From d4af6470909fca24b647d2a30498ede37c852826 Mon Sep 17 00:00:00 2001 From: Brian Stinson Date: Sun, 11 Feb 2024 14:34:14 -0600 Subject: [PATCH] Update shim to 15.8 for CentOS Stream 9 Resolves: RHEL-4391 Signed-off-by: Brian Stinson --- redhatsecureboot502.cer | Bin 964 -> 0 bytes redhatsecurebootca5.cer | Bin 920 -> 0 bytes sbat.centos.csv | 1 + sbat.redhat.csv | 1 - shim-unsigned-x64.spec | 22 ++++++++++++++-------- sources | 2 +- 6 files changed, 16 insertions(+), 10 deletions(-) delete mode 100644 redhatsecureboot502.cer delete mode 100644 redhatsecurebootca5.cer create mode 100644 sbat.centos.csv delete mode 100644 sbat.redhat.csv diff --git a/redhatsecureboot502.cer b/redhatsecureboot502.cer deleted file mode 100644 index be0b5e211ccf8ad7ba74c88841c921cfdbad5a70..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 964 zcmXqLVm@Hd#I#}oGZP~d6DPygP|MB7r^(JU;AP{~YV&CO&dbQi&B|a9ZzyIU!p0oR z!o|ZIl$xU8kyxUm;F*`KXQ*f(4-#kQk${RT1g9pK7NsgU<>!|uI6Eqs8Y&qmz)j<1 z6ca8^O-{^7Eh=#+N=?Z~EYVBO&oz(}=QT1gFf*_;G%zqQGL91GHMTG?G_-(n4bpHr zK*K-{;sAMU4hYUn&&$k9S1>g&BFY_2j7rFUXJlnyZerwTFlb`rVrpV!WVlw+5~fxp zlC4%={*?v=&XRBAh?w3|ekJhoz zKe*}Ss+-Dp3y#N}_#^e|W8doa9aT(wxO?y2p89Cbu3Q!=zP!k}$2XsU9VoV!m$7=u zaXE&jl}!J>*zj`9usQhLT4_#)+wqRaoS&{Uz0p%LI=p$>w%yj@jOK-#m#OZnogtKa zXx0-|7pa7a%Pt;nc|B=yqk7|#ij=DjlCF{bKHcw(tDZ=IoA@v;?(+N1K5vh6$0wbX zowLen&AF!%E3#rkR^7F4a=E#$KV5;`11Av2kd# zF|x9 z$k^rSH+lBn4DN|8WwYk@BgYLeT>|5Vkzw{NgZMQ5DIkiD~`h}y9{<=D~#ILx2 z!|e$CoGxy;)T!q_Y)P}vi)7| puC*wrU@|^yJWH`pNJ3}E-0bhMGuf{5G|c)nwXm(hxVvuYUH~CAajXCU diff --git a/redhatsecurebootca5.cer b/redhatsecurebootca5.cer deleted file mode 100644 index dfb0284954861282d1a0ce16c8c5cdc71c27659f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 920 zcmXqLVxD5q#8k6@nTe5!iIbtZm{+@~;bN2lFB_*;n@8JsUPeZ4RtAH3LoovpHs(+k zE*{>X)D#7e#1b6^&%9(kLq!95kT^4s1XNrhI5oMnC{@8JKfgr5*-^pNP{}|6ZW6NxP$#b?ru1p1aqn$3D)YB{Qqo zjCvjz?|=HkE#3AN-xTZpws*U~)f@DZ{t~uwMZy8<;F%jD%$u6!n#qYzp^Sryh{C;x9qf@!N=T4ui@b#({ zSD&^p3kNZ=9lAQ9%xdfP9doNToV+k2^LHOFD{5oE&78StJa^8n7$i2k94PWc<&xr*# z`sciS&XK#@>h!OC8{=mczNLHbADCJ+pE=-CsaDOF#s}?5Q)1qq&%R~#cz>QmiAiVx zk5XXYstAL9d+iK-w@u$FESybMIPOFY~9lmn~9nUf%vMc88@((p0B(#qL+!COmt7`j5IhPVzo{cRPw} Pd!}BnFF!b8N6JS4>O*3Z diff --git a/sbat.centos.csv b/sbat.centos.csv new file mode 100644 index 0000000..23fbdf3 --- /dev/null +++ b/sbat.centos.csv @@ -0,0 +1 @@ +shim.centos,3,The CentOS Project,shim,15.8,security@centos.org diff --git a/sbat.redhat.csv b/sbat.redhat.csv deleted file mode 100644 index 2135543..0000000 --- a/sbat.redhat.csv +++ /dev/null @@ -1 +0,0 @@ -shim.redhat,1,Red Hat Inc,shim,15.5,secalert@redhat.com diff --git a/shim-unsigned-x64.spec b/shim-unsigned-x64.spec index 6064d69..da20eb7 100644 --- a/shim-unsigned-x64.spec +++ b/shim-unsigned-x64.spec @@ -19,18 +19,17 @@ %global dbxfile %{nil} Name: shim-unsigned-%{efiarch} -Version: 15.6 -Release: 1.el9 +Version: 15.8 +Release: 1.el9.centos Summary: First-stage UEFI bootloader ExclusiveArch: x86_64 License: BSD URL: https://github.com/rhboot/shim Source0: https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2 -Source1: redhatsecurebootca5.cer %if 0%{?dbxfile} Source2: %{dbxfile} %endif -Source3: sbat.redhat.csv +Source3: sbat.centos.csv Source4: shim.patches Source100: shim-find-debuginfo.sh @@ -42,6 +41,7 @@ BuildRequires: elfutils-libelf-devel BuildRequires: git openssl-devel openssl BuildRequires: pesign >= %{pesign_vre} BuildRequires: dos2unix findutils +BuildRequires: system-sb-certs # Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not # compatible with SysV (there's no red zone under UEFI) and there isn't a @@ -107,9 +107,10 @@ COMMITID=$(cat commit) MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} " MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} " MAKEFLAGS+="ENABLE_SHIM_HASH=true " +MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 " MAKEFLAGS+="%{_smp_mflags}" -if [ -f "%{SOURCE1}" ]; then - MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}" +if [ -f "/etc/pki/sb-certs/secureboot-ca-x86_64.cer" ]; then + MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=/etc/pki/sb-certs/secureboot-ca-x86_64.cer" fi %if 0%{?dbxfile} if [ -f "%{SOURCE2}" ]; then @@ -128,8 +129,9 @@ COMMITID=$(cat commit) MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} " MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} " MAKEFLAGS+="ENABLE_SHIM_HASH=true " -if [ -f "%{SOURCE1}" ]; then - MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}" +MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 " +if [ -f "/etc/pki/sb-certs/secureboot-ca-x86_64.cer" ]; then + MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=/etc/pki/sb-certs/secureboot-ca-x86_64.cer" fi %if 0%{?dbxfile} if [ -f "%{SOURCE2}" ]; then @@ -158,6 +160,10 @@ cd .. %files debugsource -f build-%{efiarch}/debugsource.list %changelog +* Thu Feb 08 2024 Brian Stinson - 15.8-1.el9.centos +- Update to shim-15.8 + Resolves: RHEL-4391 + * Wed Jun 01 2022 Peter Jones - 15.6-1.el9 - Update to shim-15.6 Resolves: CVE-2022-28737 diff --git a/sources b/sources index bcb0302..5428b75 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (shim-15.6.tar.bz2) = ddc5d5234851d05ed7124ad748ad3fee2df8a335493948a045653322c873f3f055d34894aeb2ac7495086984ca62183907d341e46e6bdf108856e39c646455fc +SHA512 (shim-15.8.tar.bz2) = 30b3390ae935121ea6fe728d8f59d37ded7b918ad81bea06e213464298b4bdabbca881b30817965bd397facc596db1ad0b8462a84c87896ce6c1204b19371cd1