Merge branch 'c8' into a8

This commit is contained in:
eabdullin 2022-06-17 15:37:53 +03:00
commit 05cdfa96b6
8 changed files with 83 additions and 139 deletions

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/shim-15.4.tar.bz2
SOURCES/shim-15.6.tar.bz2

View File

@ -1 +1 @@
d70485792a300bfa66f551adf7ae766451dfe7c0 SOURCES/shim-15.4.tar.bz2
3df0ab5cefc74fdf865cb36aea0e923cb4b6b3ed SOURCES/shim-15.6.tar.bz2

View File

@ -1,32 +0,0 @@
From 1bea91ba72165d97c3b453cf769cb4bc5c07207a Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 31 Mar 2021 14:54:52 -0400
Subject: [PATCH] Fix a broken file header on ia32
Commit c6281c6a195edee61185 needs to have included a ". = ALIGN(4096)"
directive before .reloc, but fails to do so.
As a result, binutils, which does not care about the actual binary
format's constraints in any way, does not enforce the section alignment,
and it will not load.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
elf_ia32_efi.lds | 1 +
1 file changed, 1 insertion(+)
diff --git a/elf_ia32_efi.lds b/elf_ia32_efi.lds
index 742e0a47a73..497a3a15265 100644
--- a/elf_ia32_efi.lds
+++ b/elf_ia32_efi.lds
@@ -15,6 +15,7 @@ SECTIONS
*(.gnu.linkonce.t.*)
_etext = .;
}
+ . = ALIGN(4096);
.reloc :
{
*(.reloc)
--
2.30.2

0
SOURCES/dbx.esl Normal file
View File

View File

@ -1 +1 @@
shim.cloudlinux,1,CloudLinux,shim,15.4-4,security@cloudlinux.com
shim.cloudlinux,2,CloudLinux,shim,15.6,security@cloudlinux.com

1 shim.cloudlinux 1 2 CloudLinux shim 15.4-4 15.6 security@cloudlinux.com

View File

@ -20,9 +20,9 @@ fi
findsource()
{
(
cd "${RPM_BUILD_ROOT}"
find usr/src/debug/ -type d | sed -e "s,^,%dir /," | sort -u | tac
find usr/src/debug/ -type f | sed -e "s,^,/," | sort -u | tac
cd ${RPM_BUILD_ROOT}
find usr/src/debug/ -type d | sed "s,^,%dir /,"
find usr/src/debug/ -type f | sed "s,^,/,"
)
}
@ -32,12 +32,9 @@ finddebug()
declare -a dirs=()
declare -a files=()
declare -a excludes=()
declare -a tmp=()
pushd "${RPM_BUILD_ROOT}" >/dev/null 2>&1
mapfile -t tmp < <(find usr/lib/debug/ -type f -iname "*.efi.debug")
for x in "${tmp[@]}" ; do
pushd ${RPM_BUILD_ROOT} >/dev/null 2>&1
for x in $(find usr/lib/debug/ -type f -iname *.efi.debug); do
if ! [ -e "${x}" ]; then
break
fi
@ -60,10 +57,8 @@ finddebug()
excludes[${#excludes[@]}]=${x%%.debug}
fi
done
for x in "${files[@]}" ; do
declare name
name=$(dirname "/${x}")
for x in ${files[@]} ; do
declare name=$(dirname /${x})
while [ "${name}" != "/" ]; do
case "${name}" in
"/usr/lib/debug"|"/usr/lib"|"/usr")
@ -72,24 +67,24 @@ finddebug()
dirs[${#dirs[@]}]=${name}
;;
esac
name=$(dirname "${name}")
name=$(dirname ${name})
done
done
popd >/dev/null 2>&1
for x in "${dirs[@]}" ; do
for x in ${dirs[@]} ; do
echo "%dir ${x}"
done | sort | uniq
for x in "${files[@]}" ; do
for x in ${files[@]} ; do
echo "/${x}"
done | sort | uniq
for x in "${excludes[@]}" ; do
for x in ${excludes[@]} ; do
echo "%exclude /${x}"
done
}
findsource > "build-${mainarch}/debugsource.list"
finddebug "${mainarch}" > "build-${mainarch}/debugfiles.list"
findsource > build-${mainarch}/debugsource.list
finddebug ${mainarch} > build-${mainarch}/debugfiles.list
if [ -v altarch ]; then
finddebug "${altarch}" > "build-${altarch}/debugfiles.list"
finddebug ${altarch} > build-${altarch}/debugfiles.list
fi

