commit b3d19a0168e4fac6bde3f12ff7eb8df9b0b0366c
Author: Andrew Lukoshko
Date: Wed Oct 29 12:35:13 2025 +0000
import CS shim-unsigned-aarch64-16.1-2.el10
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..be691c5
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+redhatsecurebootca8.cer
+shim-16.1.tar.bz2
diff --git a/sbat.redhat.csv b/sbat.redhat.csv
new file mode 100644
index 0000000..be9e036
--- /dev/null
+++ b/sbat.redhat.csv
@@ -0,0 +1 @@
+shim.redhat,3,Red Hat Inc,shim,15.8,secalert@redhat.com
diff --git a/shim-find-debuginfo.sh b/shim-find-debuginfo.sh
new file mode 100755
index 0000000..7e882ff
--- /dev/null
+++ b/shim-find-debuginfo.sh
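Review bot: The component_version column of the new sbat.redhat.csv says `15.8`, while the spec imported by this same commit declares `Version: 16.1` and its top changelog entry is "Fix the sbat data". As far as I know SBAT revocation decisions are driven by the generation number (here `3`), so the version column is informational, but a stale value defeats its purpose of letting a reviewer correlate the SBAT entry with the shipped binary (the spec copies this file into `data/` in %prep, so it presumably ends up in the built shim). Unless the mismatch is deliberate, the line should read `shim.redhat,3,Red Hat Inc,shim,16.1,secalert@redhat.com`; if it is deliberate, a comment next to `Source3:` in the spec should say why.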
@@ -0,0 +1,90 @@
+#!/bin/bash
+#
+# shim-find-debuginfo.sh
+# Copyright (C) 2017 Peter Jones
+#
+# Distributed under terms of the GPLv3 license.
+#
+set -e
+set -u
+
+mainarch=$1 && shift
+if [ $# == 1 ]; then
+ altarch=$1 && shift
+fi
+if ! [ -v RPM_BUILD_ROOT ]; then
+ echo "RPM_BUILD_ROOT must be set" 1>&2
+ exit 1
+fi
+
+findsource()
+{
+ (
+ cd ${RPM_BUILD_ROOT}
+ find usr/src/debug/ -type d | sed "s,^,%dir /,"
+ find usr/src/debug/ -type f | sed "s,^,/,"
+ )
+}
+
+finddebug()
+{
+ arch=$1 && shift
+ declare -a dirs=()
+ declare -a files=()
+ declare -a excludes=()
+
+ pushd ${RPM_BUILD_ROOT} >/dev/null 2>&1
+ for x in $(find usr/lib/debug/ -type f -iname *.efi.debug); do
+ if ! [ -e "${x}" ]; then
+ break
+ fi
+ if [[ ${x} =~ ${arch}\.efi\.debug$ ]]; then
+ files[${#files[@]}]=${x}
+ else
+ excludes[${#excludes[@]}]=${x}
+ fi
+ done
+ for x in usr/lib/debug/.build-id/*/*.debug ; do
+ if ! [ -e "${x}" ]; then
+ break
+ fi
+ link=$(readlink "${x}")
+ if [[ ${link} =~ ${arch}\.efi\.debug$ ]]; then
+ files[${#files[@]}]=${x}
+ files[${#files[@]}]=${x%%.debug}
+ else
+ excludes[${#excludes[@]}]=${x}
+ excludes[${#excludes[@]}]=${x%%.debug}
+ fi
+ done
+ for x in ${files[@]} ; do
+ declare name=$(dirname /${x})
+ while [ "${name}" != "/" ]; do
+ case "${name}" in
+ "/usr/lib/debug"|"/usr/lib"|"/usr")
+ ;;
+ *)
+ dirs[${#dirs[@]}]=${name}
+ ;;
+ esac
+ name=$(dirname ${name})
+ done
+ done
+
+ popd >/dev/null 2>&1
+ for x in ${dirs[@]} ; do
+ echo "%dir ${x}"
+ done | sort | uniq
+ for x in ${files[@]} ; do
+ echo "/${x}"
+ done | sort | uniq
+ for x in ${excludes[@]} ; do
+ echo "%exclude /${x}"
+ done
+}
+
+findsource > build-${mainarch}/debugsource.list
+finddebug ${mainarch} > build-${mainarch}/debugfiles.list
+if [ -v altarch ]; then
+ finddebug ${altarch} > build-${altarch}/debugfiles.list
+fi
diff --git a/shim-unsigned-aarch64.spec b/shim-unsigned-aarch64.spec
new file mode 100644
index 0000000..2580169
--- /dev/null
+++ b/shim-unsigned-aarch64.spec
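Review bot: The pattern on the `for x in $(find usr/lib/debug/ -type f -iname *.efi.debug); do` line in finddebug is unquoted, so the shell globs `*.efi.debug` against the current directory before find ever sees it, and the command-substitution result is then word-split; the same unquoted-expansion habit recurs in `pushd ${RPM_BUILD_ROOT}` and in the `for x in ${files[@]}`, `${dirs[@]}` and `${excludes[@]}` loops. The debug file names the shim build produces contain no whitespace, so this is unlikely to misbehave today, but it is fragile under `set -e`/`set -u` and ShellCheck flags both forms. I would quote the pattern and read the results NUL-delimited, `while IFS= read -r -d '' x; do` … `done < <(find usr/lib/debug/ -type f -iname '*.efi.debug' -print0)`, and write the array loops as `for x in "${files[@]}"; do`. With find feeding the first loop, the `if ! [ -e "${x}" ]; then break; fi` guard inside it is dead (find only reports existing paths) and can be removed; the matching guard in the `.build-id` glob loop is still needed for the no-match case.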
@@ -0,0 +1,214 @@
+%global pesign_vre 0.106-1
+%global openssl_vre 1.0.2j
+
+%global efidir %(eval echo $(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/'))
+%global shimrootdir %{_datadir}/shim/
+%global shimversiondir %{shimrootdir}/%{version}-%{release}
+%global efiarch aa64
+%global shimdir %{shimversiondir}/%{efiarch}
+
+%global debug_package %{nil}
+%global __debug_package 1
+%global _binaries_in_noarch_packages_terminate_build 0
+%global __debug_install_post %{SOURCE100} aa64
+%undefine _debuginfo_subpackages
+
+# currently here's what's in our dbx: nothing
+%global dbxfile %{nil}
+
+Name: shim-unsigned-aarch64
+Version: 16.1
+Release: 2.el10
+Summary: First-stage UEFI bootloader
+ExclusiveArch: aarch64
+License: BSD
+URL: https://github.com/rhboot/shim
+Source0: https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2
+Source1: redhatsecurebootca8.cer
+%if 0%{?dbxfile}
+Source2: %{dbxfile}
+%endif
+Source3: sbat.redhat.csv
+Source4: shim.patches
+
+Source100: shim-find-debuginfo.sh
+
+%include %{SOURCE4}
+
+BuildRequires: gcc make
+BuildRequires: elfutils-libelf-devel
+BuildRequires: git openssl-devel openssl
+BuildRequires: pesign >= %{pesign_vre}
+BuildRequires: dos2unix findutils
+
+# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
+# compatible with SysV (there's no red zone under UEFI) and there isn't a
+# POSIX-style C library.
+# BuildRequires: OpenSSL
+Provides: bundled(openssl) = %{openssl_vre}
+
+%global desc \
+Initial UEFI bootloader that handles chaining to a trusted full \
+bootloader under secure boot environments.
+%global debug_desc \
+This package provides debug information for package %{expand:%%{name}} \
+Debug information is useful when developing applications that \
+use this package or when debugging this package.
+
+%description
+%desc
+
+%package debuginfo
+Summary: Debug information for shim-unsigned-aarch64
+Requires: %{name}-debugsource = %{version}-%{release}
+Group: Development/Debug
+AutoReqProv: 0
+BuildArch: noarch
+
+%description debuginfo
+%debug_desc
+
+%package debugsource
+Summary: Debug Source for shim-unsigned
+Group: Development/Debug
+AutoReqProv: 0
+BuildArch: noarch
+
+%description debugsource
+%debug_desc
+
+%prep
+%autosetup -S git -n shim-%{version}
+git config --unset user.email
+git config --unset user.name
+mkdir build-%{efiarch}
+cp %{SOURCE3} data/
+
+%build
+COMMIT_ID=18d98bfb34be583a5fe2987542e4b15e0db9cb61
+MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMIT_ID} "
+MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
+MAKEFLAGS+="ENABLE_SHIM_HASH=true "
+MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2024040900 "
+MAKEFLAGS+="%{_smp_mflags}"
+if [ -f "%{SOURCE1}" ]; then
+ MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1} "
+fi
+if [ -f "%{SOURCE2}" ]; then
+ MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2} "
+fi
+
+cd build-%{efiarch}
+make ${MAKEFLAGS} DEFAULT_LOADER='\\\\grub%{efiarch}.efi' all
+cd ..
+
+%install
+COMMIT_ID=18d98bfb34be583a5fe2987542e4b15e0db9cb61
+MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMIT_ID} "
+MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
+MAKEFLAGS+="ENABLE_SHIM_HASH=true "
+MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2024040900 "
+if [ -f "%{SOURCE1}" ]; then
+ MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1} "
+fi
+if [ -f "%{SOURCE2}" ]; then
+ MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2} "
+fi
+
+cd build-%{efiarch}
+make ${MAKEFLAGS} \
+ DEFAULT_LOADER='\\\\grub%{efiarch}.efi' \
+ DESTDIR=${RPM_BUILD_ROOT} \
+ install-as-data install-debuginfo install-debugsource
+cd ..
+
+%files
+%license COPYRIGHT
+%dir %{shimrootdir}
+%dir %{shimversiondir}
+%dir %{shimdir}
+%{shimdir}/*.efi
+%{shimdir}/*.hash
+%{shimdir}/*.CSV
+
+%files debuginfo -f build-%{efiarch}/debugfiles.list
+
+%files debugsource -f build-%{efiarch}/debugsource.list
+
+%changelog
+* Tue Aug 26 2025 Peter Jones - 16.1-2.el10
+- Fix the sbat data
+ Related: RHEL-81188
+
+* Mon Aug 25 2025 Peter Jones - 16.1-1.el10
+- Update for shim 16 and rectify differences with shim-unsigned-x64
+- Related: #RHEL-81188
+
+* Thu Mar 20 2025 Peter Jones - 16.0-1.el10
+- Update for shim 16 and rectify differences with shim-unsigned-x64
+- Related: #RHEL-81188
+
+* Thu Mar 13 2025 Nicolas Frayer - 15.8-3.el10
+- Update gating.yaml for rhel-10
+- Resolves: #RHEL-81188
+
+* Thu Mar 6 2025 Nicolas Frayer - 15.8-2.el10
+- Update to shim-15.8
+
+* Tue May 26 2020 Javier Martinez Canillas - 15-6
+- Fix a shim crash when attempting to netboot
+ Resolves: rhbz#1840036
+
+* Mon May 04 2020 Javier Martinez Canillas - 15-5
+- Fix firmware update bug in aarch64 caused by shim ignoring arguments
+ Resolves: rhbz#1817882
+
+* Fri Jun 07 2019 Javier Martinez Canillas - 15-4
+- Add a gating.yaml file so the package can be properly gated
+ Related: rhbz#1682749
+
+* Wed Jun 05 2019 Javier Martinez Canillas - 15-3
+- Make EFI variable copying fatal only on secureboot enabled systems
+ Resolves: rhbz#1704854
+- Fix booting shim from an EFI shell using a relative path
+ Resolves: rhbz#1717063
+
+* Tue Feb 12 2019 Peter Jones - 15-2
+- Fix MoK mirroring issue which breaks kdump without intervention
+ Related: rhbz#1668966
+
+* Thu Apr 05 2018 Peter Jones - 15-1
+- Update to shim 15
+- better checking for bad linker output
+- flicker-free console if there's no error output
+- improved http boot support
+- better protocol re-installation
+- dhcp proxy support
+- tpm measurement even when verification is disabled
+- REQUIRE_TPM build flag
+- more reproducable builds
+- measurement of everything verified through shim_verify()
+- coverity and scan-build checker make targets
+- misc cleanups
+
+* Tue Sep 19 2017 Peter Jones - 13-3
+- Actually update to the *real* 13 final.
+ Related: rhbz#1489604
+
+* Thu Aug 31 2017 Peter Jones - 13-2
+- Actually update to 13 final.
+
+* Mon Aug 21 2017 Peter Jones - 13-0.1
+- Update to shim-13 test release.
+
+* Thu Aug 03 2017 Fedora Release Engineering - 0.9-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering - 0.9-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Sat Feb 11 2017 Fedora Release Engineering - 0.9-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Thu May 12 2016 Peter Jones - - 0.9-1
+- Initial split up of -aarch64
diff --git a/shim.patches b/shim.patches
new file mode 100644
index 0000000..e69de29
diff --git a/sources b/sources
new file mode 100644
index 0000000..54bd528
--- /dev/null
+++ b/sources
@@ -0,0 +1,2 @@
+SHA512 (redhatsecurebootca8.cer) = 7c8dffaa437d441d53a27eafd7340986c14e22be5cc11e712859f2af5dcc892e756e19d0260108191973a7ce8ae180844cb80ce676d11143227c7d1a20381e35
+SHA512 (shim-16.1.tar.bz2) = ca5f80e82f3b80b622028f03ef23105c98ee1b6a25f52a59c823080a3202dd4b9962266489296e99f955eb92e36ce13e0b1d57f688350006bba45f2718f159fb
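Review bot: The `if [ -f "%{SOURCE1}" ]; then` guards in %build and %install make the vendor certificate optional: were the file absent, make would run without `VENDOR_CERT_FILE` and produce a shim with no vendor CA compiled in instead of failing, which is the wrong failure mode for a first-stage Secure Boot loader. Since `Source1: redhatsecurebootca8.cer` is declared unconditionally, rpmbuild presumably refuses to start without it and the guard is dead, so I would set `MAKEFLAGS+="VENDOR_CERT_FILE=%{SOURCE1} "` unconditionally and keep the `-f` test only for the optional `%{SOURCE2}` dbx file. The `COMMIT_ID`/`MAKEFLAGS` block is duplicated verbatim between %build and %install (only `%{_smp_mflags}` differs), so a single `%global` holding the shared flags would keep the two from drifting on the next bump. `SBAT_AUTOMATIC_DATE=2024040900` presumably overrides the 16.1 tarball's default and carries no explanation; a one-line comment saying which SBAT revocation level that date corresponds to and why it is pinned here would spare the next maintainer from guessing.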