shim-unsigned-x64/SPECS/shim-unsigned-x64.spec

278 lines
8.3 KiB
RPMSpec
Raw Normal View History

2019-05-07 03:59:23 +00:00
%global pesign_vre 0.106-1
%global openssl_vre 1.0.2j
2022-06-17 13:15:44 +00:00
%global efidir almalinux
2019-05-07 03:59:23 +00:00
%global shimrootdir %{_datadir}/shim/
%global shimversiondir %{shimrootdir}/%{version}-%{release}
%global efiarch x64
%global shimdir %{shimversiondir}/%{efiarch}
%global efialtarch ia32
%global shimaltdir %{shimversiondir}/%{efialtarch}
2021-05-18 06:47:54 +00:00
%global debug_package %{nil}
%global __debug_package 1
%global _binaries_in_noarch_packages_terminate_build 0
%global __debug_install_post %{SOURCE100} %{efiarch} %{efialtarch}
%undefine _debuginfo_subpackages
2019-05-07 03:59:23 +00:00
Name: shim-unsigned-%{efiarch}
2024-05-10 13:15:25 +00:00
Version: 15.8
Release: 2.el9.alma.1
2019-05-07 03:59:23 +00:00
Summary: First-stage UEFI bootloader
ExclusiveArch: x86_64
License: BSD
URL: https://github.com/rhboot/shim
Source0: https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2
2024-05-10 13:15:25 +00:00
# currently here's what's in our dbx:
# nothing.
Source2: dbx.esl
Source3: sbat.almalinux.csv
2022-06-16 13:19:17 +00:00
Source4: shim.patches
2019-05-07 03:59:23 +00:00
Source100: shim-find-debuginfo.sh
2024-05-10 13:15:25 +00:00
Source101: almalinux-sb-cert-1.der
Source102: almalinux-sb-cert-2.der
Source103: almalinux-sb-cert-3.der
2022-06-16 13:19:17 +00:00
%include %{SOURCE4}
2021-05-18 06:47:54 +00:00
BuildRequires: gcc make
2019-05-07 03:59:23 +00:00
BuildRequires: elfutils-libelf-devel
BuildRequires: git openssl-devel openssl
BuildRequires: pesign >= %{pesign_vre}
2021-05-18 06:47:54 +00:00
BuildRequires: dos2unix findutils
2019-05-07 03:59:23 +00:00
# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
# compatible with SysV (there's no red zone under UEFI) and there isn't a
# POSIX-style C library.
# BuildRequires: OpenSSL
Provides: bundled(openssl) = %{openssl_vre}
%global desc \
Initial UEFI bootloader that handles chaining to a trusted full \
bootloader under secure boot environments.
%global debug_desc \
This package provides debug information for package %{expand:%%{name}} \
Debug information is useful when developing applications that \
use this package or when debugging this package.
%description
%desc
%package -n shim-unsigned-%{efialtarch}
Summary: First-stage UEFI bootloader (unsigned data)
Provides: bundled(openssl) = %{openssl_vre}
%description -n shim-unsigned-%{efialtarch}
%desc
%package debuginfo
Summary: Debug information for shim-unsigned-%{efiarch}
Group: Development/Debug
AutoReqProv: 0
BuildArch: noarch
%description debuginfo
%debug_desc
%package -n shim-unsigned-%{efialtarch}-debuginfo
Summary: Debug information for shim-unsigned-%{efialtarch}
Group: Development/Debug
AutoReqProv: 0
BuildArch: noarch
%description -n shim-unsigned-%{efialtarch}-debuginfo
%debug_desc
%package debugsource
Summary: Debug Source for shim-unsigned
Group: Development/Debug
AutoReqProv: 0
BuildArch: noarch
%description debugsource
%debug_desc
%prep
2022-06-16 13:19:17 +00:00
%autosetup -S git_am -n shim-%{version}
2019-05-07 03:59:23 +00:00
git config --unset user.email
git config --unset user.name
mkdir build-%{efiarch}
mkdir build-%{efialtarch}
2021-05-18 06:47:54 +00:00
cp %{SOURCE3} data/
2019-05-07 03:59:23 +00:00
%build
2024-05-10 13:15:25 +00:00