0
SOURCES/shim.patches Normal file
View File

View File

@ -1,6 +1,13 @@
%global pesign_vre 0.106-1
%global gnuefi_vre 1:3.0.5-6
%global openssl_vre 1.0.2j
%global debug_package %{nil}
%global __debug_package 1
%global _binaries_in_noarch_packages_terminate_build 0
%global __debug_install_post %{SOURCE100} x64 ia32
%undefine _debuginfo_subpackages
%global efidir almalinux
%global shimrootdir %{_datadir}/shim/
%global shimversiondir %{shimrootdir}/%{version}-%{release}
@ -9,32 +16,24 @@
%global efialtarch ia32
%global shimaltdir %{shimversiondir}/%{efialtarch}
%global debug_package %{nil}
%global __debug_package 1
%global _binaries_in_noarch_packages_terminate_build 0
%global __debug_install_post %{SOURCE100} %{efiarch} %{efialtarch}
%undefine _debuginfo_subpackages
# currently here's what's in our dbx: nothing
%global dbxfile %{nil}
Name: shim-unsigned-%{efiarch}
Version: 15.4
Release: 4%{?dist}.alma
Version: 15.6
Release: 1.el8.alma
Summary: First-stage UEFI bootloader
ExclusiveArch: x86_64
License: BSD
URL: https://github.com/rhboot/shim
Source0: https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2
Source1: clsecureboot001.cer
%if 0%{?dbxfile}
Source2: %{dbxfile}
%endif
# currently here's what's in our dbx:
# nothing.
Source2: dbx.esl
Source3: sbat.cloudlinux.csv
Source4: shim.patches
Source100: shim-find-debuginfo.sh
Patch0001: 0001-Fix-a-broken-file-header-on-ia32.patch
%include %{SOURCE4}
BuildRequires: gcc make
BuildRequires: elfutils-libelf-devel
@ -68,6 +67,7 @@ Provides: bundled(openssl) = %{openssl_vre}
%package debuginfo
Summary: Debug information for shim-unsigned-%{efiarch}
Requires: %{name}-debugsource = %{version}-%{release}
Group: Development/Debug
AutoReqProv: 0
BuildArch: noarch
@ -78,6 +78,7 @@ BuildArch: noarch
%package -n shim-unsigned-%{efialtarch}-debuginfo
Summary: Debug information for shim-unsigned-%{efialtarch}
Group: Development/Debug
Requires: %{name}-debugsource = %{version}-%{release}
AutoReqProv: 0
BuildArch: noarch
@ -94,7 +95,7 @@ BuildArch: noarch
%debug_desc
%prep
%autosetup -S git -n shim-%{version}
%autosetup -S git_am -n shim-%{version}
git config --unset user.email
git config --unset user.name
mkdir build-%{efiarch}
@ -107,14 +108,12 @@ MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
MAKEFLAGS+="ENABLE_SHIM_HASH=true "
MAKEFLAGS+="%{_smp_mflags}"
if [ -f "%{SOURCE1}" ]; then
if [ -s "%{SOURCE1}" ]; then
MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
fi
%if 0%{?dbxfile}
if [ -f "%{SOURCE2}" ]; then
if [ -s "%{SOURCE2}" ]; then
MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
fi
%endif
cd build-%{efiarch}
make ${MAKEFLAGS} \
@ -123,8 +122,7 @@ make ${MAKEFLAGS} \
cd ..
cd build-%{efialtarch}
setarch linux32 -B make ${MAKEFLAGS} \
ARCH=%{efialtarch} \
setarch linux32 -B make ${MAKEFLAGS} ARCH=%{efialtarch} \
DEFAULT_LOADER='\\\\grub%{efialtarch}.efi' \
all
cd ..
@ -133,15 +131,13 @@ cd ..
COMMITID=$(cat commit)
MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
MAKEFLAGS+="ENABLE_SHIM_HASH=true "
if [ -f "%{SOURCE1}" ]; then
MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true "
if [ -s "%{SOURCE1}" ]; then
MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
fi
%if 0%{?dbxfile}
if [ -f "%{SOURCE2}" ]; then
if [ -s "%{SOURCE2}" ]; then
MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
fi
%endif
cd build-%{efiarch}
make ${MAKEFLAGS} \
@ -151,8 +147,7 @@ make ${MAKEFLAGS} \
cd ..
cd build-%{efialtarch}
setarch linux32 make ${MAKEFLAGS} \
ARCH=%{efialtarch} \
setarch linux32 make ${MAKEFLAGS} ARCH=%{efialtarch} \
DEFAULT_LOADER='\\\\grub%{efialtarch}.efi' \
DESTDIR=${RPM_BUILD_ROOT} \
install-as-data install-debuginfo install-debugsource
@ -163,18 +158,18 @@ cd ..
