diff --git a/.gitignore b/.gitignore
index 6b84d7a..668482d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/shim-15.6.tar.bz2
+SOURCES/shim-15.8.tar.bz2
diff --git a/.shim-unsigned-x64.metadata b/.shim-unsigned-x64.metadata
index b5fa713..89e9ccb 100644
--- a/.shim-unsigned-x64.metadata
+++ b/.shim-unsigned-x64.metadata
@@ -1 +1 @@
-3df0ab5cefc74fdf865cb36aea0e923cb4b6b3ed SOURCES/shim-15.6.tar.bz2
+cdec924ca437a4509dcb178396996ddf92c11183 SOURCES/shim-15.8.tar.bz2
diff --git a/SOURCES/almalinux-sb-cert-1.der b/SOURCES/almalinux-sb-cert-1.der
new file mode 100644
index 0000000..6a4e99b
Binary files /dev/null and b/SOURCES/almalinux-sb-cert-1.der differ
diff --git a/SOURCES/almalinux-sb-cert-2.der b/SOURCES/almalinux-sb-cert-2.der
new file mode 100644
index 0000000..fad6c2c
Binary files /dev/null and b/SOURCES/almalinux-sb-cert-2.der differ
diff --git a/SOURCES/almalinux-sb-cert-3.der b/SOURCES/almalinux-sb-cert-3.der
new file mode 100644
index 0000000..d086cd5
Binary files /dev/null and b/SOURCES/almalinux-sb-cert-3.der differ
diff --git a/SOURCES/sbat.almalinux.csv b/SOURCES/sbat.almalinux.csv
index d64c2cf..f2496f1 100644
--- a/SOURCES/sbat.almalinux.csv
+++ b/SOURCES/sbat.almalinux.csv
@@ -1 +1 @@
-shim.almalinux,2,AlmaLinux,shim,15.6,security@almalinux.org
+shim.almalinux,3,AlmaLinux,shim,15.8,security@almalinux.org
diff --git a/SOURCES/vendor_db.esl b/SOURCES/vendor_db.esl
deleted file mode 100644
index 146fd75..0000000
Binary files a/SOURCES/vendor_db.esl and /dev/null differ
diff --git a/SPECS/shim-unsigned-x64.spec b/SPECS/shim-unsigned-x64.spec
index 5f9bfd8..3cd02e8 100644
--- a/SPECS/shim-unsigned-x64.spec
+++ b/SPECS/shim-unsigned-x64.spec
@@ -17,14 +17,13 @@ %global shimaltdir %{shimversiondir}/%{efialtarch}
 Name: shim-unsigned-%{efiarch}
-Version: 15.6
-Release: 1.el8.alma.1
+Version: 15.8
+Release: 2.el8.alma.1
 Summary: First-stage UEFI bootloader
 ExclusiveArch: x86_64
 License: BSD
 URL: https://github.com/rhboot/shim
 Source0: https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2
-Source1: vendor_db.esl
 # currently here's what's in our dbx:
 # nothing.
 Source2: dbx.esl
@@ -33,6 +32,10 @@ Source4: shim.patches
 Source100: shim-find-debuginfo.sh
+Source101: almalinux-sb-cert-1.der
+Source102: almalinux-sb-cert-2.der
+Source103: almalinux-sb-cert-3.der
+
 %include %{SOURCE4}
 BuildRequires: gcc make
@@ -40,6 +43,7 @@ BuildRequires: elfutils-libelf-devel
 BuildRequires: git openssl-devel openssl
 BuildRequires: pesign >= %{pesign_vre}
 BuildRequires: dos2unix findutils
+BuildRequires: efitools
 # Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
 # compatible with SysV (there's no red zone under UEFI) and there isn't a
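Review bot: `Source101`–`Source103` are added in the second hunk without any comment saying what the three DER files are, while the neighbouring `Source2` entry documents what is in dbx; a comment such as `# AlmaLinux Secure Boot vendor certificates (DER); converted into vendor_db.esl in %build` above `Source101` would tell a reviewer what ends up in shim's vendor allow-list. The same change drops the shipped `Source1: vendor_db.esl` in the first hunk in favour of a file generated at build time, which is worth stating in that comment as well so the next maintainer does not look for the binary in SOURCES.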
@@ -103,13 +107,23 @@ mkdir build-%{efialtarch}
 cp %{SOURCE3} data/
 %build
-COMMITID=$(cat commit)
-MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
+# Prepare vendor_db.esl file
+openssl x509 -inform DER -in %{SOURCE101} -out 01.pem
+openssl x509 -inform DER -in %{SOURCE102} -out 02.pem
+openssl x509 -inform DER -in %{SOURCE103} -out 03.pem
+cert-to-efi-sig-list -g 9DD8A2AC-0977-4AEF-99A0-E794FD2A31FE 01.pem 01.esl
+cert-to-efi-sig-list -g 33D81FE3-5EC0-44F8-AB02-C9DA554F63D8 02.pem 02.esl
+cert-to-efi-sig-list -g 50413300-1AC7-49DA-B755-BB0D93E634B6 03.pem 03.esl
+cat 01.esl 02.esl 03.esl > vendor_db.esl
+
+COMMIT_ID=5914984a1ffeab841f482c791426d7ca9935a5e6
+MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMIT_ID=${COMMIT_ID} "
 MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
 MAKEFLAGS+="ENABLE_SHIM_HASH=true "
+MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 "
 MAKEFLAGS+="%{_smp_mflags}"
-if [ -s "%{SOURCE1}" ]; then
- MAKEFLAGS="$MAKEFLAGS VENDOR_DB_FILE=%{SOURCE1}"
+if [ -s vendor_db.esl ]; then
+ MAKEFLAGS="$MAKEFLAGS VENDOR_DB_FILE=../vendor_db.esl"
 fi
 if [ -s "%{SOURCE2}" ]; then
 MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
@@ -128,12 +142,13 @@ setarch linux32 -B make ${MAKEFLAGS} ARCH=%{efialtarch} \
 cd ..
 %install
-COMMITID=$(cat commit)
-MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
+COMMIT_ID=5914984a1ffeab841f482c791426d7ca9935a5e6
+MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMIT_ID=${COMMIT_ID} "
 MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
 MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true "
-if [ -s "%{SOURCE1}" ]; then
- MAKEFLAGS="$MAKEFLAGS VENDOR_DB_FILE=%{SOURCE1}"
+MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 "
+if [ -s vendor_db.esl ]; then
+ MAKEFLAGS="$MAKEFLAGS VENDOR_DB_FILE=../vendor_db.esl"
 fi
 if [ -s "%{SOURCE2}" ]; then
 MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
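Review bot: The three DER certificates are converted and concatenated into vendor_db.esl in %build without any check that they are the certificates this spec was reviewed with, so a wrong or substituted file in SOURCES is silently embedded into shim's vendor allow-list; pinning each certificate's SHA-256 fingerprint before the `cert-to-efi-sig-list` calls makes the build fail loudly instead (fingerprints are placeholders below and must be filled in from the reviewed certs). The `-g` owner GUIDs are also undocumented — a comment such as `# SignatureOwner GUIDs labelling each vendor_db entry; kept stable across rebuilds` above the first `cert-to-efi-sig-list` line would help. The literal `COMMIT_ID=5914984a1ffeab841f482c791426d7ca9935a5e6` and `MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 "` are now repeated verbatim here and in the %install hunk that follows; hoisting them into `%global shim_commit_id 5914984a1ffeab841f482c791426d7ca9935a5e6` and `%global sbat_automatic_date 2023012900` near the top of the spec keeps the two copies from drifting on the next update, and the choice of the SBAT automatic date deserves a one-line comment at that definition.
```rpm-spec
# Prepare vendor_db.esl file
openssl x509 -inform DER -in %{SOURCE101} -out 01.pem
openssl x509 -inform DER -in %{SOURCE102} -out 02.pem
openssl x509 -inform DER -in %{SOURCE103} -out 03.pem
# Refuse to build if a vendor cert is not the one this spec was reviewed with.
check_fp() {
  actual=$(openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2)
  [ "$actual" = "$2" ] || { echo "unexpected fingerprint for $1: $actual" >&2; exit 1; }
}
check_fp 01.pem '<SHA256-FINGERPRINT-OF-almalinux-sb-cert-1.der>'
check_fp 02.pem '<SHA256-FINGERPRINT-OF-almalinux-sb-cert-2.der>'
check_fp 03.pem '<SHA256-FINGERPRINT-OF-almalinux-sb-cert-3.der>'
# … unchanged: cert-to-efi-sig-list calls, cat into vendor_db.esl, MAKEFLAGS …
```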
@@ -178,8 +193,16 @@ cd ..
 %files debugsource -f build-%{efiarch}/debugsource.list
 %changelog
-* Mon Jun 20 2022 Andrew Lukoshko - 15.6-1.el8.alma.1
-- Use AlmaLinux cert and SBAT entry
+* Tue Mar 26 2024 Eduard Abdullin - 15.8-2.el8.alma.1
+- Update to shim-15.8
+
+* Wed Feb 07 2024 Peter Jones - 15.8-2.el8
+- Rebuild to fix the commit ident and MAKEFLAGS
+ Resolves: RHEL-11259
+
+* Tue Dec 05 2023 Peter Jones - 15.8-1.el8
+- Update to shim-15.8 for CVE-2023-40547
+ Resolves: RHEL-11259
 * Wed Jun 01 2022 Peter Jones - 15.6-1.el8
 - Update to shim-15.6