Compare commits
No commits in common. "c8" and "15.6-aligned" have entirely different histories.
c8
...
15.6-align
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
|||||||
SOURCES/shim-15.8.tar.bz2
|
SOURCES/shim-15.tar.bz2
|
||||||
|
@ -1 +1 @@
|
|||||||
cdec924ca437a4509dcb178396996ddf92c11183 SOURCES/shim-15.8.tar.bz2
|
3df0ab5cefc74fdf865cb36aea0e923cb4b6b3ed SOURCES/shim-15.6.tar.bz2
|
||||||
|
33
SOURCES/0012-pe-align-section-size.patch
Normal file
33
SOURCES/0012-pe-align-section-size.patch
Normal file
@ -0,0 +1,33 @@
|
|||||||
|
From c7b305152802c8db688605654f75e1195def9fd6 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Nicholas Bishop <nicholasbishop@google.com>
|
||||||
|
Date: Mon, 19 Dec 2022 18:56:13 -0500
|
||||||
|
Subject: [PATCH] pe: Align section size up to page size for mem attrs
|
||||||
|
|
||||||
|
Setting memory attributes is generally done at page granularity, and
|
||||||
|
this is enforced by checks in `get_mem_attrs` and
|
||||||
|
`update_mem_attrs`. But unlike the section address, the section size
|
||||||
|
isn't necessarily aligned to 4KiB. Round up the section size to fix
|
||||||
|
this.
|
||||||
|
|
||||||
|
Signed-off-by: Nicholas Bishop <nicholasbishop@google.com>
|
||||||
|
---
|
||||||
|
pe.c | 6 +++++-
|
||||||
|
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/pe.c b/pe.c
|
||||||
|
index 9a3679e16..5ad0914ba 100644
|
||||||
|
--- a/pe.c
|
||||||
|
+++ b/pe.c
|
||||||
|
@@ -1372,7 +1372,11 @@ handle_image (void *data, unsigned int datasize,
|
||||||
|
+ Section->Misc.VirtualSize - 1);
|
||||||
|
|
||||||
|
addr = (uintptr_t)base;
|
||||||
|
- length = (uintptr_t)end - (uintptr_t)base + 1;
|
||||||
|
+ // Align the length up to PAGE_SIZE. This is required because
|
||||||
|
+ // platforms generally set memory attributes at page
|
||||||
|
+ // granularity, but the section length (unlike the section
|
||||||
|
+ // address) is not required to be aligned.
|
||||||
|
+ length = ALIGN_VALUE((uintptr_t)end - (uintptr_t)base + 1, PAGE_SIZE);
|
||||||
|
|
||||||
|
if (Section->Characteristics & EFI_IMAGE_SCN_MEM_WRITE) {
|
||||||
|
set_attrs |= MEM_ATTR_W;
|
BIN
SOURCES/clsecureboot001.cer
Normal file
BIN
SOURCES/clsecureboot001.cer
Normal file
Binary file not shown.
@ -1 +0,0 @@
|
|||||||
shim.redhat,3,Red Hat Inc,shim,15.8,secalert@redhat.com
|
|
|
Binary file not shown.
@ -8,36 +8,35 @@
|
|||||||
%global __debug_install_post %{SOURCE100} aa64
|
%global __debug_install_post %{SOURCE100} aa64
|
||||||
%undefine _debuginfo_subpackages
|
%undefine _debuginfo_subpackages
|
||||||
|
|
||||||
%global efidir %(eval echo $(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/'))
