- Use AlmaLinux cert and SBAT entry

AlmaLinux chages
import shim-unsigned-x64-15.6-1.el9
2023-03-09 10:39:54 +03:00 · 2022-06-17 16:15:44 +03:00 · 2022-06-17 16:01:35 +03:00 · 2022-06-17 16:01:33 +03:00 · 2021-09-15 11:46:22 +00:00
9 changed files with 39 additions and 78 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/shim-15.4.tar.bz2
+SOURCES/shim-15.6.tar.bz2
--- a/.shim-unsigned-x64.metadata
+++ b/.shim-unsigned-x64.metadata
@ -1 +1 @@
-d70485792a300bfa66f551adf7ae766451dfe7c0 SOURCES/shim-15.4.tar.bz2
+3df0ab5cefc74fdf865cb36aea0e923cb4b6b3ed SOURCES/shim-15.6.tar.bz2
--- a/SOURCES/0001-Fix-a-broken-file-header-on-ia32.patch
+++ b/SOURCES/0001-Fix-a-broken-file-header-on-ia32.patch
@ -1,32 +0,0 @@
-From 1bea91ba72165d97c3b453cf769cb4bc5c07207a Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Wed, 31 Mar 2021 14:54:52 -0400
-Subject: [PATCH] Fix a broken file header on ia32
-
-Commit c6281c6a195edee61185 needs to have included a ". = ALIGN(4096)"
-directive before .reloc, but fails to do so.
-
-As a result, binutils, which does not care about the actual binary
-format's constraints in any way, does not enforce the section alignment,
-and it will not load.
-
-Signed-off-by: Peter Jones <pjones@redhat.com>
---
- elf_ia32_efi.lds | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/elf_ia32_efi.lds b/elf_ia32_efi.lds
-index 742e0a47a73..497a3a15265 100644
--- a/elf_ia32_efi.lds
-+++ b/elf_ia32_efi.lds
-@@ -15,6 +15,7 @@ SECTIONS
-    *(.gnu.linkonce.t.*)
-    _etext = .;
-   }
-+  . = ALIGN(4096);
-   .reloc :
-   {
-    *(.reloc)
-- 
-2.30.2
-
--- a/SOURCES/redhatsecurebootca5.cer
+++ b/SOURCES/redhatsecurebootca5.cer
--- a/SOURCES/sbat.almalinux.csv
+++ b/SOURCES/sbat.almalinux.csv
@ -0,0 +1 @@
+shim.almalinux,2,AlmaLinux,shim,15.6,security@almalinux.org
--- a/SOURCES/sbat.redhat.csv
+++ b/SOURCES/sbat.redhat.csv
@ -1 +0,0 @@
-shim.redhat,1,Red Hat,shim,15.4-4,secalert@redhat.com
--- a/SOURCES/shim.patches
+++ b/SOURCES/shim.patches
--- a/SOURCES/vendor_db.esl
+++ b/SOURCES/vendor_db.esl
--- a/SPECS/shim-unsigned-x64.spec
+++ b/SPECS/shim-unsigned-x64.spec
@ -1,7 +1,7 @@
 %global pesign_vre 0.106-1
 %global openssl_vre 1.0.2j

-%global efidir %(eval echo $(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/'))
+%global efidir almalinux
 %global shimrootdir %{_datadir}/shim/
 %global shimversiondir %{shimrootdir}/%{version}-%{release}
 %global efiarch x64
@ -19,22 +19,23 @@
 %global dbxfile %{nil}

 Name:		shim-unsigned-%{efiarch}
-Version:	15.4
-Release:	4%{?dist}
+Version:	15.6
+Release:	1.el9.alma.1
 Summary:	First-stage UEFI bootloader
 ExclusiveArch:	x86_64
 License:	BSD
 URL:		https://github.com/rhboot/shim
 Source0:	https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2
-Source1:	redhatsecurebootca5.cer
+Source1:	vendor_db.esl
 %if 0%{?dbxfile}
 Source2:	%{dbxfile}
 %endif
-Source3:	sbat.redhat.csv
+Source3:	sbat.almalinux.csv
+Source4:	shim.patches

