rpms
/
shim-unsigned-x64
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import shim-unsigned-x64-15.5-1.el8

This commit is contained in:
CentOS Sources 2022-05-10 03:21:35 -04:00 committed by Stepan Oksanichenko
parent a4d57b33a0
commit c4b36b74dd
6 changed files with 67 additions and 128 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/shim-15.4.tar.bz2 SOURCES/shim-15.5.tar.bz2

2
.shim-unsigned-x64.metadata
View File

@ -1 +1 @@
d70485792a300bfa66f551adf7ae766451dfe7c0 SOURCES/shim-15.4.tar.bz2 b91f5eaced7ba1dcaef266af10763461889be5df SOURCES/shim-15.5.tar.bz2

32
SOURCES/0001-Fix-a-broken-file-header-on-ia32.patch
View File

@ -1,32 +0,0 @@
From 1bea91ba72165d97c3b453cf769cb4bc5c07207a Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 31 Mar 2021 14:54:52 -0400
Subject: [PATCH] Fix a broken file header on ia32
Commit c6281c6a195edee61185 needs to have included a ". = ALIGN(4096)"
directive before .reloc, but fails to do so.
As a result, binutils, which does not care about the actual binary
format's constraints in any way, does not enforce the section alignment,
and it will not load.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
elf_ia32_efi.lds | 1 +
1 file changed, 1 insertion(+)
diff --git a/elf_ia32_efi.lds b/elf_ia32_efi.lds
index 742e0a47a73..497a3a15265 100644
--- a/elf_ia32_efi.lds
+++ b/elf_ia32_efi.lds
@@ -15,6 +15,7 @@ SECTIONS
*(.gnu.linkonce.t.*)
_etext = .;
}
+ . = ALIGN(4096);
.reloc :
{
*(.reloc)
--
2.30.2

2
SOURCES/sbat.redhat.csv
View File

@ -1 +1 @@
shim.redhat,1,Red Hat,shim,15.4-4,secalert@redhat.com shim.redhat,1,Red Hat Inc,shim,15.5,secalert@redhat.com

1 shim.redhat 1 Red Hat Red Hat Inc shim 15.4-4 15.5 secalert@redhat.com

33
SOURCES/shim-find-debuginfo.sh
View File

@ -20,9 +20,9 @@ fi
findsource() findsource()
{ {
( (
cd "${RPM_BUILD_ROOT}" cd ${RPM_BUILD_ROOT}
find usr/src/debug/ -type d | sed -e "s,^,%dir /," | sort -u | tac find usr/src/debug/ -type d | sed "s,^,%dir /,"
find usr/src/debug/ -type f | sed -e "s,^,/," | sort -u | tac find usr/src/debug/ -type f | sed "s,^,/,"
) )
} }
@ -32,12 +32,9 @@ finddebug()
declare -a dirs=() declare -a dirs=()
declare -a files=() declare -a files=()
declare -a excludes=() declare -a excludes=()
declare -a tmp=()
pushd "${RPM_BUILD_ROOT}" >/dev/null 2>&1 pushd ${RPM_BUILD_ROOT} >/dev/null 2>&1
for x in $(find usr/lib/debug/ -type f -iname *.efi.debug); do
mapfile -t tmp < <(find usr/lib/debug/ -type f -iname "*.efi.debug")
for x in "${tmp[@]}" ; do
if ! [ -e "${x}" ]; then if ! [ -e "${x}" ]; then
break break
fi fi
@ -60,10 +57,8 @@ finddebug()
excludes[${#excludes[@]}]=${x%%.debug} excludes[${#excludes[@]}]=${x%%.debug}
fi fi
done done
for x in "${files[@]}" ; do for x in ${files[@]} ; do
declare name declare name=$(dirname /${x})
name=$(dirname "/${x}")
while [ "${name}" != "/" ]; do while [ "${name}" != "/" ]; do
case "${name}" in case "${name}" in
"/usr/lib/debug"|"/usr/lib"|"/usr") "/usr/lib/debug"|"/usr/lib"|"/usr")
@ -72,24 +67,24 @@ finddebug()
dirs[${#dirs[@]}]=${name} dirs[${#dirs[@]}]=${name}
;; ;;
esac esac
name=$(dirname "${name}") name=$(dirname ${name})
done done
done done
popd >/dev/null 2>&1 popd >/dev/null 2>&1
for x in "${dirs[@]}" ; do for x in ${dirs[@]} ; do
echo "%dir ${x}" echo "%dir ${x}"
done | sort | uniq done | sort | uniq
for x in "${files[@]}" ; do for x in ${files[@]} ; do
echo "/${x}" echo "/${x}"
done | sort | uniq done | sort | uniq
for x in "${excludes[@]}" ; do for x in ${excludes[@]} ; do
echo "%exclude /${x}" echo "%exclude /${x}"
done done
} }
findsource > "build-${mainarch}/debugsource.list" findsource > build-${mainarch}/debugsource.list
finddebug "${mainarch}" > "build-${mainarch}/debugfiles.list" finddebug ${mainarch} > build-${mainarch}/debugfiles.list
if [ -v altarch ]; then if [ -v altarch ]; then
finddebug "${altarch}" > "build-${altarch}/debugfiles.list" finddebug ${altarch} > build-${altarch}/debugfiles.list
fi fi

