diff --git a/.gitignore b/.gitignore
index 668482d..40c85b5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
-SOURCES/shim-15.8.tar.bz2
+SOURCES/shim-15.6.tar.bz2
+SOURCES/vendor_db.esl
diff --git a/.shim-unsigned-x64.metadata b/.shim-unsigned-x64.metadata
index 89e9ccb..32d8426 100644
--- a/.shim-unsigned-x64.metadata
+++ b/.shim-unsigned-x64.metadata
@@ -1 +1,2 @@
-cdec924ca437a4509dcb178396996ddf92c11183 SOURCES/shim-15.8.tar.bz2
+3df0ab5cefc74fdf865cb36aea0e923cb4b6b3ed SOURCES/shim-15.6.tar.bz2
+f6bee13a25ff2a939d20965d7c192f871908c158 SOURCES/vendor_db.esl
diff --git a/SOURCES/almalinux-sb-cert-1.der b/SOURCES/almalinux-sb-cert-1.der
deleted file mode 100644
index 6a4e99b..0000000
Binary files a/SOURCES/almalinux-sb-cert-1.der and /dev/null differ
diff --git a/SOURCES/almalinux-sb-cert-2.der b/SOURCES/almalinux-sb-cert-2.der
deleted file mode 100644
index fad6c2c..0000000
Binary files a/SOURCES/almalinux-sb-cert-2.der and /dev/null differ
diff --git a/SOURCES/almalinux-sb-cert-3.der b/SOURCES/almalinux-sb-cert-3.der
deleted file mode 100644
index d086cd5..0000000
Binary files a/SOURCES/almalinux-sb-cert-3.der and /dev/null differ
diff --git a/SOURCES/dbx.esl b/SOURCES/dbx.esl
deleted file mode 100644
index e69de29..0000000
diff --git a/SOURCES/sbat.almalinux.csv b/SOURCES/sbat.almalinux.csv
index f2496f1..d64c2cf 100644
--- a/SOURCES/sbat.almalinux.csv
+++ b/SOURCES/sbat.almalinux.csv
@@ -1 +1 @@
-shim.almalinux,3,AlmaLinux,shim,15.8,security@almalinux.org
+shim.almalinux,2,AlmaLinux,shim,15.6,security@almalinux.org
diff --git a/SOURCES/shim-find-debuginfo.sh b/SOURCES/shim-find-debuginfo.sh
index 7e882ff..d656fc9 100755
--- a/SOURCES/shim-find-debuginfo.sh
+++ b/SOURCES/shim-find-debuginfo.sh
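Review bot: vendor_db.esl becomes a checked-in binary whose only provenance is the SHA-1 on the new `f6bee13a… SOURCES/vendor_db.esl` line, while the three DER certificates and owner GUIDs it was previously assembled from leave the repository (the almalinux-sb-cert-*.der deletions above and the removed openssl/cert-to-efi-sig-list steps in the spec). A reviewer can no longer see which Secure Boot signing certificates this shim will trust without dumping the ESL by hand, and a swapped blob passes as long as this hash line is updated with it. I would keep the DER files (or a text dump of the ESL) beside the blob and record in the spec something like `# vendor_db.esl: AlmaLinux SB certs 1-3 (GUIDs 9DD8A2AC…, 33D81FE3…, 50413300…), built with cert-to-efi-sig-list`, so the trust anchors stay reviewable. I am inferring the blob's contents from the removed build steps, so confirm before documenting them.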
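Review bot: The new `shim.almalinux,2,AlmaLinux,shim,15.6,…` line lowers the AlmaLinux SBAT generation from 3 back to 2 while the package itself goes from 15.8 back to 15.6; SBAT generations are revocation counters that are only meant to increase, so a shim carrying generation 2 will be refused by any firmware whose SbatLevel has already been raised to revoke `shim.almalinux,2`, and 15.6 predates the CVE-2023-40547 fix that the changelog lines removed later in this commit attribute to 15.8. If this is a deliberate downgrade rather than a diff generated in the reverse direction, the generation should stay at 3 (or be bumped) and the version column should describe what is actually built; if the diff is simply reversed, it should be regenerated the right way round. I can only infer the intent from the version numbers and changelog dates, so confirm which case applies.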
@@ -20,9 +20,9 @@ fi findsource() { ( - cd ${RPM_BUILD_ROOT} - find usr/src/debug/ -type d | sed "s,^,%dir /," - find usr/src/debug/ -type f | sed "s,^,/," + cd "${RPM_BUILD_ROOT}" + find usr/src/debug/ -type d | sed -e "s,^,%dir /," | sort -u | tac + find usr/src/debug/ -type f | sed -e "s,^,/," | sort -u | tac ) } @@ -32,9 +32,12 @@ finddebug() declare -a dirs=() declare -a files=() declare -a excludes=() + declare -a tmp=() - pushd ${RPM_BUILD_ROOT} >/dev/null 2>&1 - for x in $(find usr/lib/debug/ -type f -iname *.efi.debug); do + pushd "${RPM_BUILD_ROOT}" >/dev/null 2>&1 + + mapfile -t tmp < <(find usr/lib/debug/ -type f -iname "*.efi.debug") + for x in "${tmp[@]}" ; do if ! [ -e "${x}" ]; then break fi @@ -57,8 +60,10 @@ finddebug() excludes[${#excludes[@]}]=${x%%.debug} fi done - for x in ${files[@]} ; do - declare name=$(dirname /${x}) + for x in "${files[@]}" ; do + declare name + + name=$(dirname "/${x}") while [ "${name}" != "/" ]; do case "${name}" in "/usr/lib/debug"|"/usr/lib"|"/usr") @@ -67,24 +72,24 @@ finddebug() dirs[${#dirs[@]}]=${name} ;; esac - name=$(dirname ${name}) + name=$(dirname "${name}") done done popd >/dev/null 2>&1 - for x in ${dirs[@]} ; do + for x in "${dirs[@]}" ; do echo "%dir ${x}" done | sort | uniq - for x in ${files[@]} ; do + for x in "${files[@]}" ; do echo "/${x}" done | sort | uniq - for x in ${excludes[@]} ; do + for x in "${excludes[@]}" ; do echo "%exclude /${x}" done } -findsource > build-${mainarch}/debugsource.list -finddebug ${mainarch} > build-${mainarch}/debugfiles.list +findsource > "build-${mainarch}/debugsource.list" +finddebug "${mainarch}" > "build-${mainarch}/debugfiles.list" if [ -v altarch ]; then - finddebug ${altarch} > build-${altarch}/debugfiles.list + finddebug "${altarch}" > "build-${altarch}/debugfiles.list" fi diff --git a/SPECS/shim-unsigned-x64.spec b/SPECS/shim-unsigned-x64.spec index 863475d..caf9cfa 100644 --- a/SPECS/shim-unsigned-x64.spec +++ b/SPECS/shim-unsigned-x64.spec 
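Review bot: The quoted `cd "${RPM_BUILD_ROOT}"` still ignores failure, so when the variable is empty or the directory is missing the subshell carries on and `find usr/src/debug/` lists whatever sits under the caller's cwd, silently producing a wrong debugsource.list; `cd "${RPM_BUILD_ROOT}" || exit 1` stops the subshell instead. The added `| sort -u | tac` also deserves a one-line comment — presumably it reverses the sorted list so deeper paths are emitted before their parents — because the reason for `tac` is not visible from the pipeline itself.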
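Review bot: `pushd "${RPM_BUILD_ROOT}" >/dev/null 2>&1` discards its exit status, so an unset or missing build root makes the following `find usr/lib/debug/` run from the wrong directory and finddebug returns an empty or wrong list with no error; `pushd "${RPM_BUILD_ROOT}" >/dev/null 2>&1 || return 1` makes the failure visible to the caller. The `mapfile -t tmp < <(find … -iname "*.efi.debug")` rewrite is otherwise the right fix for the unquoted glob and word-splitting of the old loop. finddebug's body continues outside this hunk.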
@@ -15,26 +15,26 @@ %global __debug_install_post %{SOURCE100} %{efiarch} %{efialtarch} %undefine _debuginfo_subpackages +# currently here's what's in our dbx: nothing +%global dbxfile %{nil} + Name: shim-unsigned-%{efiarch} -Version: 15.8 -Release: 2.el9.alma.1 +Version: 15.6 +Release: 1.el9.alma.1 Summary: First-stage UEFI bootloader ExclusiveArch: x86_64 License: BSD URL: https://github.com/rhboot/shim Source0: https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2 -# currently here's what's in our dbx: -# nothing. -Source2: dbx.esl +Source1: vendor_db.esl +%if 0%{?dbxfile} +Source2: %{dbxfile} +%endif Source3: sbat.almalinux.csv Source4: shim.patches Source100: shim-find-debuginfo.sh -Source101: almalinux-sb-cert-1.der -Source102: almalinux-sb-cert-2.der -Source103: almalinux-sb-cert-3.der - %include %{SOURCE4} BuildRequires: gcc make 
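Review bot: `%if 0%{?dbxfile}` on the new side can never enable the dbx: with `dbxfile` defined as `%{nil}` it expands to `0`, but as soon as someone sets it to a file name it expands to something like `0dbx.esl`, which rpm's expression parser will not accept as a boolean, so the spec fails to parse instead of picking up Source2. The `0%{?var}` idiom only works for numeric values; for a path use `%if "%{?dbxfile}" != ""` here and in the matching `%if` guards in %build and %install. A short comment such as `# set dbxfile to an ESL file name to embed a vendor dbx; leave empty for none` would also tell the next maintainer how the knob is meant to be used.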
@@ -103,27 +103,19 @@ mkdir build-%{efialtarch} cp %{SOURCE3} data/ %build -# Prepare vendor_db.esl file -openssl x509 -inform DER -in %{SOURCE101} -out 01.pem -openssl x509 -inform DER -in %{SOURCE102} -out 02.pem -openssl x509 -inform DER -in %{SOURCE103} -out 03.pem -cert-to-efi-sig-list -g 9DD8A2AC-0977-4AEF-99A0-E794FD2A31FE 01.pem 01.esl -cert-to-efi-sig-list -g 33D81FE3-5EC0-44F8-AB02-C9DA554F63D8 02.pem 02.esl -cert-to-efi-sig-list -g 50413300-1AC7-49DA-B755-BB0D93E634B6 03.pem 03.esl -cat 01.esl 02.esl 03.esl > vendor_db.esl - -COMMIT_ID=5914984a1ffeab841f482c791426d7ca9935a5e6 -MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMIT_ID=${COMMIT_ID} " +COMMITID=$(cat commit) +MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} " MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} " MAKEFLAGS+="ENABLE_SHIM_HASH=true " -MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 " MAKEFLAGS+="%{_smp_mflags}" -if [ -s vendor_db.esl ]; then - MAKEFLAGS="$MAKEFLAGS VENDOR_DB_FILE=../vendor_db.esl" +if [ -f "%{SOURCE1}" ]; then + MAKEFLAGS="$MAKEFLAGS VENDOR_DB_FILE=%{SOURCE1}" fi -if [ -s "%{SOURCE2}" ]; then +%if 0%{?dbxfile} +if [ -f "%{SOURCE2}" ]; then MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}" fi +%endif cd build-%{efiarch} make ${MAKEFLAGS} \ 
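Review bot: `if [ -f "%{SOURCE1}" ]` turns a missing vendor_db.esl into a successful build of a shim with no vendor db, and the switch from `-s` to `-f` now also accepts a zero-byte ESL, which the previous check deliberately skipped; since embedding the AlmaLinux vendor db is the point of this package, the flag should be unconditional (`MAKEFLAGS="$MAKEFLAGS VENDOR_DB_FILE=%{SOURCE1}"`) or the guard should fail loudly with an `else exit 1`. `COMMITID=$(cat commit)` likewise assumes the unpacked tarball ships a `commit` file; if it does not, an empty COMMITID reaches make unless rpmbuild runs the scriptlet with `set -e`, which I cannot confirm from here, so a preceding `test -s commit` would make the requirement explicit.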
@@ -132,17 +124,18 @@ make ${MAKEFLAGS} \ cd .. %install -COMMIT_ID=5914984a1ffeab841f482c791426d7ca9935a5e6 -MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMIT_ID=${COMMIT_ID} " +COMMITID=$(cat commit) +MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} " MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} " MAKEFLAGS+="ENABLE_SHIM_HASH=true " -MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 " -if [ -s vendor_db.esl ]; then - MAKEFLAGS="$MAKEFLAGS VENDOR_DB_FILE=../vendor_db.esl" +if [ -f "%{SOURCE1}" ]; then + MAKEFLAGS="$MAKEFLAGS VENDOR_DB_FILE=%{SOURCE1}" fi -if [ -s "%{SOURCE2}" ]; then +%if 0%{?dbxfile} +if [ -f "%{SOURCE2}" ]; then MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}" fi +%endif cd build-%{efiarch} make ${MAKEFLAGS} \ @@ -156,31 +149,21 @@ cd .. %dir %{shimrootdir} %dir %{shimversiondir} %dir %{shimdir} -%{shimdir}/*.CSV %{shimdir}/*.efi %{shimdir}/*.hash +%{shimdir}/*.CSV %files debuginfo -f build-%{efiarch}/debugfiles.list %files debugsource -f build-%{efiarch}/debugsource.list %changelog -* Tue Mar 26 2024 Eduard Abdullin - 15.8-2.el9.alma.1 -- Update to shim-15.8 - -* Wed Feb 07 2024 Peter Jones - 15.8-2.el9 -- Rebuild to fix the commit ident and MAKEFLAGS - Resolves: RHEL-11262 - -* Tue Jan 23 2024 Peter Jones - 15.8-1.el9 -- Update to shim-15.8 for CVE-2023-40547 - Resolves: RHEL-11262 +* Thu Mar 09 2023 Eduard Abdullin - 15.6-1.el9.alma.1 +- Use AlmaLinux vendor cert and SBAT entry * Wed Jun 01 2022 Peter Jones - 15.6-1.el9 -- Update to shim-15.6 for CVE-2022-28737 - -* Tue May 24 2022 Peter Jones - 15.6~rc1-1.el9 -- Update to shim-15.6~rc1 for CVE-2022-28737 +- Update to shim-15.6 + Resolves: CVE-2022-28737 * Wed Mar 09 2022 Peter Jones - 15.5-1 - Update to shim-15.5
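Review bot: The %install section now repeats, line for line, the MAKEFLAGS construction from %build (`COMMITID=$(cat commit)`, the EFIDIR/PKGNAME/RELEASE and ENABLE_SHIM_HASH flags, and both `if` guards), so any future edit to one that is not mirrored in the other lets `make install` re-run a build with different inputs than the artefact that was actually tested. Hoisting the shared flags into a single `%global shim_makeflags …` (or a helper script defined once and sourced from both sections) keeps the two in step. The `if [ -f "%{SOURCE1}" ]` guard here has the same silent-skip behaviour as the one in %build: a missing or empty vendor_db.esl yields a shim without a vendor db rather than a failed build.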