Update shim to 15.8 for CentOS Stream 9

Resolves: RHEL-4391 Signed-off-by: Brian Stinson <bstinson@redhat.com>
2024-02-11 14:34:14 -06:00 · 2024-02-11 14:34:14 -06:00 · d4af647090
commit d4af647090
parent 3b90d8001a
6 changed files with 16 additions and 10 deletions
--- a/redhatsecureboot502.cer
+++ b/redhatsecureboot502.cer
--- a/redhatsecurebootca5.cer
+++ b/redhatsecurebootca5.cer
--- a/sbat.centos.csv
+++ b/sbat.centos.csv
@ -0,0 +1 @@
+shim.centos,3,The CentOS Project,shim,15.8,security@centos.org
--- a/sbat.redhat.csv
+++ b/sbat.redhat.csv
@ -1 +0,0 @@
-shim.redhat,1,Red Hat Inc,shim,15.5,secalert@redhat.com
--- a/shim-unsigned-x64.spec
+++ b/shim-unsigned-x64.spec
@ -19,18 +19,17 @@
 %global dbxfile %{nil}

 Name:		shim-unsigned-%{efiarch}
-Version:	15.6
-Release:	1.el9
+Version:	15.8
+Release:	1.el9.centos
 Summary:	First-stage UEFI bootloader
 ExclusiveArch:	x86_64
 License:	BSD
 URL:		https://github.com/rhboot/shim
 Source0:	https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2
-Source1:	redhatsecurebootca5.cer
 %if 0%{?dbxfile}
 Source2:	%{dbxfile}
 %endif
-Source3:	sbat.redhat.csv
+Source3:	sbat.centos.csv
 Source4:	shim.patches

 Source100:	shim-find-debuginfo.sh
@ -42,6 +41,7 @@ BuildRequires:	elfutils-libelf-devel
 BuildRequires:	git openssl-devel openssl
 BuildRequires:	pesign >= %{pesign_vre}
 BuildRequires:	dos2unix findutils
+BuildRequires:  system-sb-certs

 # Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
 # compatible with SysV (there's no red zone under UEFI) and there isn't a
@ -107,9 +107,10 @@ COMMITID=$(cat commit)
 MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
 MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
 MAKEFLAGS+="ENABLE_SHIM_HASH=true "
+MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 "
 MAKEFLAGS+="%{_smp_mflags}"
-if [ -f "%{SOURCE1}" ]; then
-	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
+if [ -f "/etc/pki/sb-certs/secureboot-ca-x86_64.cer" ]; then
+	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=/etc/pki/sb-certs/secureboot-ca-x86_64.cer"
 fi
 %if 0%{?dbxfile}
 if [ -f "%{SOURCE2}" ]; then
@ -128,8 +129,9 @@ COMMITID=$(cat commit)
 MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
 MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
 MAKEFLAGS+="ENABLE_SHIM_HASH=true "
-if [ -f "%{SOURCE1}" ]; then
-	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
+MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 "
+if [ -f "/etc/pki/sb-certs/secureboot-ca-x86_64.cer" ]; then
+	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=/etc/pki/sb-certs/secureboot-ca-x86_64.cer"
 fi
 %if 0%{?dbxfile}
 if [ -f "%{SOURCE2}" ]; then
@ -158,6 +160,10 @@ cd ..
 %files debugsource -f build-%{efiarch}/debugsource.list

 %changelog
+* Thu Feb 08 2024 Brian Stinson <bstinson@redhat.com> - 15.8-1.el9.centos
+- Update to shim-15.8
+  Resolves: RHEL-4391
+
 * Wed Jun 01 2022 Peter Jones <pjones@redhat.com> - 15.6-1.el9
 - Update to shim-15.6
  Resolves: CVE-2022-28737
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (shim-15.6.tar.bz2) = ddc5d5234851d05ed7124ad748ad3fee2df8a335493948a045653322c873f3f055d34894aeb2ac7495086984ca62183907d341e46e6bdf108856e39c646455fc
+SHA512 (shim-15.8.tar.bz2) = 30b3390ae935121ea6fe728d8f59d37ded7b918ad81bea06e213464298b4bdabbca881b30817965bd397facc596db1ad0b8462a84c87896ce6c1204b19371cd1
				`@ -0,0 +1 @@`
				`shim.centos,3,The CentOS Project,shim,15.8,security@centos.org`
				`@ -1 +0,0 @@`
				`shim.redhat,1,Red Hat Inc,shim,15.5,secalert@redhat.com`