# Prepare vendor_db.esl file
openssl x509 -inform DER -in %{SOURCE101} -out 01.pem
openssl x509 -inform DER -in %{SOURCE102} -out 02.pem
openssl x509 -inform DER -in %{SOURCE103} -out 03.pem
cert-to-efi-sig-list -g 9DD8A2AC-0977-4AEF-99A0-E794FD2A31FE 01.pem 01.esl
cert-to-efi-sig-list -g 33D81FE3-5EC0-44F8-AB02-C9DA554F63D8 02.pem 02.esl
cert-to-efi-sig-list -g 50413300-1AC7-49DA-B755-BB0D93E634B6 03.pem 03.esl
cat 01.esl 02.esl 03.esl > vendor_db.esl
COMMIT_ID=5914984a1ffeab841f482c791426d7ca9935a5e6
MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMIT_ID=${COMMIT_ID} "
2019-05-07 03:59:23 +00:00
MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
2021-05-18 06:47:54 +00:00
MAKEFLAGS+="ENABLE_SHIM_HASH=true "
2024-05-10 13:15:25 +00:00
MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 "
2019-05-07 03:59:23 +00:00
MAKEFLAGS+="%{_smp_mflags}"
2024-05-10 13:15:25 +00:00
if [ -s vendor_db.esl ]; then
MAKEFLAGS="$MAKEFLAGS VENDOR_DB_FILE=../vendor_db.esl"
2019-05-07 03:59:23 +00:00
fi
2024-05-10 13:15:25 +00:00
if [ -s "%{SOURCE2}" ]; then
2019-05-07 03:59:23 +00:00
MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
fi
cd build-%{efiarch}
2021-05-18 06:47:54 +00:00
make ${MAKEFLAGS} \
DEFAULT_LOADER='\\\\grub%{efiarch}.efi' \
all
2019-05-07 03:59:23 +00:00
cd ..
%install
2024-05-10 13:15:25 +00:00
COMMIT_ID=5914984a1ffeab841f482c791426d7ca9935a5e6
MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMIT_ID=${COMMIT_ID} "
2019-05-07 03:59:23 +00:00
MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
2021-05-18 06:47:54 +00:00
MAKEFLAGS+="ENABLE_SHIM_HASH=true "
2024-05-10 13:15:25 +00:00
MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 "
if [ -s vendor_db.esl ]; then
MAKEFLAGS="$MAKEFLAGS VENDOR_DB_FILE=../vendor_db.esl"
2019-05-07 03:59:23 +00:00
fi
2024-05-10 13:15:25 +00:00
if [ -s "%{SOURCE2}" ]; then
2019-05-07 03:59:23 +00:00
MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
fi
cd build-%{efiarch}
make ${MAKEFLAGS} \
DEFAULT_LOADER='\\\\grub%{efiarch}.efi' \
DESTDIR=${RPM_BUILD_ROOT} \
install-as-data install-debuginfo install-debugsource
cd ..
%files
%license COPYRIGHT
%dir %{shimrootdir}
%dir %{shimversiondir}
%dir %{shimdir}
2024-05-10 13:15:25 +00:00
%{shimdir}/*.CSV
2019-05-07 03:59:23 +00:00
%{shimdir}/*.efi
%{shimdir}/*.hash
%files debuginfo -f build-%{efiarch}/debugfiles.list
%files debugsource -f build-%{efiarch}/debugsource.list
%changelog
2024-05-10 13:15:25 +00:00
* Tue Mar 26 2024 Eduard Abdullin <eabdullin@almalinux.org> - 15.8-2.el9.alma.1
- Update to shim-15.8
* Wed Feb 07 2024 Peter Jones <pjones@redhat.com> - 15.8-2.el9
- Rebuild to fix the commit ident and MAKEFLAGS
Resolves: RHEL-11262
* Tue Jan 23 2024 Peter Jones <pjones@redhat.com> - 15.8-1.el9
- Update to shim-15.8 for CVE-2023-40547
Resolves: RHEL-11262
2022-06-17 13:15:44 +00:00
2022-06-16 13:19:17 +00:00
* Wed Jun 01 2022 Peter Jones <pjones@redhat.com> - 15.6-1.el9
2024-05-10 13:15:25 +00:00
- Update to shim-15.6 for CVE-2022-28737
* Tue May 24 2022 Peter Jones <pjones@redhat.com> - 15.6~rc1-1.el9
- Update to shim-15.6~rc1 for CVE-2022-28737
2022-06-16 13:19:17 +00:00
2022-05-17 10:47:43 +00:00
* Wed Mar 09 2022 Peter Jones <pjones@redhat.com> - 15.5-1
- Update to shim-15.5
Related: rhbz#1932057
2021-09-15 11:46:22 +00:00
2021-05-18 06:47:54 +00:00
* Thu Apr 01 2021 Peter Jones <pjones@redhat.com> - 15.4-4
- Fix the sbat data to actually match /this/ product.