%dir %{shimrootdir}
%dir %{shimversiondir}
%dir %{shimdir}
%{shimdir}/*.CSV
%{shimdir}/*.efi
%{shimdir}/*.hash
%{shimdir}/*.CSV
%files -n shim-unsigned-%{efialtarch}
%license COPYRIGHT
%dir %{shimrootdir}
%dir %{shimversiondir}
%dir %{shimaltdir}
%{shimaltdir}/*.CSV
%{shimaltdir}/*.efi
%{shimaltdir}/*.hash
%{shimaltdir}/*.CSV
%files debuginfo -f build-%{efiarch}/debugfiles.list
@ -183,66 +178,52 @@ cd ..
%files debugsource -f build-%{efiarch}/debugsource.list
%changelog
* Fri Apr 02 2021 Andrew Lukoshko <alukoshko@almalinux.org> - 15.4-4.alma
* Fri Jun 17 2022 Eduard Abdullin <eabdullin@almalinux.org> - 15.6-1.el8.alma
- Use CloudLinux vendor cert and SBAT entry
* Thu Apr 01 2021 Peter Jones <pjones@redhat.com> - 15.4-4
- Fix the sbat data to actually match /this/ product.
Resolves: CVE-2020-14372
Resolves: CVE-2020-25632
Resolves: CVE-2020-25647
Resolves: CVE-2020-27749
Resolves: CVE-2020-27779
Resolves: CVE-2021-20225
Resolves: CVE-2021-20233
* Wed Jun 01 2022 Peter Jones <pjones@redhat.com> - 15.6-1.el8
- Update to shim-15.6
Resolves: CVE-2022-28737
* Wed Mar 31 2021 Peter Jones <pjones@redhat.com> - 15.4-3
- Build with the correct certificate trust list for this OS.
Resolves: CVE-2020-14372
Resolves: CVE-2020-25632
Resolves: CVE-2020-25647
Resolves: CVE-2020-27749
Resolves: CVE-2020-27779
Resolves: CVE-2021-20225
Resolves: CVE-2021-20233
* Thu Sep 17 2020 Peter Jones <pjones@redhat.com> - 15-9.el8
- Fix an incorrect allocation size.
Related: rhbz#1877253
* Wed Mar 31 2021 Peter Jones <pjones@redhat.com> - 15.4-2
- Fix the ia32 build.
Resolves: CVE-2020-14372
Resolves: CVE-2020-25632
Resolves: CVE-2020-25647
Resolves: CVE-2020-27749
Resolves: CVE-2020-27779
Resolves: CVE-2021-20225
Resolves: CVE-2021-20233
* Thu Jul 30 2020 Peter Jones <pjones@redhat.com> - 15-8
- Fix a load-address-dependent forever loop.
Resolves: rhbz#1861977
Related: CVE-2020-10713
Related: CVE-2020-14308
Related: CVE-2020-14309
Related: CVE-2020-14310
Related: CVE-2020-14311
Related: CVE-2020-15705
Related: CVE-2020-15706
Related: CVE-2020-15707
* Tue Mar 30 2021 Peter Jones <pjones@redhat.com> - 15.4-1
- Update to shim 15.4
- Support for revocations via the ".sbat" section and SBAT EFI variable
- A new unit test framework and a bunch of unit tests
- No external gnu-efi dependency
- Better CI
Resolves: CVE-2020-14372
Resolves: CVE-2020-25632
Resolves: CVE-2020-25647
Resolves: CVE-2020-27749
Resolves: CVE-2020-27779
Resolves: CVE-2021-20225
Resolves: CVE-2021-20233
* Sat Jul 25 2020 Peter Jones <pjones@redhat.com> - 15-7
- Implement Lenny's workaround
Related: CVE-2020-10713
Related: CVE-2020-14308
Related: CVE-2020-14309
Related: CVE-2020-14310
Related: CVE-2020-14311
* Wed Mar 24 2021 Peter Jones <pjones@redhat.com> - 15.3-0~1
- Update to shim 15.3
- Support for revocations via the ".sbat" section and SBAT EFI variable
- A new unit test framework and a bunch of unit tests
- No external gnu-efi dependency
- Better CI
Resolves: CVE-2020-14372
Resolves: CVE-2020-25632
Resolves: CVE-2020-25647
Resolves: CVE-2020-27749
Resolves: CVE-2020-27779
Resolves: CVE-2021-20225
Resolves: CVE-2021-20233
* Fri Jul 24 2020 Peter Jones <pjones@redhat.com> - 15-5
- Once more with the MokListRT config table patch added.
Related: CVE-2020-10713
Related: CVE-2020-14308
Related: CVE-2020-14309
Related: CVE-2020-14310
Related: CVE-2020-14311
* Thu Jul 23 2020 Peter Jones <pjones@redhat.com> - 15-4
- Rebuild for bug fixes and new signing keys
Related: CVE-2020-10713
Related: CVE-2020-14308
Related: CVE-2020-14309
Related: CVE-2020-14310
Related: CVE-2020-14311
* Wed Jun 05 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-3
- Make EFI variable copying fatal only on secureboot enabled systems