124
SPECS/shim-unsigned-x64.spec
View File

@ -19,8 +19,8 @@
%global dbxfile %{nil} %global dbxfile %{nil}
Name: shim-unsigned-%{efiarch} Name: shim-unsigned-%{efiarch}
Version: 15.4 Version: 15.5
Release: 4%{?dist} Release: 1.el8
Summary: First-stage UEFI bootloader Summary: First-stage UEFI bootloader
ExclusiveArch: x86_64 ExclusiveArch: x86_64
License: BSD License: BSD
@ -34,8 +34,6 @@ Source3: sbat.redhat.csv
Source100: shim-find-debuginfo.sh Source100: shim-find-debuginfo.sh
Patch0001: 0001-Fix-a-broken-file-header-on-ia32.patch
BuildRequires: gcc make BuildRequires: gcc make
BuildRequires: elfutils-libelf-devel BuildRequires: elfutils-libelf-devel
BuildRequires: git openssl-devel openssl BuildRequires: git openssl-devel openssl
@ -68,6 +66,7 @@ Provides: bundled(openssl) = %{openssl_vre}
%package debuginfo %package debuginfo
Summary: Debug information for shim-unsigned-%{efiarch} Summary: Debug information for shim-unsigned-%{efiarch}
Requires: %{name}-debugsource = %{version}-%{release}
Group: Development/Debug Group: Development/Debug
AutoReqProv: 0 AutoReqProv: 0
BuildArch: noarch BuildArch: noarch
@ -78,6 +77,7 @@ BuildArch: noarch
%package -n shim-unsigned-%{efialtarch}-debuginfo %package -n shim-unsigned-%{efialtarch}-debuginfo
Summary: Debug information for shim-unsigned-%{efialtarch} Summary: Debug information for shim-unsigned-%{efialtarch}
Group: Development/Debug Group: Development/Debug
Requires: %{name}-debugsource = %{version}-%{release}
AutoReqProv: 0 AutoReqProv: 0
BuildArch: noarch BuildArch: noarch
@ -107,26 +107,19 @@ MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} " MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
MAKEFLAGS+="ENABLE_SHIM_HASH=true " MAKEFLAGS+="ENABLE_SHIM_HASH=true "
MAKEFLAGS+="%{_smp_mflags}" MAKEFLAGS+="%{_smp_mflags}"
if [ -f "%{SOURCE1}" ]; then if [ -s "%{SOURCE1}" ]; then
MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}" MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
fi fi
%if 0%{?dbxfile} if [ -s "%{SOURCE2}" ]; then
if [ -f "%{SOURCE2}" ]; then
MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}" MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
fi fi
%endif
cd build-%{efiarch} cd build-%{efiarch}
make ${MAKEFLAGS} \ make ${MAKEFLAGS} DEFAULT_LOADER='\\\\grub%{efiarch}.efi' all
DEFAULT_LOADER='\\\\grub%{efiarch}.efi' \
all
cd .. cd ..
cd build-%{efialtarch} cd build-%{efialtarch}
setarch linux32 -B make ${MAKEFLAGS} \ setarch linux32 -B make ${MAKEFLAGS} ARCH=%{efialtarch} DEFAULT_LOADER='\\\\grub%{efialtarch}.efi' all
ARCH=%{efialtarch} \
DEFAULT_LOADER='\\\\grub%{efialtarch}.efi' \
all
cd .. cd ..
%install %install
@ -134,14 +127,12 @@ COMMITID=$(cat commit)
MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} " MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} " MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
MAKEFLAGS+="ENABLE_SHIM_HASH=true " MAKEFLAGS+="ENABLE_SHIM_HASH=true "
if [ -f "%{SOURCE1}" ]; then if [ -s "%{SOURCE1}" ]; then
MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}" MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
fi fi
%if 0%{?dbxfile} if [ -s "%{SOURCE2}" ]; then
if [ -f "%{SOURCE2}" ]; then
MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}" MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
fi fi
%endif
cd build-%{efiarch} cd build-%{efiarch}
make ${MAKEFLAGS} \ make ${MAKEFLAGS} \
@ -151,8 +142,7 @@ make ${MAKEFLAGS} \
cd .. cd ..
cd build-%{efialtarch} cd build-%{efialtarch}
setarch linux32 make ${MAKEFLAGS} \ setarch linux32 make ${MAKEFLAGS} ARCH=%{efialtarch} \
ARCH=%{efialtarch} \