Resolves: CVE-2020-14372
Resolves: CVE-2020-25632
Resolves: CVE-2020-25647
Resolves: CVE-2020-27749
Resolves: CVE-2020-27779
Resolves: CVE-2021-20225
Resolves: CVE-2021-20233
* Wed Mar 31 2021 Peter Jones <pjones@redhat.com> - 15.4-3
- Build with the correct certificate trust list for this OS.
Resolves: CVE-2020-14372
Resolves: CVE-2020-25632
Resolves: CVE-2020-25647
Resolves: CVE-2020-27749
Resolves: CVE-2020-27779
Resolves: CVE-2021-20225
Resolves: CVE-2021-20233
* Wed Mar 31 2021 Peter Jones <pjones@redhat.com> - 15.4-2
- Fix the ia32 build.
Resolves: CVE-2020-14372
Resolves: CVE-2020-25632
Resolves: CVE-2020-25647
Resolves: CVE-2020-27749
Resolves: CVE-2020-27779
Resolves: CVE-2021-20225
Resolves: CVE-2021-20233
* Tue Mar 30 2021 Peter Jones <pjones@redhat.com> - 15.4-1
- Update to shim 15.4
- Support for revocations via the ".sbat" section and SBAT EFI variable
- A new unit test framework and a bunch of unit tests
- No external gnu-efi dependency
- Better CI
Resolves: CVE-2020-14372
Resolves: CVE-2020-25632
Resolves: CVE-2020-25647
Resolves: CVE-2020-27749
Resolves: CVE-2020-27779
Resolves: CVE-2021-20225
Resolves: CVE-2021-20233
* Wed Mar 24 2021 Peter Jones <pjones@redhat.com> - 15.3-0~1
- Update to shim 15.3
- Support for revocations via the ".sbat" section and SBAT EFI variable
- A new unit test framework and a bunch of unit tests
- No external gnu-efi dependency
- Better CI
Resolves: CVE-2020-14372
Resolves: CVE-2020-25632
Resolves: CVE-2020-25647
Resolves: CVE-2020-27749
Resolves: CVE-2020-27779
Resolves: CVE-2021-20225
Resolves: CVE-2021-20233
2020-07-29 17:16:37 +00:00
* Wed Jun 05 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-3
- Make EFI variable copying fatal only on secureboot enabled systems
Resolves: rhbz#1715878
- Fix booting shim from an EFI shell using a relative path
Resolves: rhbz#1717064
2019-05-07 03:59:23 +00:00
* Tue Feb 12 2019 Peter Jones <pjones@redhat.com> - 15-2
- Fix MoK mirroring issue which breaks kdump without intervention
Related: rhbz#1668966
2022-05-17 10:47:43 +00:00
* Thu Apr 05 2018 Peter Jones <pjones@redhat.com> - 15-1
2019-05-07 03:59:23 +00:00
- Update to shim 15
2022-05-17 10:47:43 +00:00
- better checking for bad linker output
- flicker-free console if there's no error output
- improved http boot support
- better protocol re-installation
- dhcp proxy support
- tpm measurement even when verification is disabled
- REQUIRE_TPM build flag
- more reproducable builds
- measurement of everything verified through shim_verify()
- coverity and scan-build checker make targets
- misc cleanups
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 13-0.2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Fri Aug 18 2017 Peter Jones <pjones@redhat.com> - 13-0.1
2019-05-07 03:59:23 +00:00
- Make a new shim-unsigned-x64 package like the shim-unsigned-aarch64 one.
- This will (eventually) supersede what's in the "shim" package so we can
make "shim" hold the signed one, which will confuse fewer people.