import shim-unsigned-x64-15.5-1.el9

This commit is contained in:
CentOS Sources 2022-05-17 06:47:43 -04:00 committed by Stepan Oksanichenko
commit 5f4f053428
6 changed files with 348 additions and 0 deletions

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
SOURCES/shim-15.5.tar.bz2

View File

@ -0,0 +1 @@
b91f5eaced7ba1dcaef266af10763461889be5df SOURCES/shim-15.5.tar.bz2

Binary file not shown.

1
SOURCES/sbat.redhat.csv Normal file
View File

@ -0,0 +1 @@
shim.redhat,1,Red Hat Inc,shim,15.5,secalert@redhat.com
1 shim.redhat 1 Red Hat Inc shim 15.5 secalert@redhat.com

95
SOURCES/shim-find-debuginfo.sh Executable file
View File

@ -0,0 +1,95 @@
#!/bin/bash
#
# shim-find-debuginfo.sh
# Copyright (C) 2017 Peter Jones <Peter Jones@random>
#
# Distributed under terms of the GPLv3 license.
#
set -e
set -u
mainarch=$1 && shift
if [ $# == 1 ]; then
altarch=$1 && shift
fi
if ! [ -v RPM_BUILD_ROOT ]; then
echo "RPM_BUILD_ROOT must be set" 1>&2
exit 1
fi
findsource()
{
(
cd "${RPM_BUILD_ROOT}"
find usr/src/debug/ -type d | sed -e "s,^,%dir /," | sort -u | tac
find usr/src/debug/ -type f | sed -e "s,^,/," | sort -u | tac
)
}
finddebug()
{
arch=$1 && shift
declare -a dirs=()
declare -a files=()
declare -a excludes=()
declare -a tmp=()
pushd "${RPM_BUILD_ROOT}" >/dev/null 2>&1
mapfile -t tmp < <(find usr/lib/debug/ -type f -iname "*.efi.debug")
for x in "${tmp[@]}" ; do
if ! [ -e "${x}" ]; then
break
fi
if [[ ${x} =~ ${arch}\.efi\.debug$ ]]; then
files[${#files[@]}]=${x}
else
excludes[${#excludes[@]}]=${x}
fi
done
for x in usr/lib/debug/.build-id/*/*.debug ; do
if ! [ -e "${x}" ]; then
break
fi
link=$(readlink "${x}")
if [[ ${link} =~ ${arch}\.efi\.debug$ ]]; then
files[${#files[@]}]=${x}
files[${#files[@]}]=${x%%.debug}
else
excludes[${#excludes[@]}]=${x}
excludes[${#excludes[@]}]=${x%%.debug}
fi
done
for x in "${files[@]}" ; do
declare name
name=$(dirname "/${x}")
while [ "${name}" != "/" ]; do
case "${name}" in
"/usr/lib/debug"|"/usr/lib"|"/usr")
;;
*)
dirs[${#dirs[@]}]=${name}
;;
esac
name=$(dirname "${name}")
done
done
popd >/dev/null 2>&1
for x in "${dirs[@]}" ; do
echo "%dir ${x}"
done | sort | uniq
for x in "${files[@]}" ; do
echo "/${x}"
done | sort | uniq
for x in "${excludes[@]}" ; do
echo "%exclude /${x}"
done
}
findsource > "build-${mainarch}/debugsource.list"
finddebug "${mainarch}" > "build-${mainarch}/debugfiles.list"
if [ -v altarch ]; then
finddebug "${altarch}" > "build-${altarch}/debugfiles.list"
fi