DEFAULT_LOADER='\\\\grub%{efialtarch}.efi' \ DEFAULT_LOADER='\\\\grub%{efialtarch}.efi' \
DESTDIR=${RPM_BUILD_ROOT} \ DESTDIR=${RPM_BUILD_ROOT} \
install-as-data install-debuginfo install-debugsource install-as-data install-debuginfo install-debugsource
@ -183,63 +173,49 @@ cd ..
%files debugsource -f build-%{efiarch}/debugsource.list %files debugsource -f build-%{efiarch}/debugsource.list
%changelog %changelog
* Thu Apr 01 2021 Peter Jones <pjones@redhat.com> - 15.4-4 * Wed Mar 09 2022 Peter Jones <pjones@redhat.com> - 15.5-1.el8
- Fix the sbat data to actually match /this/ product. - Update to shim-15.5
Resolves: CVE-2020-14372 Related: rhbz#1982071
Resolves: CVE-2020-25632
Resolves: CVE-2020-25647
Resolves: CVE-2020-27749
Resolves: CVE-2020-27779
Resolves: CVE-2021-20225
Resolves: CVE-2021-20233
* Wed Mar 31 2021 Peter Jones <pjones@redhat.com> - 15.4-3 * Thu Sep 17 2020 Peter Jones <pjones@redhat.com> - 15-9.el8
- Build with the correct certificate trust list for this OS. - Fix an incorrect allocation size.
Resolves: CVE-2020-14372 Related: rhbz#1877253
Resolves: CVE-2020-25632
Resolves: CVE-2020-25647
Resolves: CVE-2020-27749
Resolves: CVE-2020-27779
Resolves: CVE-2021-20225
Resolves: CVE-2021-20233
* Wed Mar 31 2021 Peter Jones <pjones@redhat.com> - 15.4-2 * Thu Jul 30 2020 Peter Jones <pjones@redhat.com> - 15-8
- Fix the ia32 build. - Fix a load-address-dependent forever loop.
Resolves: CVE-2020-14372 Resolves: rhbz#1861977
Resolves: CVE-2020-25632 Related: CVE-2020-10713
Resolves: CVE-2020-25647 Related: CVE-2020-14308
Resolves: CVE-2020-27749 Related: CVE-2020-14309
Resolves: CVE-2020-27779 Related: CVE-2020-14310
Resolves: CVE-2021-20225 Related: CVE-2020-14311
Resolves: CVE-2021-20233 Related: CVE-2020-15705
Related: CVE-2020-15706
Related: CVE-2020-15707
* Tue Mar 30 2021 Peter Jones <pjones@redhat.com> - 15.4-1 * Sat Jul 25 2020 Peter Jones <pjones@redhat.com> - 15-7
- Update to shim 15.4 - Implement Lenny's workaround
- Support for revocations via the ".sbat" section and SBAT EFI variable Related: CVE-2020-10713
- A new unit test framework and a bunch of unit tests Related: CVE-2020-14308
- No external gnu-efi dependency Related: CVE-2020-14309
- Better CI Related: CVE-2020-14310
Resolves: CVE-2020-14372 Related: CVE-2020-14311
Resolves: CVE-2020-25632
Resolves: CVE-2020-25647
Resolves: CVE-2020-27749
Resolves: CVE-2020-27779
Resolves: CVE-2021-20225
Resolves: CVE-2021-20233
* Wed Mar 24 2021 Peter Jones <pjones@redhat.com> - 15.3-0~1 * Fri Jul 24 2020 Peter Jones <pjones@redhat.com> - 15-5
- Update to shim 15.3 - Once more with the MokListRT config table patch added.
- Support for revocations via the ".sbat" section and SBAT EFI variable Related: CVE-2020-10713
- A new unit test framework and a bunch of unit tests Related: CVE-2020-14308
- No external gnu-efi dependency Related: CVE-2020-14309
- Better CI Related: CVE-2020-14310
Resolves: CVE-2020-14372 Related: CVE-2020-14311
Resolves: CVE-2020-25632
Resolves: CVE-2020-25647 * Thu Jul 23 2020 Peter Jones <pjones@redhat.com> - 15-4
Resolves: CVE-2020-27749 - Rebuild for bug fixes and new signing keys
Resolves: CVE-2020-27779 Related: CVE-2020-10713
Resolves: CVE-2021-20225 Related: CVE-2020-14308
Resolves: CVE-2021-20233 Related: CVE-2020-14309
Related: CVE-2020-14310
Related: CVE-2020-14311
* Wed Jun 05 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-3 * Wed Jun 05 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-3
- Make EFI variable copying fatal only on secureboot enabled systems - Make EFI variable copying fatal only on secureboot enabled systems