245 lines
7.0 KiB
RPMSpec
245 lines
7.0 KiB
RPMSpec
%global pesign_vre 0.106-1
|
|
%global gnuefi_vre 1:3.0.5-6
|
|
%global openssl_vre 1.0.2j
|
|
|
|
%global debug_package %{nil}
|
|
%global __debug_package 1
|
|
%global _binaries_in_noarch_packages_terminate_build 0
|
|
%global __debug_install_post %{SOURCE100} aa64
|
|
%undefine _debuginfo_subpackages
|
|
|
|
%global efidir almalinux
|
|
%global shimrootdir %{_datadir}/shim/
|
|
%global shimversiondir %{shimrootdir}/%{version}-%{release}
|
|
%global efiarch aa64
|
|
%global shimdir %{shimversiondir}/%{efiarch}
|
|
|
|
Name: shim-unsigned-aarch64
|
|
Version: 15.8
|
|
Release: 2.el9.alma.1
|
|
Summary: First-stage UEFI bootloader
|
|
ExclusiveArch: aarch64
|
|
License: BSD
|
|
URL: https://github.com/rhboot/shim
|
|
Source0: https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2
|
|
# currently here's what's in our dbx:
|
|
# nothing.
|
|
Source2: dbx.esl
|
|
Source3: sbat.almalinux.csv
|
|
Source4: shim.patches
|
|
|
|
Source100: shim-find-debuginfo.sh
|
|
|
|
Source101: almalinux-sb-cert-1.der
|
|
Source102: almalinux-sb-cert-2.der
|
|
Source103: almalinux-sb-cert-3.der
|
|
|
|
%include %{SOURCE4}
|
|
|
|
BuildRequires: gcc make
|
|
BuildRequires: elfutils-libelf-devel
|
|
BuildRequires: git openssl-devel openssl
|
|
BuildRequires: pesign >= %{pesign_vre}
|
|
BuildRequires: dos2unix findutils
|
|
BuildRequires: efitools
|
|
BuildRequires: gcc-toolset-12-binutils
|
|
BuildRequires: gcc-toolset-12-gcc
|
|
|
|
# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
|
|
# compatible with SysV (there's no red zone under UEFI) and there isn't a
|
|
# POSIX-style C library.
|
|
# BuildRequires: OpenSSL
|
|
Provides: bundled(openssl) = %{openssl_vre}
|
|
|
|
%global desc \
|
|
Initial UEFI bootloader that handles chaining to a trusted full \
|
|
bootloader under secure boot environments.
|
|
%global debug_desc \
|
|
This package provides debug information for package %{expand:%%{name}} \
|
|
Debug information is useful when developing applications that \
|
|
use this package or when debugging this package.
|
|
|
|
%description
|
|
%desc
|
|
|
|
%package debuginfo
|
|
Summary: Debug information for shim-unsigned-aarch64
|
|
Requires: %{name}-debugsource = %{version}-%{release}
|
|
Group: Development/Debug
|
|
AutoReqProv: 0
|
|
BuildArch: noarch
|
|
|
|
%description debuginfo
|
|
%debug_desc
|
|
|
|
%package debugsource
|
|
Summary: Debug Source for shim-unsigned
|
|
Group: Development/Debug
|
|
AutoReqProv: 0
|
|
BuildArch: noarch
|
|
|
|
%description debugsource
|
|
%debug_desc
|
|
|
|
%prep
|
|
%autosetup -S git_am -n shim-%{version}
|
|
%if 0%{?rhel} == 8 || 0%{?rhel} == 9
|
|
source scl_source enable gcc-toolset-12 || :
|
|
%endif
|
|
git config --unset user.email
|
|
git config --unset user.name
|
|
mkdir build-%{efiarch}
|
|
cp %{SOURCE3} data/
|
|
|
|
%build
|
|
# Prepare vendor_db.esl file
|
|
openssl x509 -inform DER -in %{SOURCE101} -out 01.pem
|
|
openssl x509 -inform DER -in %{SOURCE102} -out 02.pem
|
|
openssl x509 -inform DER -in %{SOURCE103} -out 03.pem
|
|
cert-to-efi-sig-list -g 9DD8A2AC-0977-4AEF-99A0-E794FD2A31FE 01.pem 01.esl
|
|
cert-to-efi-sig-list -g 33D81FE3-5EC0-44F8-AB02-C9DA554F63D8 02.pem 02.esl
|
|
cert-to-efi-sig-list -g 50413300-1AC7-49DA-B755-BB0D93E634B6 03.pem 03.esl
|
|
cat 01.esl 02.esl 03.esl > vendor_db.esl
|
|
|
|
%if 0%{?rhel} == 8 || 0%{?rhel} == 9
|
|
source scl_source enable gcc-toolset-12 || :
|
|
%endif
|
|
|
|
COMMIT_ID=5914984a1ffeab841f482c791426d7ca9935a5e6
|
|
MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMIT_ID=${COMMIT_ID} "
|
|
MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
|
|
MAKEFLAGS+="ENABLE_SHIM_HASH=true "
|
|
MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 "
|
|
MAKEFLAGS+="%{_smp_mflags}"
|
|
if [ -s vendor_db.esl ]; then
|
|
MAKEFLAGS="$MAKEFLAGS VENDOR_DB_FILE=../vendor_db.esl"
|
|
fi
|
|
if [ -s "%{SOURCE2}" ]; then
|
|
MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
|
|
fi
|
|
|
|
cd build-%{efiarch}
|
|
make ${MAKEFLAGS} \
|
|
DEFAULT_LOADER='\\\\grub%{efiarch}.efi' \
|
|
all
|
|
cd ..
