From e285a368919b886c163faebc06115f3864fbd9cd Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Fri, 10 May 2024 16:15:25 +0300
Subject: [PATCH] Update to 15.8
---
 .gitignore | 2 +-
 .shim-unsigned-x64.metadata | 2 +-
 SOURCES/almalinux-sb-cert-1.der | Bin 0 -> 1787 bytes
 SOURCES/almalinux-sb-cert-2.der | Bin 0 -> 1792 bytes
 SOURCES/almalinux-sb-cert-3.der | Bin 0 -> 970 bytes
 SOURCES/clsecureboot001.cer | Bin 1561 -> 0 bytes
 SOURCES/dbx.esl | 0
 SOURCES/sbat.almalinux.csv | 1 +
 SOURCES/sbat.cloudlinux.csv | 1 -
 SOURCES/shim-find-debuginfo.sh | 33 ++++++--------
 SPECS/shim-unsigned-x64.spec | 75 ++++++++++++++++++++------------
 11 files changed, 63 insertions(+), 51 deletions(-)
 create mode 100644 SOURCES/almalinux-sb-cert-1.der
 create mode 100644 SOURCES/almalinux-sb-cert-2.der
 create mode 100644 SOURCES/almalinux-sb-cert-3.der
 delete mode 100644 SOURCES/clsecureboot001.cer
 create mode 100644 SOURCES/dbx.esl
 create mode 100644 SOURCES/sbat.almalinux.csv
 delete mode 100644 SOURCES/sbat.cloudlinux.csv
diff --git a/.gitignore b/.gitignore
index 6b84d7a..668482d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/shim-15.6.tar.bz2
+SOURCES/shim-15.8.tar.bz2
diff --git a/.shim-unsigned-x64.metadata b/.shim-unsigned-x64.metadata
index b5fa713..89e9ccb 100644
--- a/.shim-unsigned-x64.metadata
+++ b/.shim-unsigned-x64.metadata
@@ -1 +1 @@
-3df0ab5cefc74fdf865cb36aea0e923cb4b6b3ed SOURCES/shim-15.6.tar.bz2
+cdec924ca437a4509dcb178396996ddf92c11183 SOURCES/shim-15.8.tar.bz2
diff --git a/SOURCES/almalinux-sb-cert-1.der b/SOURCES/almalinux-sb-cert-1.der new file mode 100644 index 0000000000000000000000000000000000000000..6a4e99b9ed921c4af3db55a619260f1ab76110dc GIT binary patch literal 1787 zcmb7Edpy%?9NzEu+YQ4qp+X~z$hNhS)Qi`TME^-dksg&-Xq2Cz{bpoK?*v3Lr+#1l0EMjD_^(GTMD zB!UPL)n5=TknqD$I+(55K`6BGoxr#aQ34*7AqwMDg9H&mfiQx~@Sw6ns4M2o1LnrM zj*bAGgM!g7R1KZf5ID|pa&dAA1xdG2GSJgV;wS_sr+Fwqoly#ygx9gdLs&@Wya0v} z3LG4SP65Uf7hwvK$&cd3bH#kr3{2A~=u->>#eywd37;Auj^GLf30#RlB%EMPEi-l+ zkwox{5{U(2T$BpTN6nIqJ))wy{sLj#R%$>H)k_p74EruH#z6j)0c5b{#3zMt7(@o^ zW7O-~undMU6>I1J?%P(;)EDTd~@7#vAD%qZ-ufkhh?j~ zapii8FZ6l4l2j4>$6Kvd%=FCfQ#Hi8bqZPzauDLVg0k(jF6nNqtfiz|Wxur8bX2ad zdVcV5sacnCY_nO@_S&kodX}Gu=_h9qjw-&C&Q?YW8|~hwL@-lYMZxo*mT|n_rq!Dq zNO?Kr*Z&ajuCl*+CptA}bH}3+sZUn7lNIOqU@O10Y8v~wWKcZqMh{nDsrrHAqC?Fn zC5Od?^TaPN9vZwE>ENKiT9WIkzve%`+%Pg-+wtWhW?EoI?ykMo1m;;krtqoqrdY(Z z>AG~nTPIVAdtr9e$os^OcI}Pat4B7uw#bZr_Ev0CoO20G4yS!W8C%*eNtWAYpL#d* zedparl{a8zs7XrL79O+)cgO3rRq(Xe?bv+=_YavC&C0sI{5@^Isw>gKnC3h)7Af**$k{YWr>DKj@ce|HuYY$w-4X7busAnE?sO0 z%rpc&tP$2Q5p}pRNtx`QBY$$Hy}hi^EzC7xG%sfQ5Hy0tA}}ElkTi6P2EzaYC>lh= zl7Kdzs16YhM?esDptRPfdPAw7JRwLkg(U+Y4UdZT1n$5IPa2Kec@%;nJOpT9#`r7@ z85u`PBr&nB4i2&3%Ye=kMLRG8g8%`Ki%23t2=LQLO~*2UT1>u3z97|AGoqg0iKFNf zr^ZU-duM1WW2`Y49;^^`UC`BhARRwieNz#L243SBz!P*O|5I1;uO$Gbj#^URPsEFj znJ5J48Yh#m)_^Ae=Lv|2+!#zIQG$c)nJj+~w#N#V{a95^486KX5gC+(`LS(LuYLx& zmK=g#7W3C{btC1qgXHu|&hAt1mVpg9@qz7)LQjirTbE=%tB>VaJ{w|W+SRlqtM=qq z`BZ#(0JZP>i7X28yp;YFwn*+V^|hB(LiOc)PaARBXXK%~jS_tFjUyY$QX;*+r0V45 zkE=pT=tBm1C+#j}43w`s`%TdlzpX-LE<>U=F6|4*<{yn&V-xIkW##-D?u9_i{=os1 zQ~fq=HHqcUdPH1KbNZa$#kq3WF+jPXnVa;%`a)vjg(LknHdCYpovzocJ`VZSGQKX% z9VuvTNmoc+L-8N(4b3q2QAF;sQhj@I*nzv-=TicK8=0_FUZQQx>WuhjaYMX_P|t&zHv TseG#v;Fg#3=RT@0&At3@_pP4Z literal 0 HcmV?d00001 
diff --git a/SOURCES/almalinux-sb-cert-2.der b/SOURCES/almalinux-sb-cert-2.der new file mode 100644 index 0000000000000000000000000000000000000000..fad6c2c357de17fd29136a8d35fe9f379c257fed GIT binary patch literal 1792 zcma)6do)yA9Cpr}dBn`1na~4A=_SJ+8q%tmJ9%A?Fp@{f$jH=~na<1@D#a*Lx0Ie& z(u8#Bsf9`@R#c4Ctu86zsAg_wDuj&iC8D{cWHo4FEOr zL_>ff7&eMjgTTG)n1gR`F0qv5l@9(~4j3E&gBP0gAn9rsI zst!=7#9(2fK+ZM-bR8yB$zD>WTp^XPje((#(Wg@Qd|#9&#bj(}z|m0zsvS<*t&ql} z?jiU}j1c9ER!T&Ym8iEwA;jW^F(QFNi1N5-5FdXXfrTl}!2z)G$7Qwy+aVl>9KdF~ zj6jgu`fqn5ZYWf;hggbKM4D~=cViX_TJbP*r* zkSZlH0)+@~Vnm3@AagiQY`}INtszkVv&I}u)TtU$nE{w6LD$G4Y^6XVT01N`9+;90 zW|1HSQajJXx1LH_C=?4+0!;YL(-A)5Fl>g%_Afg^Y4Q1)!{8m^ErRp8{F!PY_ zks^_806cbaCBJoW&2z54tZw>V*)cSi6}tIl?+drYFiO90o zpKVv+=_QQd1Z8$4V%F7SouxwOy$eblxU*rXDN4!7o;1xSf3{`IHK&NL-eZ^2$3_PJ zuF86L*Sy-9SJHIN@R)bR(xT9Tf+Jq^`YGH4ei52fq@y?VLUuKU6sti}_clZaDmoB> zeHnGnox>98?fE`;2CepIW_yOk>^W`b=mV{;ZQtF!sp>DGRb6wmP0vjuD@TU4ki^|o zTcdI*a*OhB*Tz+sNAJ85UUfEE|JACq#|6Ck(hGhx|8Z$nDX$xSs?MmdSrmC>w1;%H z2CdDS-}hVXtRo$T5@`JXxD1#8=|Kf*=pa6k{lF3*z4;Wx449-aovOTt*tRcEuX6kP zYqiO%$^ozTm$77+*_Ku204-oO*MYj_&&Kb>OY@814@rlEpT3Bo+=%;>+A zH#kSRk#=B^=BT_oAxiu0GBP)Wpdkbyz~q!41B72@1T_rlIbN-ccoMIFp{jLZ(zy>N zZm6?<7Pfd8_pIHu@#Lg@?dmM|bpIB9XI9&` zsz<)G=l!RazsVB~z4gPr7DE%YjCbYebKcRy@Bl@NME z(OXk^Ub{0e*(_}RAgQq9{mX=Kf9nUX*;|?h-j*Dy>AkpbhizGTEQ=b@S32!oV&Rfo zZh8^Uw~A)OX|+PDi>&iM& zY5xbGgvpG^E2#xu&l=PAor>*q^0z2AFmUYgFaGp#A2IhBef`#Po`QR-+WOAi+AVGu zBcu9VD0chcgTFZN^PJB0GgC@w!7g=etyO70If0-17oh#os|r4NqGH#&vWYx08=eu? rEwa`2rNz466W0@)sn4cnJW7tq>sVCAXk?<;GR}k5S%ptY8!G+=Up%A8 literal 0 HcmV?d00001 
diff --git a/SOURCES/almalinux-sb-cert-3.der b/SOURCES/almalinux-sb-cert-3.der new file mode 100644 index 0000000000000000000000000000000000000000..d086cd53c500ca15c889ff2b32c5b6167e162cb5 GIT binary patch literal 970 zcmXqLVm@Zj#I$Y!GZP~dlOV(4Zs(9&d=69Em3g11sAkV^L6cZ~>O)f3UEU9!z%*jp6$;>OQ(917MH&if?V`C0w;Sv^i1d98B#1;I5 z72NVm^HLH^GV}8c6%FJ;Dwu^O5GsN}hNUVv<>!|uI6E51iSrtn7#JIx7#Nxw8X8B5 z^BN;_>Fk;&MkVCnU}R-rZerwTFlb`rVrpV!WY}_t7Ne;@l2>AiQadDHC2MrTVB zO(Lpfw^>Si%esGJa$bBkT4%~@SA&z4SLRpsX_nubYp1hTKIzu}WsAQ2p~ zvdSzH24W2&2m4H!6-7=Rf*=N89jCompM#ldvEWm`W}#J zxk}xi#o5);HktIgnC#)1`JOlE+oS{&KE=3)&u#8$74Y|m%cOL+Z;IVzN<(T-->Cg@tAgaZeR7U zoO6kLraH9v^FEAbn0rzC{=8|?{>9&=0(}ZDUbr5qpi+Ngkv!MxEhXG;4@Gr@<_V~8 hz1^Yl@Bi1C6W7#=r%k@Xm3H;jpD6o4&JuOO^8kV}d_DjG literal 0 HcmV?d00001 diff --git a/SOURCES/clsecureboot001.cer b/SOURCES/clsecureboot001.cer deleted file mode 100644 index ca9ce5d92a13320a2995ed90f173ea719a132d8f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1561 zcmZ`(Yfuwc6wXbS1jzzo5X>OBh=_zHxtj+9!bnI+p+=zweAJF{O%_-i65K3=V6`P` zg!+Oiw$+NM3{cvRbwp7M9c2G4W9CPDY!P9nY%kz?r;WtSRH=h8 zU|e*l3WsV{DvoP4TGbnDs9{5GAcS5Z!6h(4C{7Uq1bAm>@_|6YFE-;+7(G78M}rNd zop2L0iATV2PECX)*l5Dk>U3O<$HA#wY63bL*TU2^EXQ6+VmX8d(^It7PU5jJhO385 zA`5A%ieN~rfG#CiV@9QqDqzb&l8`jD9Hy((P@^7aCo5+n4C4+6Mny(D>xqpR~zVhEx6umhZ5RVFal3r5M(h>Ej0sf_MTi2%d}hSB1Z;Kcx_Vo?>QeGcGz_P@TPE#k$jU}t{ z=C4WMHPazOp*1PT3fm+ruI6lS_~q`^8L{y-bu+Gf%@__g=3FU^|HN|Z8E=KQmHrw0 zI*CrQY%Us>cb>W=8$P+bYgw+q?~#eYnR*Y9;aJhXnxTwk!v=F7YKwQfz8bV zV01@f!?{5q0>0>7n9VhhK+@rCzjllgEbu48Bs8(uEH~tubc=NhbLDzdL9qcd0ymIeCpOTfNz>=FRp+_ZMjPwTEfKR;4GdG@D`O}rr^ zO(!d6#<-~YhKw(p3S9X|dM{X}bRc;161eWzPCUA!^tNx{O73;zPg)%xE6 diff --git a/SOURCES/dbx.esl b/SOURCES/dbx.esl new file mode 100644 index 0000000..e69de29 diff --git a/SOURCES/sbat.almalinux.csv b/SOURCES/sbat.almalinux.csv new file mode 100644 index 0000000..f2496f1 --- /dev/null +++ b/SOURCES/sbat.almalinux.csv 
@@ -0,0 +1 @@ +shim.almalinux,3,AlmaLinux,shim,15.8,security@almalinux.org diff --git a/SOURCES/sbat.cloudlinux.csv b/SOURCES/sbat.cloudlinux.csv deleted file mode 100644 index 606757e..0000000 --- a/SOURCES/sbat.cloudlinux.csv +++ /dev/null @@ -1 +0,0 @@ -shim.cloudlinux,2,CloudLinux,shim,15.6,security@cloudlinux.com diff --git a/SOURCES/shim-find-debuginfo.sh b/SOURCES/shim-find-debuginfo.sh index d656fc9..7e882ff 100755 --- a/SOURCES/shim-find-debuginfo.sh +++ b/SOURCES/shim-find-debuginfo.sh @@ -20,9 +20,9 @@ fi findsource() { ( - cd "${RPM_BUILD_ROOT}" - find usr/src/debug/ -type d | sed -e "s,^,%dir /," | sort -u | tac - find usr/src/debug/ -type f | sed -e "s,^,/," | sort -u | tac + cd ${RPM_BUILD_ROOT} + find usr/src/debug/ -type d | sed "s,^,%dir /," + find usr/src/debug/ -type f | sed "s,^,/," ) } @@ -32,12 +32,9 @@ finddebug() declare -a dirs=() declare -a files=() declare -a excludes=() - declare -a tmp=() - pushd "${RPM_BUILD_ROOT}" >/dev/null 2>&1 - - mapfile -t tmp < <(find usr/lib/debug/ -type f -iname "*.efi.debug") - for x in "${tmp[@]}" ; do + pushd ${RPM_BUILD_ROOT} >/dev/null 2>&1 + for x in $(find usr/lib/debug/ -type f -iname *.efi.debug); do if ! [ -e "${x}" ]; then break fi @@ -60,10 +57,8 @@ finddebug() excludes[${#excludes[@]}]=${x%%.debug} fi done - for x in "${files[@]}" ; do - declare name - - name=$(dirname "/${x}") + for x in ${files[@]} ; do + declare name=$(dirname /${x}) while [ "${name}" != "/" ]; do case "${name}" in "/usr/lib/debug"|"/usr/lib"|"/usr") 
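Review bot: The new side of the `@@ -20,9 +20,9 @@` hunk in shim-find-debuginfo.sh removes the quoting around `${RPM_BUILD_ROOT}` and drops the `| sort -u | tac` stages, so a build root containing whitespace breaks the `cd` and the debugsource list loses the sorting and de-duplication the removed lines provided; keep `cd "${RPM_BUILD_ROOT}"` and the `| sort -u | tac` tail on both `find` pipelines. The same unquoting recurs in the `@@ -32,12 +32,9 @@` hunk, where `for x in $(find usr/lib/debug/ -type f -iname *.efi.debug)` word-splits the results and leaves `*.efi.debug` exposed to pathname expansion in the current directory, whereas the replaced `mapfile -t tmp < <(find ... -iname "*.efi.debug")` form was safe; in the `@@ -60,10 +57,8 @@` hunk, where `declare name=$(dirname /${x})` both masks dirname's exit status and word-splits `${x}`; and in the `@@ -72,24 +67,24 @@` hunk on the next line, whose `for x in ${dirs[@]}` / `${files[@]}` / `${excludes[@]}` loops and unquoted `build-${mainarch}/...` redirections should remain the quoted `"${dirs[@]}"` forms. Reverting the quoting regressions while keeping the rest of the update would be the minimal fix; ShellCheck (SC2086, SC2068, SC2046, SC2155) flags every one of these lines. finddebug's body continues outside each of these hunks.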
@@ -72,24 +67,24 @@ finddebug() dirs[${#dirs[@]}]=${name} ;; esac - name=$(dirname "${name}") + name=$(dirname ${name}) done done popd >/dev/null 2>&1 - for x in "${dirs[@]}" ; do + for x in ${dirs[@]} ; do echo "%dir ${x}" done | sort | uniq - for x in "${files[@]}" ; do + for x in ${files[@]} ; do echo "/${x}" done | sort | uniq - for x in "${excludes[@]}" ; do + for x in ${excludes[@]} ; do echo "%exclude /${x}" done } -findsource > "build-${mainarch}/debugsource.list" -finddebug "${mainarch}" > "build-${mainarch}/debugfiles.list" +findsource > build-${mainarch}/debugsource.list +finddebug ${mainarch} > build-${mainarch}/debugfiles.list if [ -v altarch ]; then - finddebug "${altarch}" > "build-${altarch}/debugfiles.list" + finddebug ${altarch} > build-${altarch}/debugfiles.list fi diff --git a/SPECS/shim-unsigned-x64.spec b/SPECS/shim-unsigned-x64.spec index feb75a3..863475d 100644 --- a/SPECS/shim-unsigned-x64.spec +++ b/SPECS/shim-unsigned-x64.spec @@ -15,26 +15,26 @@ %global __debug_install_post %{SOURCE100} %{efiarch} %{efialtarch} %undefine _debuginfo_subpackages -# currently here's what's in our dbx: nothing -%global dbxfile %{nil} - Name: shim-unsigned-%{efiarch} -Version: 15.6 -Release: 1.el9.alma +Version: 15.8 +Release: 2.el9.alma.1 Summary: First-stage UEFI bootloader ExclusiveArch: x86_64 License: BSD URL: https://github.com/rhboot/shim Source0: https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2 -Source1: clsecureboot001.cer -%if 0%{?dbxfile} -Source2: %{dbxfile} -%endif -Source3: sbat.cloudlinux.csv +# currently here's what's in our dbx: +# nothing. +Source2: dbx.esl +Source3: sbat.almalinux.csv Source4: shim.patches Source100: shim-find-debuginfo.sh +Source101: almalinux-sb-cert-1.der +Source102: almalinux-sb-cert-2.der +Source103: almalinux-sb-cert-3.der + %include %{SOURCE4} BuildRequires: gcc make 
@@ -103,19 +103,27 @@ mkdir build-%{efialtarch} cp %{SOURCE3} data/ %build -COMMITID=$(cat commit) -MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} " +# Prepare vendor_db.esl file +openssl x509 -inform DER -in %{SOURCE101} -out 01.pem +openssl x509 -inform DER -in %{SOURCE102} -out 02.pem +openssl x509 -inform DER -in %{SOURCE103} -out 03.pem +cert-to-efi-sig-list -g 9DD8A2AC-0977-4AEF-99A0-E794FD2A31FE 01.pem 01.esl +cert-to-efi-sig-list -g 33D81FE3-5EC0-44F8-AB02-C9DA554F63D8 02.pem 02.esl +cert-to-efi-sig-list -g 50413300-1AC7-49DA-B755-BB0D93E634B6 03.pem 03.esl +cat 01.esl 02.esl 03.esl > vendor_db.esl + +COMMIT_ID=5914984a1ffeab841f482c791426d7ca9935a5e6 +MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMIT_ID=${COMMIT_ID} " MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} " MAKEFLAGS+="ENABLE_SHIM_HASH=true " +MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 " MAKEFLAGS+="%{_smp_mflags}" -if [ -f "%{SOURCE1}" ]; then - MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}" +if [ -s vendor_db.esl ]; then + MAKEFLAGS="$MAKEFLAGS VENDOR_DB_FILE=../vendor_db.esl" fi -%if 0%{?dbxfile} -if [ -f "%{SOURCE2}" ]; then +if [ -s "%{SOURCE2}" ]; then MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}" fi -%endif cd build-%{efiarch} make ${MAKEFLAGS} \ 
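Review bot: The `if [ -s vendor_db.esl ]` guard added right after the unconditional `openssl`/`cert-to-efi-sig-list`/`cat` steps makes the vendor DB optional: should `vendor_db.esl` end up empty, `VENDOR_DB_FILE` is silently omitted and the build still succeeds, yielding a shim that embeds none of the three AlmaLinux certificates. Since Source101–103 are always present, that case should fail the build, e.g. replace the conditional with `[ -s vendor_db.esl ] || { echo "vendor_db.esl is empty" >&2; exit 1; }` followed by the unconditional `MAKEFLAGS="$MAKEFLAGS VENDOR_DB_FILE=../vendor_db.esl"`. The same guard, the hard-coded `COMMIT_ID=5914984a1ffeab841f482c791426d7ca9935a5e6` and the MAKEFLAGS assembly are duplicated verbatim in the `%install` hunk on the next line; a `%global shim_commit ...` and a shared `%global shim_makeflags ...` would keep the two sections from drifting. The `openssl` and `cert-to-efi-sig-list` (efitools) calls also need matching `BuildRequires` unless those are declared outside the visible hunks — the only BuildRequires line in view is `gcc make`.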
@@ -124,18 +132,17 @@ make ${MAKEFLAGS} \ cd .. %install -COMMITID=$(cat commit) -MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} " +COMMIT_ID=5914984a1ffeab841f482c791426d7ca9935a5e6 +MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMIT_ID=${COMMIT_ID} " MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} " MAKEFLAGS+="ENABLE_SHIM_HASH=true " -if [ -f "%{SOURCE1}" ]; then - MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}" +MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 " +if [ -s vendor_db.esl ]; then + MAKEFLAGS="$MAKEFLAGS VENDOR_DB_FILE=../vendor_db.esl" fi -%if 0%{?dbxfile} -if [ -f "%{SOURCE2}" ]; then +if [ -s "%{SOURCE2}" ]; then MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}" fi -%endif cd build-%{efiarch} make ${MAKEFLAGS} \ @@ -149,21 +156,31 @@ cd .. %dir %{shimrootdir} %dir %{shimversiondir} %dir %{shimdir} +%{shimdir}/*.CSV %{shimdir}/*.efi %{shimdir}/*.hash -%{shimdir}/*.CSV %files debuginfo -f build-%{efiarch}/debugfiles.list %files debugsource -f build-%{efiarch}/debugsource.list %changelog -* Fri Jun 17 2022 Eduard Abdullin - 15.6-1.el9.alma -- Use CloudLinux vendor cert and SBAT entry +* Tue Mar 26 2024 Eduard Abdullin - 15.8-2.el9.alma.1 +- Update to shim-15.8 + +* Wed Feb 07 2024 Peter Jones - 15.8-2.el9 +- Rebuild to fix the commit ident and MAKEFLAGS + Resolves: RHEL-11262 + +* Tue Jan 23 2024 Peter Jones - 15.8-1.el9 +- Update to shim-15.8 for CVE-2023-40547 + Resolves: RHEL-11262 * Wed Jun 01 2022 Peter Jones - 15.6-1.el9 -- Update to shim-15.6 - Resolves: CVE-2022-28737 +- Update to shim-15.6 for CVE-2022-28737 + +* Tue May 24 2022 Peter Jones - 15.6~rc1-1.el9 +- Update to shim-15.6~rc1 for CVE-2022-28737 * Wed Mar 09 2022 Peter Jones - 15.5-1 - Update to shim-15.5