%global pesign_vre 0.106-1 %global gnuefi_vre 1:3.0.5-6 %global openssl_vre 1.0.2j %global debug_package %{nil} %global __debug_package 1 %global _binaries_in_noarch_packages_terminate_build 0 %global __debug_install_post %{SOURCE100} aa64 %undefine _debuginfo_subpackages %global efidir almalinux %global shimrootdir %{_datadir}/shim/ %global shimversiondir %{shimrootdir}/%{version}-%{release} %global efiarch aa64 %global shimdir %{shimversiondir}/%{efiarch} Name: shim-unsigned-aarch64 Version: 15.8 Release: 2.el9.alma.1 Summary: First-stage UEFI bootloader ExclusiveArch: aarch64 License: BSD URL: https://github.com/rhboot/shim Source0: https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2 # currently here's what's in our dbx: # nothing. Source2: dbx.esl Source3: sbat.almalinux.csv Source4: shim.patches Source100: shim-find-debuginfo.sh Source101: almalinux-sb-cert-1.der Source102: almalinux-sb-cert-2.der Source103: almalinux-sb-cert-3.der %include %{SOURCE4} BuildRequires: gcc make BuildRequires: elfutils-libelf-devel BuildRequires: git openssl-devel openssl BuildRequires: pesign >= %{pesign_vre} BuildRequires: dos2unix findutils BuildRequires: efitools BuildRequires: gcc-toolset-12-binutils BuildRequires: gcc-toolset-12-gcc # Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not # compatible with SysV (there's no red zone under UEFI) and there isn't a # POSIX-style C library. # BuildRequires: OpenSSL Provides: bundled(openssl) = %{openssl_vre} %global desc \ Initial UEFI bootloader that handles chaining to a trusted full \ bootloader under secure boot environments. %global debug_desc \ This package provides debug information for package %{expand:%%{name}} \ Debug information is useful when developing applications that \ use this package or when debugging this package. %description %desc %package debuginfo Summary: Debug information for shim-unsigned-aarch64 Requires: %{name}-debugsource = %{version}-%{release} Group: Development/Debug AutoReqProv: 0 BuildArch: noarch %description debuginfo %debug_desc %package debugsource Summary: Debug Source for shim-unsigned Group: Development/Debug AutoReqProv: 0 BuildArch: noarch %description debugsource %debug_desc %prep %autosetup -S git_am -n shim-%{version} %if 0%{?rhel} == 8 || 0%{?rhel} == 9 source scl_source enable gcc-toolset-12 || : %endif git config --unset user.email git config --unset user.name mkdir build-%{efiarch} cp %{SOURCE3} data/ %build # Prepare vendor_db.esl file openssl x509 -inform DER -in %{SOURCE101} -out 01.pem openssl x509 -inform DER -in %{SOURCE102} -out 02.pem openssl x509 -inform DER -in %{SOURCE103} -out 03.pem cert-to-efi-sig-list -g 9DD8A2AC-0977-4AEF-99A0-E794FD2A31FE 01.pem 01.esl cert-to-efi-sig-list -g 33D81FE3-5EC0-44F8-AB02-C9DA554F63D8 02.pem 02.esl cert-to-efi-sig-list -g 50413300-1AC7-49DA-B755-BB0D93E634B6 03.pem 03.esl cat 01.esl 02.esl 03.esl > vendor_db.esl %if 0%{?rhel} == 8 || 0%{?rhel} == 9 source scl_source enable gcc-toolset-12 || : %endif COMMIT_ID=5914984a1ffeab841f482c791426d7ca9935a5e6 MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMIT_ID=${COMMIT_ID} " MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} " MAKEFLAGS+="ENABLE_SHIM_HASH=true " MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 " MAKEFLAGS+="%{_smp_mflags}" if [ -s vendor_db.esl ]; then MAKEFLAGS="$MAKEFLAGS VENDOR_DB_FILE=../vendor_db.esl" fi if [ -s "%{SOURCE2}" ]; then MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}" fi cd build-%{efiarch} make ${MAKEFLAGS} \ DEFAULT_LOADER='\\\\grub%{efiarch}.efi' \ all cd .. %install %if 0%{?rhel} == 8 || 0%{?rhel} == 9 source scl_source enable gcc-toolset-12 || : %endif COMMIT_ID=5914984a1ffeab841f482c791426d7ca9935a5e6 MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMIT_ID=${COMMIT_ID} " MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} " MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true " MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 " if [ -s vendor_db.esl ]; then MAKEFLAGS="$MAKEFLAGS VENDOR_DB_FILE=../vendor_db.esl" fi if [ -s "%{SOURCE2}" ]; then MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}" fi cd build-%{efiarch} make ${MAKEFLAGS} \ DEFAULT_LOADER='\\\\grub%{efiarch}.efi' \ DESTDIR=${RPM_BUILD_ROOT} \ install-as-data install-debuginfo install-debugsource cd .. %files %license COPYRIGHT %dir %{shimrootdir} %dir %{shimversiondir} %dir %{shimdir} %{shimdir}/*.CSV %{shimdir}/*.efi %{shimdir}/*.hash %files debuginfo -f build-%{efiarch}/debugfiles.list %files debugsource -f build-%{efiarch}/debugsource.list %changelog * Fri May 10 2024 Eduard Abdullin - 15.8-2.el9.alma.1 - Use AlmaLinux cert - Use gcc-toolset-12 * Wed Feb 07 2024 Peter Jones - 15.8-2.el9 - Rebuild to fix the commit ident and MAKEFLAGS Resolves: RHEL-11259 * Tue Dec 05 2023 Peter Jones - 15.8-1.el9 - Update to shim-15.8 for CVE-2023-40547 Resolves: RHEL-11259 * Wed Jun 01 2022 Peter Jones - 15.6-1.el9 - Update to shim-15.6 Resolves: CVE-2022-28737 * Thu Sep 17 2020 Peter Jones - 15-9.el9 - Fix an incorrect allocation size. Related: rhbz#1877253 * Thu Jul 30 2020 Peter Jones - 15-8 - Fix a load-address-dependent forever loop. Resolves: rhbz#1861977 Related: CVE-2020-10713 Related: CVE-2020-14308 Related: CVE-2020-14309 Related: CVE-2020-14310 Related: CVE-2020-14311 Related: CVE-2020-15705 Related: CVE-2020-15706 Related: CVE-2020-15707 * Sat Jul 25 2020 Peter Jones - 15-7 - Implement Lenny's workaround Related: CVE-2020-10713 Related: CVE-2020-14308 Related: CVE-2020-14309 Related: CVE-2020-14310 Related: CVE-2020-14311 * Fri Jul 24 2020 Peter Jones - 15-5 - Once more with the MokListRT config table patch added. Related: CVE-2020-10713 Related: CVE-2020-14308 Related: CVE-2020-14309 Related: CVE-2020-14310 Related: CVE-2020-14311 * Thu Jul 23 2020 Peter Jones - 15-4 - Rebuild for bug fixes and new signing keys Related: CVE-2020-10713 Related: CVE-2020-14308 Related: CVE-2020-14309 Related: CVE-2020-14310 Related: CVE-2020-14311 * Wed Jun 05 2019 Javier Martinez Canillas - 15-3 - Make EFI variable copying fatal only on secureboot enabled systems Resolves: rhbz#1715878 - Fix booting shim from an EFI shell using a relative path Resolves: rhbz#1717064 * Tue Feb 12 2019 Peter Jones - 15-2 - Fix MoK mirroring issue which breaks kdump without intervention Related: rhbz#1668966 * Fri Jul 20 2018 Peter Jones - 15-1 - Update to shim 15 * Tue Sep 19 2017 Peter Jones - 13-3 - Actually update to the *real* 13 final. Related: rhbz#1489604 * Thu Aug 31 2017 Peter Jones - 13-2 - Actually update to 13 final. * Fri Aug 18 2017 Peter Jones - 13-1 - Make a new shim-unsigned-x64 package like the shim-unsigned-aarch64 one. - This will (eventually) supersede what's in the "shim" package so we can make "shim" hold the signed one, which will confuse fewer people.