View File

@ -0,0 +1,250 @@
%global pesign_vre 0.106-1
%global openssl_vre 1.0.2j
%global efidir %(eval echo $(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/'))
%global shimrootdir %{_datadir}/shim/
%global shimversiondir %{shimrootdir}/%{version}-%{release}
%global efiarch x64
%global shimdir %{shimversiondir}/%{efiarch}
%global efialtarch ia32
%global shimaltdir %{shimversiondir}/%{efialtarch}
%global debug_package %{nil}
%global __debug_package 1
%global _binaries_in_noarch_packages_terminate_build 0
%global __debug_install_post %{SOURCE100} %{efiarch} %{efialtarch}
%undefine _debuginfo_subpackages
# currently here's what's in our dbx: nothing
%global dbxfile %{nil}
Name: shim-unsigned-%{efiarch}
Version: 15.5
Release: 1.el9
Summary: First-stage UEFI bootloader
ExclusiveArch: x86_64
License: BSD
URL: https://github.com/rhboot/shim
Source0: https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2
Source1: redhatsecurebootca5.cer
%if 0%{?dbxfile}
Source2: %{dbxfile}
%endif
Source3: sbat.redhat.csv
Source100: shim-find-debuginfo.sh
BuildRequires: gcc make
BuildRequires: elfutils-libelf-devel
BuildRequires: git openssl-devel openssl
BuildRequires: pesign >= %{pesign_vre}
BuildRequires: dos2unix findutils
# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
# compatible with SysV (there's no red zone under UEFI) and there isn't a
# POSIX-style C library.
# BuildRequires: OpenSSL
Provides: bundled(openssl) = %{openssl_vre}
%global desc \
Initial UEFI bootloader that handles chaining to a trusted full \
bootloader under secure boot environments.
%global debug_desc \
This package provides debug information for package %{expand:%%{name}} \
Debug information is useful when developing applications that \
use this package or when debugging this package.
%description
%desc
%package -n shim-unsigned-%{efialtarch}
Summary: First-stage UEFI bootloader (unsigned data)
Provides: bundled(openssl) = %{openssl_vre}
%description -n shim-unsigned-%{efialtarch}
%desc
%package debuginfo
Summary: Debug information for shim-unsigned-%{efiarch}
Group: Development/Debug
AutoReqProv: 0
BuildArch: noarch
%description debuginfo
%debug_desc
%package -n shim-unsigned-%{efialtarch}-debuginfo
Summary: Debug information for shim-unsigned-%{efialtarch}
Group: Development/Debug
AutoReqProv: 0
BuildArch: noarch
%description -n shim-unsigned-%{efialtarch}-debuginfo
%debug_desc
%package debugsource
Summary: Debug Source for shim-unsigned
Group: Development/Debug
AutoReqProv: 0
BuildArch: noarch
%description debugsource
%debug_desc
%prep
%autosetup -S git -n shim-%{version}
git config --unset user.email
git config --unset user.name
mkdir build-%{efiarch}
mkdir build-%{efialtarch}
cp %{SOURCE3} data/
%build
COMMITID=$(cat commit)
MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
MAKEFLAGS+="ENABLE_SHIM_HASH=true "
MAKEFLAGS+="%{_smp_mflags}"
if [ -f "%{SOURCE1}" ]; then
MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
fi
%if 0%{?dbxfile}
if [ -f "%{SOURCE2}" ]; then
MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
fi
%endif
cd build-%{efiarch}
make ${MAKEFLAGS} \
DEFAULT_LOADER='\\\\grub%{efiarch}.efi' \
all
cd ..
%install
COMMITID=$(cat commit)
MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
MAKEFLAGS+="ENABLE_SHIM_HASH=true "
if [ -f "%{SOURCE1}" ]; then
MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
fi
%if 0%{?dbxfile}
if [ -f "%{SOURCE2}" ]; then
MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
fi
