From dcebb53574b7f0b2c7db1882e2336980507861bd Mon Sep 17 00:00:00 2001
From: Brian Stinson
Date: Sun, 11 Feb 2024 15:46:09 -0600
Subject: [PATCH] Update to shim 15.8 in CentOS Stream 8
Resolves: RHEL-4391
Signed-off-by: Brian Stinson
---
 .gitignore | 8 ++
 README.md | 3 +
 sbat.centos.csv | 1 +
 secureboot-ca-x86_64.cer | Bin 0 -> 870 bytes
 shim-find-debuginfo.sh | 90 ++++++++++++++
 shim-unsigned-x64.spec | 260 +++++++++++++++++++++++++++++++++++++++
 shim.patches | 0
 sources | 1 +
 8 files changed, 363 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 README.md
 create mode 100644 sbat.centos.csv
 create mode 100644 secureboot-ca-x86_64.cer
 create mode 100755 shim-find-debuginfo.sh
 create mode 100644 shim-unsigned-x64.spec
 create mode 100644 shim.patches
 create mode 100644 sources
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..b908d57
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,8 @@
+*~
+*.tar.*
+*.rpm
+.build*.log
+.*.sw?
+clog
+rhtest.cer
+shim-*/
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..6a035ab
--- /dev/null
+++ b/README.md
@@ -0,0 +1,3 @@
+# shim-unsigned-x64
+
+The shim-unsigned-x64 package
diff --git a/sbat.centos.csv b/sbat.centos.csv
new file mode 100644
index 0000000..23fbdf3
--- /dev/null
+++ b/sbat.centos.csv
@@ -0,0 +1 @@
+shim.centos,3,The CentOS Project,shim,15.8,security@centos.org 
diff --git a/secureboot-ca-x86_64.cer b/secureboot-ca-x86_64.cer new file mode 100644 index 0000000000000000000000000000000000000000..42bdfcfbcda649796099fdc87bbe9dc58e2348d5 GIT binary patch literal 870 zcmXqLVoow>V)9zR%*4pV#L3VZSoN;M+UU0dFB_*;n@8JsUPeZ4Rt5t%Lj?mlHs(+k zW*%|p)Vvb^V1?k+zWand9m0rCz?btasy17qhCd~{zWSac7_phd5=E4lAo4tExT(TE@+xh11 zL5)4kX7}9{H-;C9i_BQIp!>|pw1_)NO3`N}XwL +# +# Distributed under terms of the GPLv3 license. +# +set -e +set -u + +mainarch=$1 && shift +if [ $# == 1 ]; then + altarch=$1 && shift +fi +if ! [ -v RPM_BUILD_ROOT ]; then + echo "RPM_BUILD_ROOT must be set" 1>&2 + exit 1 +fi + +findsource() +{ + ( + cd ${RPM_BUILD_ROOT} + find usr/src/debug/ -type d | sed "s,^,%dir /," + find usr/src/debug/ -type f | sed "s,^,/," + ) +} + +finddebug() +{ + arch=$1 && shift + declare -a dirs=() + declare -a files=() + declare -a excludes=() + + pushd ${RPM_BUILD_ROOT} >/dev/null 2>&1 + for x in $(find usr/lib/debug/ -type f -iname *.efi.debug); do + if ! [ -e "${x}" ]; then + break + fi + if [[ ${x} =~ ${arch}\.efi\.debug$ ]]; then + files[${#files[@]}]=${x} + else + excludes[${#excludes[@]}]=${x} + fi + done + for x in usr/lib/debug/.build-id/*/*.debug ; do + if ! 
[ -e "${x}" ]; then
+ break
+ fi
+ link=$(readlink "${x}")
+ if [[ ${link} =~ ${arch}\.efi\.debug$ ]]; then
+ files[${#files[@]}]=${x}
+ files[${#files[@]}]=${x%%.debug}
+ else
+ excludes[${#excludes[@]}]=${x}
+ excludes[${#excludes[@]}]=${x%%.debug}
+ fi
+ done
+ for x in ${files[@]} ; do
+ declare name=$(dirname /${x})
+ while [ "${name}" != "/" ]; do
+ case "${name}" in
+ "/usr/lib/debug"|"/usr/lib"|"/usr")
+ ;;
+ *)
+ dirs[${#dirs[@]}]=${name}
+ ;;
+ esac
+ name=$(dirname ${name})
+ done
+ done
+
+ popd >/dev/null 2>&1
+ for x in ${dirs[@]} ; do
+ echo "%dir ${x}"
+ done | sort | uniq
+ for x in ${files[@]} ; do
+ echo "/${x}"
+ done | sort | uniq
+ for x in ${excludes[@]} ; do
+ echo "%exclude /${x}"
+ done
+}
+
+findsource > build-${mainarch}/debugsource.list
+finddebug ${mainarch} > build-${mainarch}/debugfiles.list
+if [ -v altarch ]; then
+ finddebug ${altarch} > build-${altarch}/debugfiles.list
+fi
diff --git a/shim-unsigned-x64.spec b/shim-unsigned-x64.spec
new file mode 100644
index 0000000..62b39fd
--- /dev/null
+++ b/shim-unsigned-x64.spec 
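Review bot: The first find loop in finddebug leaves the glob unquoted in `find usr/lib/debug/ -type f -iname *.efi.debug`, so if the build root's current directory ever contains a name matching that pattern the shell expands it before find sees it, and the `$(find …)` word-splitting breaks on any path containing whitespace; quote it as `-iname '*.efi.debug'` and, since the script runs under `set -e`, also quote `cd "${RPM_BUILD_ROOT}"` in findsource. The `if ! [ -e "${x}" ]; then break` guard in that same loop can effectively never fire for regular files find has just returned, so it is dead there and only meaningful in the later loop over the literal glob `usr/lib/debug/.build-id/*/*.debug`, where a non-matching pattern comes back unexpanded. Because this output becomes the `%files` list of the debuginfo subpackages, a silently truncated list is how debug artifacts drop out of the package instead of failing the build. The hunk header and the opening lines of this script are lost in the preceding binary patch for secureboot-ca-x86_64.cer, so this note covers only the visible part of the file.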
@@ -0,0 +1,260 @@
+%global pesign_vre 0.106-1
+%global gnuefi_vre 1:3.0.5-6
+%global openssl_vre 1.0.2j
+
+%global debug_package %{nil}
+%global __debug_package 1
+%global _binaries_in_noarch_packages_terminate_build 0
+%global __debug_install_post %{SOURCE100} x64 ia32
+%undefine _debuginfo_subpackages
+
+%global efidir %(eval echo $(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/'))
+%global shimrootdir %{_datadir}/shim/
+%global shimversiondir %{shimrootdir}/%{version}-%{release}
+%global efiarch x64
+%global shimdir %{shimversiondir}/%{efiarch}
+%global efialtarch ia32
+%global shimaltdir %{shimversiondir}/%{efialtarch}
+
+# currently here's what's in our dbx: nothing
+%global dbxfile %{nil}
+Name: shim-unsigned-%{efiarch}
+Version: 15.8
+Release: 1.el8.centos
+Summary: First-stage UEFI bootloader
+ExclusiveArch: x86_64
+License: BSD
+URL: https://github.com/rhboot/shim
+Source0: https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2
+Source1: secureboot-ca-x86_64.cer
+%if 0%{?dbxfile}
+Source2: %{dbxfile}
+%endif
+Source3: sbat.centos.csv
+Source4: shim.patches
+
+Source100: shim-find-debuginfo.sh
+
+%include %{SOURCE4}
+
+BuildRequires: gcc make
+BuildRequires: elfutils-libelf-devel
+BuildRequires: git openssl-devel openssl
+BuildRequires: pesign >= %{pesign_vre}
+BuildRequires: dos2unix findutils
+
+# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
+# compatible with SysV (there's no red zone under UEFI) and there isn't a
+# POSIX-style C library.
+# BuildRequires: OpenSSL
+Provides: bundled(openssl) = %{openssl_vre}
+
+%global desc \
+Initial UEFI bootloader that handles chaining to a trusted full \
+bootloader under secure boot environments.
+%global debug_desc \
+This package provides debug information for package %{expand:%%{name}} \
+Debug information is useful when developing applications that \
+use this package or when debugging this package. 
+
+%description
+%desc
+
+%package -n shim-unsigned-%{efialtarch}
+Summary: First-stage UEFI bootloader (unsigned data)
+Provides: bundled(openssl) = %{openssl_vre}
+
+%description -n shim-unsigned-%{efialtarch}
+%desc
+
+%package debuginfo
+Summary: Debug information for shim-unsigned-%{efiarch}
+Requires: %{name}-debugsource = %{version}-%{release}
+Group: Development/Debug
+AutoReqProv: 0
+BuildArch: noarch
+
+%description debuginfo
+%debug_desc
+
+%package -n shim-unsigned-%{efialtarch}-debuginfo
+Summary: Debug information for shim-unsigned-%{efialtarch}
+Group: Development/Debug
+Requires: %{name}-debugsource = %{version}-%{release}
+AutoReqProv: 0
+BuildArch: noarch
+
+%description -n shim-unsigned-%{efialtarch}-debuginfo
+%debug_desc
+
+%package debugsource
+Summary: Debug Source for shim-unsigned
+Group: Development/Debug
+AutoReqProv: 0
+BuildArch: noarch
+
+%description debugsource
+%debug_desc
+
+%prep
+%autosetup -S git_am -n shim-%{version}
+git config --unset user.email
+git config --unset user.name
+mkdir build-%{efiarch}
+mkdir build-%{efialtarch}
+cp %{SOURCE3} data/
+
+%build
+COMMITID=$(cat commit)
+MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
+MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
+MAKEFLAGS+="ENABLE_SHIM_HASH=true "
+MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 "
+MAKEFLAGS+="%{_smp_mflags}"
+if [ -f "%{SOURCE1}" ]; then
+ MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
+fi
+%if 0%{?dbxfile}
+if [ -f "%{SOURCE2}" ]; then
+ MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
+fi
+%endif
+
+cd build-%{efiarch}
+make ${MAKEFLAGS} \
+ DEFAULT_LOADER='\\\\grub%{efiarch}.efi' \
+ all
+cd ..
+
+cd build-%{efialtarch}
+setarch linux32 -B make ${MAKEFLAGS} ARCH=%{efialtarch} \
+ DEFAULT_LOADER='\\\\grub%{efialtarch}.efi' \
+ all
+cd ..
+
+%install
+COMMITID=$(cat commit)
+MAKEFLAGS="TOPDIR=.. 
-f ../Makefile COMMITID=${COMMITID} "
+MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
+MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true "
+MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 "
+if [ -f "%{SOURCE1}" ]; then
+ MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
+fi
+%if 0%{?dbxfile}
+if [ -f "%{SOURCE2}" ]; then
+ MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
+fi
+%endif
+
+cd build-%{efiarch}
+make ${MAKEFLAGS} \
+ DEFAULT_LOADER='\\\\grub%{efiarch}.efi' \
+ DESTDIR=${RPM_BUILD_ROOT} \
+ install-as-data install-debuginfo install-debugsource
+cd ..
+
+cd build-%{efialtarch}
+setarch linux32 make ${MAKEFLAGS} ARCH=%{efialtarch} \
+ DEFAULT_LOADER='\\\\grub%{efialtarch}.efi' \
+ DESTDIR=${RPM_BUILD_ROOT} \
+ install-as-data install-debuginfo install-debugsource
+cd ..
+
+%files
+%license COPYRIGHT
+%dir %{shimrootdir}
+%dir %{shimversiondir}
+%dir %{shimdir}
+%{shimdir}/*.CSV
+%{shimdir}/*.efi
+%{shimdir}/*.hash
+
+%files -n shim-unsigned-%{efialtarch}
+%license COPYRIGHT
+%dir %{shimrootdir}
+%dir %{shimversiondir}
+%dir %{shimaltdir}
+%{shimaltdir}/*.CSV
+%{shimaltdir}/*.efi
+%{shimaltdir}/*.hash
+
+%files debuginfo -f build-%{efiarch}/debugfiles.list
+
+%files -n shim-unsigned-%{efialtarch}-debuginfo -f build-%{efialtarch}/debugfiles.list
+
+%files debugsource -f build-%{efiarch}/debugsource.list
+
+%changelog
+* Thu Feb 08 2024 Brian Stinson - 15.8-1.el8.centos
+- Update to shim-15.8
+ Resolves: RHEL-4391
+
+* Wed Jun 01 2022 Peter Jones - 15.6-1.el8
+- Update to shim-15.6
+ Resolves: CVE-2022-28737
+
+* Thu Sep 17 2020 Peter Jones - 15-9.el8
+- Fix an incorrect allocation size.
+ Related: rhbz#1877253
+
+* Thu Jul 30 2020 Peter Jones - 15-8
+- Fix a load-address-dependent forever loop. 
+ Resolves: rhbz#1861977
+ Related: CVE-2020-10713
+ Related: CVE-2020-14308
+ Related: CVE-2020-14309
+ Related: CVE-2020-14310
+ Related: CVE-2020-14311
+ Related: CVE-2020-15705
+ Related: CVE-2020-15706
+ Related: CVE-2020-15707
+
+* Sat Jul 25 2020 Peter Jones - 15-7
+- Implement Lenny's workaround
+ Related: CVE-2020-10713
+ Related: CVE-2020-14308
+ Related: CVE-2020-14309
+ Related: CVE-2020-14310
+ Related: CVE-2020-14311
+
+* Fri Jul 24 2020 Peter Jones - 15-5
+- Once more with the MokListRT config table patch added.
+ Related: CVE-2020-10713
+ Related: CVE-2020-14308
+ Related: CVE-2020-14309
+ Related: CVE-2020-14310
+ Related: CVE-2020-14311
+
+* Thu Jul 23 2020 Peter Jones - 15-4
+- Rebuild for bug fixes and new signing keys
+ Related: CVE-2020-10713
+ Related: CVE-2020-14308
+ Related: CVE-2020-14309
+ Related: CVE-2020-14310
+ Related: CVE-2020-14311
+
+* Wed Jun 05 2019 Javier Martinez Canillas - 15-3
+- Make EFI variable copying fatal only on secureboot enabled systems
+ Resolves: rhbz#1715878
+- Fix booting shim from an EFI shell using a relative path
+ Resolves: rhbz#1717064
+
+* Tue Feb 12 2019 Peter Jones - 15-2
+- Fix MoK mirroring issue which breaks kdump without intervention
+ Related: rhbz#1668966
+
+* Fri Jul 20 2018 Peter Jones - 15-1
+- Update to shim 15
+
+* Tue Sep 19 2017 Peter Jones - 13-3
+- Actually update to the *real* 13 final.
+ Related: rhbz#1489604
+
+* Thu Aug 31 2017 Peter Jones - 13-2
+- Actually update to 13 final.
+
+* Fri Aug 18 2017 Peter Jones - 13-1
+- Make a new shim-unsigned-x64 package like the shim-unsigned-aarch64 one.
+- This will (eventually) supersede what's in the "shim" package so we can
+ make "shim" hold the signed one, which will confuse fewer people.
diff --git a/shim.patches b/shim.patches
new file mode 100644
index 0000000..e69de29
diff --git a/sources b/sources
new file mode 100644
index 0000000..5428b75
--- /dev/null
+++ b/sources 
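Review bot: The `%install` MAKEFLAGS add `ENABLE_HTTPBOOT=true`, which the `%build` MAKEFLAGS in the same spec do not, so that define is only handed to make after the objects have already been compiled; unless the install-as-data target recompiles (which I would not expect make to do for a changed variable alone), the shipped shimx64.efi is built without it and the spec overstates what the binary contains. Either add `MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true "` to %build as well or drop it from %install, so that whoever reviews the later signed artifact can reproduce it from the flags shown here. Separately, Source1 `secureboot-ca-x86_64.cer` is the trust anchor compiled in via `VENDOR_CERT_FILE`, yet nothing in the spec or README says what it is; a comment above `Source1:` recording the certificate subject and SHA-256 fingerprint (`openssl x509 -inform DER -in secureboot-ca-x86_64.cer -noout -subject -fingerprint -sha256`) would let a reviewer of the binary blob confirm which CA this shim will accept. The `if [ -f "%{SOURCE1}" ]` guard also means a missing certificate would quietly yield a shim with no vendor cert rather than an error; rpmbuild normally refuses to start without a listed Source, but an explicit `else exit 1` makes it clear the cert is mandatory, not optional like the dbx.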
@@ -0,0 +1 @@
+SHA512 (shim-15.8.tar.bz2) = 30b3390ae935121ea6fe728d8f59d37ded7b918ad81bea06e213464298b4bdabbca881b30817965bd397facc596db1ad0b8462a84c87896ce6c1204b19371cd1