From 4d2489eb393990e99527c94ff0627e2444e73920 Mon Sep 17 00:00:00 2001 From: Miroslav Rezanina Date: Mon, 26 Jul 2021 04:19:20 -0400 Subject: [PATCH] * Mon Jul 26 2021 Miroslav Rezanina - 20200823-5.git4bd064de - ipxe-Disable-SHA-1.patch [bz#1935932] - ipxe-Replace-genisoimage-with-xorriso.patch [bz#1971981] - ipxe-spec-Drop-disabled-efi-ia32-build-infrastructure.patch [bz#1980138] - ipxe-spec-Generate-qemu-compatible-rom-filenames.patch [bz#1980138] - Resolves: bz#1935932 (ipxe implements and/or uses the deprecated SHA-1 algorithm by default () - Resolves: bz#1971981 (Please replace genisoimage with xorriso) - Resolves: bz#1980138 (install qemu rom symlinks so qemu doesn't have to) --- ipxe-Disable-SHA-1.patch | 33 +++++++++++++++++ ipxe.spec | 79 ++++++++++++++++++++++++---------------- 2 files changed, 80 insertions(+), 32 deletions(-) create mode 100644 ipxe-Disable-SHA-1.patch diff --git a/ipxe-Disable-SHA-1.patch b/ipxe-Disable-SHA-1.patch new file mode 100644 index 0000000..e66cad1 --- /dev/null +++ b/ipxe-Disable-SHA-1.patch 
@@ -0,0 +1,33 @@
+From e50ff50417dca26223b771d2a93cf57d4f627104 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann
+Date: Thu, 22 Jul 2021 15:49:51 +0200
+Subject: [PATCH 1/4] Disable SHA-1
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Gerd Hoffmann
+RH-MergeRequest: 5: Disable SHA-1
+RH-Commit: [1/1] 23f1cca1f3ac86958088c41e0f8122dde74c72cf (kraxel/ipxe)
+RH-Bugzilla: 1935932
+RH-Acked-by: Daniel P. Berrangé
+RH-Acked-by: Philippe Mathieu-Daudé
+
+Signed-off-by: Gerd Hoffmann
+Signed-off-by: Miroslav Rezanina
+---
+ src/config/local/crypto.h | 2 ++
+ 1 file changed, 2 insertions(+)
+ create mode 100644 src/config/local/crypto.h
+
+diff --git a/src/config/local/crypto.h b/src/config/local/crypto.h
+new file mode 100644
+index 00000000..ff4a5b7f
+--- /dev/null
++++ b/src/config/local/crypto.h
+@@ -0,0 +1,2 @@
++/** disable SHA-1 digest algorithm */
++#undef CRYPTO_DIGEST_SHA1
+--
+2.27.0
+
diff --git a/ipxe.spec b/ipxe.spec
index de32d95..a30bf94 100644
--- a/ipxe.spec
+++ b/ipxe.spec
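Review bot: The comment in the new src/config/local/crypto.h says SHA-1 is disabled, but `#undef CRYPTO_DIGEST_SHA1` only takes effect if this local header is processed after the point where the macro is defined, and it presumably only removes features that are gated on that macro; neither is visible in this patch. I would widen the comment to state the intended scope, for example `/** Drop SHA-1 from the configurable digest set; code that uses SHA-1 without checking CRYPTO_DIGEST_SHA1 is not affected */`, after confirming that against the iPXE tree. A build-time check that the SHA-1 uses named in bz#1935932 are actually absent from the resulting ROMs would make the claim verifiable.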
@@ -1,28 +1,21 @@ %if 0%{?fedora} %global cross 1 -%global efi_ia32 1 %endif -# With the addition of HTTPS support, we need to drop -# efi_ia32 so qemu roms still stay in the expected size -# range. If no one complains we can drop the efi_ia32 -# infrastructure in 2021 IMO -%global efi_ia32 0 +# ROMS we want for QEMU with format PCIID:QEMUNAME +%global qemuroms \\\ + 8086100e:e1000 \\\ + 10ec8139:rtl8139 \\\ + 1af41000:virtio \\\ + 808610d3:e1000e -# PCI IDs (vendor,product) of the ROMS we want for QEMU -# -# pcnet32: 0x1022 0x2000 -# ne2k_pci: 0x10ec 0x8029 -# e1000: 0x8086 0x100e -# rtl8139: 0x10ec 0x8139 -# virtio-net: 0x1af4 0x1000 -# eepro100: 0x8086 0x1209 -# e1000e: 0x8086 0x10d3 -# vmxnet3: 0x15ad 0x07b0 -%if 0%{?rhel} -%global qemuroms 8086100e 10ec8139 1af41000 808610d3 -%else -%global qemuroms 10222000 10ec8029 8086100e 10ec8139 1af41000 80861209 808610d3 15ad07b0 +%if 0%{?fedora} +# Fedora specific roms +%global qemuroms %{qemuroms} \\\ + 10222000:pcnet \\\ + 10ec8029:ne2k_pci \\\ + 80861209:eepro100 \\\ + 15ad07b0:vmxnet3 %endif # We only build the ROMs if on an x86 build host. The resulting @@ -57,7 +50,7 @@ Name: ipxe Version: %{date} -Release: 4.git%{hash}%{?dist} +Release: 5.git%{hash}%{?dist} Summary: A network boot loader License: GPLv2 with additional permissions and BSD @@ -69,6 +62,8 @@ Source0: %{name}-%{version}-git%{hash}.tar.xz # Sent upstream: http://lists.ipxe.org/pipermail/ipxe-devel/2015-November/004494.html Patch0001: 0001-build-customize-configuration.patch Patch0002: 0002-Use-spec-compliant-timeouts.patch +# For bz#1935932 - ipxe implements and/or uses the deprecated SHA-1 algorithm by default ( +Patch3: ipxe-Disable-SHA-1.patch # Source-git patches @@ -81,7 +76,7 @@ BuildRequires: perl-lib %endif BuildRequires: syslinux BuildRequires: mtools -BuildRequires: genisoimage +BuildRequires: xorriso BuildRequires: edk2-tools BuildRequires: xz-devel BuildRequires: gcc 
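Review bot: The comment above `Patch3: ipxe-Disable-SHA-1.patch` ends in an unbalanced `(`, and the tag is numbered `Patch3` next to the zero-padded `Patch0001`/`Patch0002`. `Patch0003` with a comment such as `# For bz#1935932 - disable the deprecated SHA-1 digest algorithm` would read consistently. The %prep section is outside this hunk, so it is worth confirming that it applies every listed patch rather than selecting patches by number, because otherwise the SHA-1 change would be silently left out of the build.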
@@ -172,18 +167,14 @@ make_ipxe ISOLINUX_BIN=/usr/share/syslinux/isolinux.bin \ # build roms with efi support for qemu mkdir bin-combined -for rom in %{qemuroms}; do +for romstr in %{qemuroms}; do + rom=$(echo "$romstr" | cut -d ":" -f 1) + make_ipxe CONFIG=qemu bin/${rom}.rom -%if 0%{?efi_ia32} - make_ipxe CONFIG=qemu bin-i386-efi/${rom}.efidrv -%endif make_ipxe CONFIG=qemu bin-x86_64-efi/${rom}.efidrv vid="0x${rom%%????}" did="0x${rom#????}" EfiRom -f "$vid" -i "$did" --pci23 \ -%if 0%{?efi_ia32} - -ec bin-i386-efi/${rom}.efidrv \ -%endif -ec bin-x86_64-efi/${rom}.efidrv \ -o bin-combined/${rom}.eficrom util/catrom.pl \ @@ -218,17 +209,28 @@ popd cp -a src/bin-i386-efi/ipxe.efi %{buildroot}/%{_datadir}/%{name}/ipxe-i386.efi cp -a src/bin-x86_64-efi/ipxe.efi %{buildroot}/%{_datadir}/%{name}/ipxe-x86_64.efi -# the roms supported by qemu will be packaged separatedly -# remove from the main rom list and add them to qemu.list -for rom in %{qemuroms}; do +mkdir -p %{buildroot}%{_datadir}/%{name}/qemu/ + +for romstr in %{qemuroms}; do + # the roms supported by qemu will be packaged separatedly + # remove from the main rom list and add them to qemu.list + rom=$(echo "$romstr" | cut -d ":" -f 1) + qemuname=$(echo "$romstr" | cut -d ":" -f 2) sed -i -e "/\/${rom}.rom/d" rom.list echo %{_datadir}/%{name}/${rom}.rom >> qemu.rom.list cp src/bin-combined/${rom}.rom %{buildroot}/%{_datadir}/%{name}.efi/ echo %{_datadir}/%{name}.efi/${rom}.rom >> qemu.rom.list + + # Set up symlinks with expected qemu firmware names + ln -s ../../ipxe/${rom}.rom %{buildroot}%{_datadir}/%{name}/qemu/pxe-${qemuname}.rom + ln -s ../../ipxe.efi/${rom}.rom %{buildroot}%{_datadir}/%{name}/qemu/efi-${qemuname}.rom done + +# endif buildarches %endif + %ifarch %{buildarches} %files bootimgs %dir %{_datadir}/%{name} 
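Review bot: A `%{qemuroms}` entry that lacks the `:QEMUNAME` part is not detected in either loop: `cut -d ":" -f 2` prints the whole input when there is no delimiter, so the install loop would create `pxe-<pciid>.rom` and `efi-<pciid>.rom` links under names that do not match the expected qemu firmware names, without failing the build. Parameter expansion would match the `${rom%%????}` style already used in the build loop and avoids two subprocesses per entry: `rom=${romstr%%:*}` and `qemuname=${romstr#*:}`, with a guard such as `[ "$rom" != "$romstr" ] || exit 1`. The same `echo | cut` parsing appears in the build loop of the first hunk on this line and in the install loop of the second; both loops sit inside spec sections that start outside the hunks.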
@@ -248,10 +250,23 @@ done %files roms-qemu -f qemu.rom.list %dir %{_datadir}/%{name} %dir %{_datadir}/%{name}.efi +%{_datadir}/%{name}/qemu %doc COPYING COPYING.GPLv2 COPYING.UBDL %endif %changelog +* Mon Jul 26 2021 Miroslav Rezanina - 20200823-5.git4bd064de +- ipxe-Disable-SHA-1.patch [bz#1935932] +- ipxe-Replace-genisoimage-with-xorriso.patch [bz#1971981] +- ipxe-spec-Drop-disabled-efi-ia32-build-infrastructure.patch [bz#1980138] +- ipxe-spec-Generate-qemu-compatible-rom-filenames.patch [bz#1980138] +- Resolves: bz#1935932 + (ipxe implements and/or uses the deprecated SHA-1 algorithm by default () +- Resolves: bz#1971981 + (Please replace genisoimage with xorriso) +- Resolves: bz#1980138 + (install qemu rom symlinks so qemu doesn't have to) + * Tue Jun 08 2021 Miroslav Rezanina - 20200823-4.git4bd064de - ipxe-Skip-some-QEMU-ROMs-when-building-for-RHEL.patch [bz#1956931] - ipxe-spec-combine-BIOS-and-EFI-roms-using-util-catrom.pl.patch [bz#1957246]