%endif
cd build-%{efiarch}
make ${MAKEFLAGS} \
DEFAULT_LOADER='\\\\grub%{efiarch}.efi' \
DESTDIR=${RPM_BUILD_ROOT} \
install-as-data install-debuginfo install-debugsource
cd ..
%files
%license COPYRIGHT
%dir %{shimrootdir}
%dir %{shimversiondir}
%dir %{shimdir}
%{shimdir}/*.efi
%{shimdir}/*.hash
%{shimdir}/*.CSV
%files debuginfo -f build-%{efiarch}/debugfiles.list
%files debugsource -f build-%{efiarch}/debugsource.list
%changelog
* Wed Mar 09 2022 Peter Jones <pjones@redhat.com> - 15.5-1
- Update to shim-15.5
Related: rhbz#1932057
* Thu Apr 01 2021 Peter Jones <pjones@redhat.com> - 15.4-4
- Fix the sbat data to actually match /this/ product.
Resolves: CVE-2020-14372
Resolves: CVE-2020-25632
Resolves: CVE-2020-25647
Resolves: CVE-2020-27749
Resolves: CVE-2020-27779
Resolves: CVE-2021-20225
Resolves: CVE-2021-20233
* Wed Mar 31 2021 Peter Jones <pjones@redhat.com> - 15.4-3
- Build with the correct certificate trust list for this OS.
Resolves: CVE-2020-14372
Resolves: CVE-2020-25632
Resolves: CVE-2020-25647
Resolves: CVE-2020-27749
Resolves: CVE-2020-27779
Resolves: CVE-2021-20225
Resolves: CVE-2021-20233
* Wed Mar 31 2021 Peter Jones <pjones@redhat.com> - 15.4-2
- Fix the ia32 build.
Resolves: CVE-2020-14372
Resolves: CVE-2020-25632
Resolves: CVE-2020-25647
Resolves: CVE-2020-27749
Resolves: CVE-2020-27779
Resolves: CVE-2021-20225
Resolves: CVE-2021-20233
* Tue Mar 30 2021 Peter Jones <pjones@redhat.com> - 15.4-1
- Update to shim 15.4
- Support for revocations via the ".sbat" section and SBAT EFI variable
- A new unit test framework and a bunch of unit tests
- No external gnu-efi dependency
- Better CI
Resolves: CVE-2020-14372
Resolves: CVE-2020-25632
Resolves: CVE-2020-25647
Resolves: CVE-2020-27749
Resolves: CVE-2020-27779
Resolves: CVE-2021-20225
Resolves: CVE-2021-20233
* Wed Mar 24 2021 Peter Jones <pjones@redhat.com> - 15.3-0~1
- Update to shim 15.3
- Support for revocations via the ".sbat" section and SBAT EFI variable
- A new unit test framework and a bunch of unit tests
- No external gnu-efi dependency
- Better CI
Resolves: CVE-2020-14372
Resolves: CVE-2020-25632
Resolves: CVE-2020-25647
Resolves: CVE-2020-27749
Resolves: CVE-2020-27779
Resolves: CVE-2021-20225
Resolves: CVE-2021-20233
* Wed Jun 05 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-3
- Make EFI variable copying fatal only on secureboot enabled systems
Resolves: rhbz#1715878
- Fix booting shim from an EFI shell using a relative path
Resolves: rhbz#1717064
* Tue Feb 12 2019 Peter Jones <pjones@redhat.com> - 15-2
- Fix MoK mirroring issue which breaks kdump without intervention
Related: rhbz#1668966
* Thu Apr 05 2018 Peter Jones <pjones@redhat.com> - 15-1
- Update to shim 15
- better checking for bad linker output
- flicker-free console if there's no error output
- improved http boot support
- better protocol re-installation
- dhcp proxy support
- tpm measurement even when verification is disabled
- REQUIRE_TPM build flag
- more reproducable builds
- measurement of everything verified through shim_verify()
- coverity and scan-build checker make targets
- misc cleanups
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 13-0.2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Fri Aug 18 2017 Peter Jones <pjones@redhat.com> - 13-0.1
- Make a new shim-unsigned-x64 package like the shim-unsigned-aarch64 one.
- This will (eventually) supersede what's in the "shim" package so we can
make "shim" hold the signed one, which will confuse fewer people.