|
%global efidir almalinux
|
||||||
%global shimrootdir %{_datadir}/shim/
|
%global shimrootdir %{_datadir}/shim/
|
||||||
%global shimversiondir %{shimrootdir}/%{version}-%{release}
|
%global shimversiondir %{shimrootdir}/%{version}-%{release}
|
||||||
%global efiarch aa64
|
%global efiarch aa64
|
||||||
%global shimdir %{shimversiondir}/%{efiarch}
|
%global shimdir %{shimversiondir}/%{efiarch}
|
||||||
|
|
||||||
Name: shim-unsigned-aarch64
|
Name: shim-unsigned-aarch64
|
||||||
Version: 15.8
|
Version: 15.6
|
||||||
Release: 2.el8
|
Release: 1%{?dist}.alma
|
||||||
Summary: First-stage UEFI bootloader
|
Summary: First-stage UEFI bootloader
|
||||||
ExclusiveArch: aarch64
|
ExclusiveArch: aarch64
|
||||||
License: BSD
|
License: BSD
|
||||||
URL: https://github.com/rhboot/shim
|
URL: https://github.com/rhboot/shim
|
||||||
Source0: https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2
|
Source0: https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2
|
||||||
Source1: securebootca.cer
|
Source1: clsecureboot001.cer
|
||||||
# currently here's what's in our dbx:
|
# currently here's what's in our dbx:
|
||||||
# nothing.
|
# nothing.
|
||||||
Source2: dbx.esl
|
Source2: dbx.esl
|
||||||
Source3: sbat.redhat.csv
|
|
||||||
Source4: shim.patches
|
|
||||||
|
|
||||||
Source100: shim-find-debuginfo.sh
|
Source100: shim-find-debuginfo.sh
|
||||||
|
|
||||||
%include %{SOURCE4}
|
Patch0012: 0012-pe-align-section-size.patch
|
||||||
|
|
||||||
BuildRequires: gcc make
|
BuildRequires: gcc make
|
||||||
BuildRequires: elfutils-libelf-devel
|
BuildRequires: elfutils-libelf-devel
|
||||||
BuildRequires: git openssl-devel openssl
|
BuildRequires: git openssl-devel openssl
|
||||||
BuildRequires: pesign >= %{pesign_vre}
|
BuildRequires: pesign >= %{pesign_vre}
|
||||||
BuildRequires: dos2unix findutils
|
BuildRequires: gnu-efi >= %{gnuefi_vre}
|
||||||
|
BuildRequires: gnu-efi-devel >= %{gnuefi_vre}
|
||||||
|
|
||||||
# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
|
# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
|
||||||
# compatible with SysV (there's no red zone under UEFI) and there isn't a
|
# compatible with SysV (there's no red zone under UEFI) and there isn't a
|
||||||
@ -82,17 +81,16 @@ git config --unset user.name
|
|||||||
mkdir build-%{efiarch}
|
mkdir build-%{efiarch}
|
||||||
|
|
||||||
%build
|
%build
|
||||||
COMMIT_ID=5914984a1ffeab841f482c791426d7ca9935a5e6
|
COMMITID=$(cat commit)
|
||||||
MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMIT_ID} "
|
MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
|
||||||
MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
|
MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
|
||||||
MAKEFLAGS+="ENABLE_SHIM_HASH=true "
|
MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true "
|
||||||
MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 "
|
|
||||||
MAKEFLAGS+="%{_smp_mflags}"
|
MAKEFLAGS+="%{_smp_mflags}"
|
||||||
if [ -f "%{SOURCE1}" ]; then
|
if [ -f "%{SOURCE1}" ]; then
|
||||||
MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1} "
|
MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
|
||||||
fi
|
fi
|
||||||
if [ -f "%{SOURCE2}" ]; then
|
if [ -f "%{SOURCE2}" ]; then
|
||||||
MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2} "
|
MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
cd build-%{efiarch}
|
cd build-%{efiarch}
|
||||||
@ -100,16 +98,15 @@ make ${MAKEFLAGS} DEFAULT_LOADER='\\\\grub%{efiarch}.efi' all
|
|||||||
cd ..
|
cd ..
|
||||||
|
|
||||||
%install
|
%install
|
||||||
COMMIT_ID=5914984a1ffeab841f482c791426d7ca9935a5e6
|
COMMITID=$(cat commit)
|
||||||
MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMIT_ID} "
|
MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
|
||||||
MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
|
MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
|
||||||
MAKEFLAGS+="ENABLE_SHIM_HASH=true "
|
MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true "
|
||||||
MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 "
|
|
||||||
if [ -f "%{SOURCE1}" ]; then
|
if [ -f "%{SOURCE1}" ]; then
|
||||||
MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1} "
|
MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
|
||||||
fi
|
fi
|
||||||
if [ -f "%{SOURCE2}" ]; then
|
if [ -f "%{SOURCE2}" ]; then
|
||||||
MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2} "
|
MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
cd build-%{efiarch}
|
cd build-%{efiarch}
|
||||||
@ -133,13 +130,8 @@ cd ..
|
|||||||
%files debugsource -f build-%{efiarch}/debugsource.list
|
%files debugsource -f build-%{efiarch}/debugsource.list
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Wed Feb 07 2024 Peter Jones <pjones@redhat.com> - 15.8-2.el8
|
* Thu May 19 2022 Eduard Abdullin <eabdullin@almalinux.org> - 15-6.alma
|
||||||
- Rebuild to fix the commit ident and MAKEFLAGS
|
- Use AlmaLinux cert
|
||||||
Resolves: RHEL-11259
|
|
||||||
|
|
||||||
* Tue Dec 05 2023 Peter Jones <pjones@redhat.com> - 15.8-1.el8
|
|
||||||
- Update to shim-15.8 for CVE-2023-40547
|
|
||||||
Resolves: RHEL-11259
|
|
||||||
|
|
||||||
* Tue May 26 2020 Javier Martinez Canillas <javierm@redhat.com> - 15-6
|
* Tue May 26 2020 Javier Martinez Canillas <javierm@redhat.com> - 15-6
|
||||||
- Fix a shim crash when attempting to netboot
|
- Fix a shim crash when attempting to netboot
|
||||||
|
Loading…
Reference in New Issue
Block a user