diff --git a/redhatsecureboot502.cer b/redhatsecureboot502.cer deleted file mode 100644 index be0b5e2..0000000 Binary files a/redhatsecureboot502.cer and /dev/null differ diff --git a/redhatsecurebootca5.cer b/redhatsecurebootca5.cer deleted file mode 100644 index dfb0284..0000000 Binary files a/redhatsecurebootca5.cer and /dev/null differ diff --git a/sbat.centos.csv b/sbat.centos.csv new file mode 100644 index 0000000..23fbdf3 --- /dev/null +++ b/sbat.centos.csv @@ -0,0 +1 @@ +shim.centos,3,The CentOS Project,shim,15.8,security@centos.org diff --git a/sbat.redhat.csv b/sbat.redhat.csv deleted file mode 100644 index 2135543..0000000 --- a/sbat.redhat.csv +++ /dev/null @@ -1 +0,0 @@ -shim.redhat,1,Red Hat Inc,shim,15.5,secalert@redhat.com diff --git a/shim-unsigned-x64.spec b/shim-unsigned-x64.spec index 6064d69..da20eb7 100644 --- a/shim-unsigned-x64.spec +++ b/shim-unsigned-x64.spec @@ -19,18 +19,17 @@ %global dbxfile %{nil} Name: shim-unsigned-%{efiarch} -Version: 15.6 -Release: 1.el9 +Version: 15.8 +Release: 1.el9.centos Summary: First-stage UEFI bootloader ExclusiveArch: x86_64 License: BSD URL: https://github.com/rhboot/shim Source0: https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2 -Source1: redhatsecurebootca5.cer %if 0%{?dbxfile} Source2: %{dbxfile} %endif -Source3: sbat.redhat.csv +Source3: sbat.centos.csv Source4: shim.patches Source100: shim-find-debuginfo.sh @@ -42,6 +41,7 @@ BuildRequires: elfutils-libelf-devel BuildRequires: git openssl-devel openssl BuildRequires: pesign >= %{pesign_vre} BuildRequires: dos2unix findutils +BuildRequires: system-sb-certs # Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not # compatible with SysV (there's no red zone under UEFI) and there isn't a @@ -107,9 +107,10 @@ COMMITID=$(cat commit) MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} " MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} " MAKEFLAGS+="ENABLE_SHIM_HASH=true " +MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 " MAKEFLAGS+="%{_smp_mflags}" -if [ -f "%{SOURCE1}" ]; then - MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}" +if [ -f "/etc/pki/sb-certs/secureboot-ca-x86_64.cer" ]; then + MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=/etc/pki/sb-certs/secureboot-ca-x86_64.cer" fi %if 0%{?dbxfile} if [ -f "%{SOURCE2}" ]; then @@ -128,8 +129,9 @@ COMMITID=$(cat commit) MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} " MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} " MAKEFLAGS+="ENABLE_SHIM_HASH=true " -if [ -f "%{SOURCE1}" ]; then - MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}" +MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 " +if [ -f "/etc/pki/sb-certs/secureboot-ca-x86_64.cer" ]; then + MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=/etc/pki/sb-certs/secureboot-ca-x86_64.cer" fi %if 0%{?dbxfile} if [ -f "%{SOURCE2}" ]; then @@ -158,6 +160,10 @@ cd .. %files debugsource -f build-%{efiarch}/debugsource.list %changelog +* Thu Feb 08 2024 Brian Stinson - 15.8-1.el9.centos +- Update to shim-15.8 + Resolves: RHEL-4391 + * Wed Jun 01 2022 Peter Jones - 15.6-1.el9 - Update to shim-15.6 Resolves: CVE-2022-28737 diff --git a/sources b/sources index bcb0302..5428b75 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (shim-15.6.tar.bz2) = ddc5d5234851d05ed7124ad748ad3fee2df8a335493948a045653322c873f3f055d34894aeb2ac7495086984ca62183907d341e46e6bdf108856e39c646455fc +SHA512 (shim-15.8.tar.bz2) = 30b3390ae935121ea6fe728d8f59d37ded7b918ad81bea06e213464298b4bdabbca881b30817965bd397facc596db1ad0b8462a84c87896ce6c1204b19371cd1