}/ovmf-vars-generator %{buildroot}%{_
%changelog %changelog
* Mon Jul 15 2019 Cole Robinson <aintdiscole@gmail.com> - 20190501stable-2
- License is now BSD-2-Clause-Patent
- Re-enable secureboot enrollment
- Use qemu-ovmf-secureboot from git
* Thu Jul 11 2019 Cole Robinson <crobinso@redhat.com> - 20190501stable-1 * Thu Jul 11 2019 Cole Robinson <crobinso@redhat.com> - 20190501stable-1
- Update to stable-201905 - Update to stable-201905
- Update to openssl-1.1.1b - Update to openssl-1.1.1b

View File

@ -1,4 +1,4 @@
SHA512 (qemu-ovmf-secureboot-1.1.3.tar.gz) = f830a525f66379e8e3c61d006fab49547e6709f7aa0f95e70f23c7d26407cc804a0ced9dcfd26af63391d603e9cb5a0714c222c7cdca8599e41852e22e13be80
SHA512 (edk2-edk2-stable201905.tar.gz) = 91188923f7d1ab83c0d6abf7ec6d59f357d0341a617ad6a3ae05f3d0e041dff43f62b014b0c5fc5d15e16d8f1c279c581a5cd64b31e3d52b340d7ef90adb50f1 SHA512 (edk2-edk2-stable201905.tar.gz) = 91188923f7d1ab83c0d6abf7ec6d59f357d0341a617ad6a3ae05f3d0e041dff43f62b014b0c5fc5d15e16d8f1c279c581a5cd64b31e3d52b340d7ef90adb50f1
SHA512 (openssl-1.1.1b-hobbled.tar.xz) = 8055b19bfeec41fe0607c04d468d2f16a1e5fe02642c8deb67b00878be7e28ab266d13da41b9576800cba0b9448253f26f72ab8889d666f5d23103648f80bea1 SHA512 (openssl-1.1.1b-hobbled.tar.xz) = 8055b19bfeec41fe0607c04d468d2f16a1e5fe02642c8deb67b00878be7e28ab266d13da41b9576800cba0b9448253f26f72ab8889d666f5d23103648f80bea1
SHA512 (softfloat-20180726-gitb64af41.tar.xz) = f079debd1bfcc0fe64329a8947b0689ef49246793edcdd28a2879f6550c652b0cf0f53ac4f6f5ab61ac4f7933972e0019d0ab63eb9931b6884c2909f3a5ead30 SHA512 (softfloat-20180726-gitb64af41.tar.xz) = f079debd1bfcc0fe64329a8947b0689ef49246793edcdd28a2879f6550c652b0cf0f53ac4f6f5ab61ac4f7933972e0019d0ab63eb9931b6884c2909f3a5ead30
SHA512 (qemu-ovmf-secureboot-20190521-gitf158f12.tar.xz) = 4dde79864996398cc8cc39cdf859c1ca64ca0d360b0e5e41af9d9f054d36e1c4999e4324c5140a7329bec9b8d131e773ab8ebc28aba8d3f9f63c25517ee9221a