diff --git a/SOURCES/0001-Fix-a-broken-file-header-on-ia32.patch b/SOURCES/0001-Fix-a-broken-file-header-on-ia32.patch deleted file mode 100644 index 1fbcb33..0000000 --- a/SOURCES/0001-Fix-a-broken-file-header-on-ia32.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 1bea91ba72165d97c3b453cf769cb4bc5c07207a Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Wed, 31 Mar 2021 14:54:52 -0400 -Subject: [PATCH] Fix a broken file header on ia32 - -Commit c6281c6a195edee61185 needs to have included a ". = ALIGN(4096)" -directive before .reloc, but fails to do so. - -As a result, binutils, which does not care about the actual binary -format's constraints in any way, does not enforce the section alignment, -and it will not load. - -Signed-off-by: Peter Jones ---- - elf_ia32_efi.lds | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/elf_ia32_efi.lds b/elf_ia32_efi.lds -index 742e0a47a73..497a3a15265 100644 ---- a/elf_ia32_efi.lds -+++ b/elf_ia32_efi.lds -@@ -15,6 +15,7 @@ SECTIONS - *(.gnu.linkonce.t.*) - _etext = .; - } -+ . = ALIGN(4096); - .reloc : - { - *(.reloc) --- -2.30.2 - diff --git a/SOURCES/clsecureboot001.cer b/SOURCES/clsecureboot001.cer new file mode 100644 index 0000000..ca9ce5d Binary files /dev/null and b/SOURCES/clsecureboot001.cer differ diff --git a/SOURCES/redhatsecurebootca5.cer b/SOURCES/redhatsecurebootca5.cer deleted file mode 100644 index dfb0284..0000000 Binary files a/SOURCES/redhatsecurebootca5.cer and /dev/null differ diff --git a/SOURCES/sbat.cloudlinux.csv b/SOURCES/sbat.cloudlinux.csv new file mode 100644 index 0000000..606757e --- /dev/null +++ b/SOURCES/sbat.cloudlinux.csv @@ -0,0 +1 @@ +shim.cloudlinux,2,CloudLinux,shim,15.6,security@cloudlinux.com diff --git a/SOURCES/sbat.redhat.csv b/SOURCES/sbat.redhat.csv deleted file mode 100644 index 2135543..0000000 --- a/SOURCES/sbat.redhat.csv +++ /dev/null @@ -1 +0,0 @@ -shim.redhat,1,Red Hat Inc,shim,15.5,secalert@redhat.com 
diff --git a/SPECS/shim-unsigned-x64.spec b/SPECS/shim-unsigned-x64.spec
index 6064d69..feb75a3 100644
--- a/SPECS/shim-unsigned-x64.spec
+++ b/SPECS/shim-unsigned-x64.spec
@@ -1,7 +1,7 @@
 %global pesign_vre 0.106-1
 %global openssl_vre 1.0.2j
-%global efidir %(eval echo $(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/'))
+%global efidir almalinux
 %global shimrootdir %{_datadir}/shim/
 %global shimversiondir %{shimrootdir}/%{version}-%{release}
 %global efiarch x64
@@ -20,17 +20,17 @@
 Name: shim-unsigned-%{efiarch}
 Version: 15.6
-Release: 1.el9
+Release: 1.el9.alma
 Summary: First-stage UEFI bootloader
 ExclusiveArch: x86_64
 License: BSD
 URL: https://github.com/rhboot/shim
 Source0: https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2
-Source1: redhatsecurebootca5.cer
+Source1: clsecureboot001.cer
 %if 0%{?dbxfile}
 Source2: %{dbxfile}
 %endif
-Source3: sbat.redhat.csv
+Source3: sbat.cloudlinux.csv
 Source4: shim.patches
 Source100: shim-find-debuginfo.sh
@@ -158,6 +158,9 @@ cd ..
 %files debugsource -f build-%{efiarch}/debugsource.list
 %changelog
+* Fri Jun 17 2022 Eduard Abdullin - 15.6-1.el9.alma
+- Use CloudLinux vendor cert and SBAT entry
+
 * Wed Jun 01 2022 Peter Jones - 15.6-1.el9
 - Update to shim-15.6
 Resolves: CVE-2022-28737
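Review bot: The new `%global efidir almalinux` line has no comment saying why the `/etc/os-release` lookup was replaced by a fixed string. Pinning the value makes the result independent of the build host, but a later maintainer cannot tell that this was the intent, and the changelog entry mentions only the cert and SBAT change. I would add a comment above it such as `# Pinned rather than derived from /etc/os-release so the EFI vendor directory does not depend on the build host.` If other packages are expected to use the same directory name, that is worth stating there too.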
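Review bot: `Source1: clsecureboot001.cer` points at a file this commit adds only as an opaque binary, so nothing reviewable on the page ties it to the intended CloudLinux CA. This is presumably the vendor certificate that shim embeds and trusts when verifying the next boot stage, so a wrong or substituted file here changes the trust anchor without any visible signal. I would record its identity next to the Source line, for example `# Source1 SHA-256 fingerprint: <EXPECTED_FINGERPRINT_PLACEHOLDER>`, and have %prep compare the file's digest against that value so a mismatch fails the build. The %prep section is outside this hunk, so I cannot tell whether such a check already exists.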