|
|
|
|
%install
|
|
%if 0%{?rhel} == 8 || 0%{?rhel} == 9
|
|
source scl_source enable gcc-toolset-12 || :
|
|
%endif
|
|
COMMIT_ID=5914984a1ffeab841f482c791426d7ca9935a5e6
|
|
MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMIT_ID=${COMMIT_ID} "
|
|
MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
|
|
MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true "
|
|
MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 "
|
|
if [ -s vendor_db.esl ]; then
|
|
MAKEFLAGS="$MAKEFLAGS VENDOR_DB_FILE=../vendor_db.esl"
|
|
fi
|
|
if [ -s "%{SOURCE2}" ]; then
|
|
MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
|
|
fi
|
|
|
|
cd build-%{efiarch}
|
|
make ${MAKEFLAGS} \
|
|
DEFAULT_LOADER='\\\\grub%{efiarch}.efi' \
|
|
DESTDIR=${RPM_BUILD_ROOT} \
|
|
install-as-data install-debuginfo install-debugsource
|
|
cd ..
|
|
|
|
%files
|
|
%license COPYRIGHT
|
|
%dir %{shimrootdir}
|
|
%dir %{shimversiondir}
|
|
%dir %{shimdir}
|
|
%{shimdir}/*.CSV
|
|
%{shimdir}/*.efi
|
|
%{shimdir}/*.hash
|
|
|
|
|
|
%files debuginfo -f build-%{efiarch}/debugfiles.list
|
|
|
|
%files debugsource -f build-%{efiarch}/debugsource.list
|
|
|
|
%changelog
|
|
* Fri May 10 2024 Eduard Abdullin <eabdullin@almalinux.org> - 15.8-2.el9.alma.1
|
|
- Use AlmaLinux cert
|
|
- Use gcc-toolset-12
|
|
|
|
* Wed Feb 07 2024 Peter Jones <pjones@redhat.com> - 15.8-2.el9
|
|
- Rebuild to fix the commit ident and MAKEFLAGS
|
|
Resolves: RHEL-11259
|
|
|
|
* Tue Dec 05 2023 Peter Jones <pjones@redhat.com> - 15.8-1.el9
|
|
- Update to shim-15.8 for CVE-2023-40547
|
|
Resolves: RHEL-11259
|
|
|
|
* Wed Jun 01 2022 Peter Jones <pjones@redhat.com> - 15.6-1.el9
|
|
- Update to shim-15.6
|
|
Resolves: CVE-2022-28737
|
|
|
|
* Thu Sep 17 2020 Peter Jones <pjones@redhat.com> - 15-9.el9
|
|
- Fix an incorrect allocation size.
|
|
Related: rhbz#1877253
|
|
|
|
* Thu Jul 30 2020 Peter Jones <pjones@redhat.com> - 15-8
|
|
- Fix a load-address-dependent forever loop.
|
|
Resolves: rhbz#1861977
|
|
Related: CVE-2020-10713
|
|
Related: CVE-2020-14308
|
|
Related: CVE-2020-14309
|
|
Related: CVE-2020-14310
|
|
Related: CVE-2020-14311
|
|
Related: CVE-2020-15705
|
|
Related: CVE-2020-15706
|
|
Related: CVE-2020-15707
|
|
|
|
* Sat Jul 25 2020 Peter Jones <pjones@redhat.com> - 15-7
|
|
- Implement Lenny's workaround
|
|
Related: CVE-2020-10713
|
|
Related: CVE-2020-14308
|
|
Related: CVE-2020-14309
|
|
Related: CVE-2020-14310
|
|
Related: CVE-2020-14311
|
|
|
|
* Fri Jul 24 2020 Peter Jones <pjones@redhat.com> - 15-5
|
|
- Once more with the MokListRT config table patch added.
|
|
Related: CVE-2020-10713
|
|
Related: CVE-2020-14308
|
|
Related: CVE-2020-14309
|
|
Related: CVE-2020-14310
|
|
Related: CVE-2020-14311
|
|
|
|
* Thu Jul 23 2020 Peter Jones <pjones@redhat.com> - 15-4
|
|
- Rebuild for bug fixes and new signing keys
|
|
Related: CVE-2020-10713
|
|
Related: CVE-2020-14308
|
|
Related: CVE-2020-14309
|
|
Related: CVE-2020-14310
|
|
Related: CVE-2020-14311
|
|
|
|
* Wed Jun 05 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-3
|
|
- Make EFI variable copying fatal only on secureboot enabled systems
|
|
Resolves: rhbz#1715878
|
|
- Fix booting shim from an EFI shell using a relative path
|
|
Resolves: rhbz#1717064
|
|
|
|
* Tue Feb 12 2019 Peter Jones <pjones@redhat.com> - 15-2
|
|
- Fix MoK mirroring issue which breaks kdump without intervention
|
|
Related: rhbz#1668966
|
|
|
|
* Fri Jul 20 2018 Peter Jones <pjones@redhat.com> - 15-1
|
|
- Update to shim 15
|
|
|
|
* Tue Sep 19 2017 Peter Jones <pjones@redhat.com> - 13-3
|
|
- Actually update to the *real* 13 final.
|
|
Related: rhbz#1489604
|
|
|
|
* Thu Aug 31 2017 Peter Jones <pjones@redhat.com> - 13-2
|
|
- Actually update to 13 final.
|
|
|
|
* Fri Aug 18 2017 Peter Jones <pjones@redhat.com> - 13-1
|
|
- Make a new shim-unsigned-x64 package like the shim-unsigned-aarch64 one.
|
|
- This will (eventually) supersede what's in the "shim" package so we can
|
|
make "shim" hold the signed one, which will confuse fewer people.
|