 Source100:	shim-find-debuginfo.sh

-Patch0001:	0001-Fix-a-broken-file-header-on-ia32.patch
+%include %{SOURCE4}

 BuildRequires:	gcc make
 BuildRequires:	elfutils-libelf-devel
@ -94,7 +95,7 @@ BuildArch:	noarch
 %debug_desc

 %prep
-%autosetup -S git -n shim-%{version}
+%autosetup -S git_am -n shim-%{version}
 git config --unset user.email
 git config --unset user.name
 mkdir build-%{efiarch}
@ -108,7 +109,7 @@ MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
 MAKEFLAGS+="ENABLE_SHIM_HASH=true "
 MAKEFLAGS+="%{_smp_mflags}"
 if [ -f "%{SOURCE1}" ]; then
-	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
+	MAKEFLAGS="$MAKEFLAGS VENDOR_DB_FILE=%{SOURCE1}"
 fi
 %if 0%{?dbxfile}
 if [ -f "%{SOURCE2}" ]; then
@ -122,20 +123,13 @@ make ${MAKEFLAGS} \
 	all
 cd ..

-cd build-%{efialtarch}
-setarch linux32 -B make ${MAKEFLAGS} \
-	ARCH=%{efialtarch} \
-	DEFAULT_LOADER='\\\\grub%{efialtarch}.efi' \
-	all
-cd ..
-
 %install
 COMMITID=$(cat commit)
 MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
 MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
 MAKEFLAGS+="ENABLE_SHIM_HASH=true "
 if [ -f "%{SOURCE1}" ]; then
-	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
+	MAKEFLAGS="$MAKEFLAGS VENDOR_DB_FILE=%{SOURCE1}"
 fi
 %if 0%{?dbxfile}
 if [ -f "%{SOURCE2}" ]; then
@ -150,14 +144,6 @@ make ${MAKEFLAGS} \
 	install-as-data install-debuginfo install-debugsource
 cd ..

-cd build-%{efialtarch}
-setarch linux32 make ${MAKEFLAGS} \
-	ARCH=%{efialtarch} \
-	DEFAULT_LOADER='\\\\grub%{efialtarch}.efi' \
-	DESTDIR=${RPM_BUILD_ROOT} \
-	install-as-data install-debuginfo install-debugsource
-cd ..
-
 %files
 %license COPYRIGHT
 %dir %{shimrootdir}
@ -167,22 +153,22 @@ cd ..
 %{shimdir}/*.hash
 %{shimdir}/*.CSV

-%files -n shim-unsigned-%{efialtarch}
-%license COPYRIGHT
-%dir %{shimrootdir}
-%dir %{shimversiondir}
-%dir %{shimaltdir}
-%{shimaltdir}/*.efi
-%{shimaltdir}/*.hash
-%{shimaltdir}/*.CSV
-
 %files debuginfo -f build-%{efiarch}/debugfiles.list

-%files -n shim-unsigned-%{efialtarch}-debuginfo -f build-%{efialtarch}/debugfiles.list
-
 %files debugsource -f build-%{efiarch}/debugsource.list

 %changelog
+* Thu Mar 09 2023 Eduard Abdullin <eabdullin@almalinux.org> - 15.6-1.el9.alma.1
+- Use AlmaLinux vendor cert and SBAT entry
+
+* Wed Jun 01 2022 Peter Jones <pjones@redhat.com> - 15.6-1.el9
+- Update to shim-15.6
+  Resolves: CVE-2022-28737
+
+* Wed Mar 09 2022 Peter Jones <pjones@redhat.com> - 15.5-1
+- Update to shim-15.5
+  Related: rhbz#1932057
+
 * Thu Apr 01 2021 Peter Jones <pjones@redhat.com> - 15.4-4
 - Fix the sbat data to actually match /this/ product.
  Resolves: CVE-2020-14372
@ -251,17 +237,24 @@ cd ..
 - Fix MoK mirroring issue which breaks kdump without intervention
  Related: rhbz#1668966

-* Fri Jul 20 2018 Peter Jones <pjones@redhat.com> - 15-1
+* Thu Apr 05 2018 Peter Jones <pjones@redhat.com> - 15-1
 - Update to shim 15
+- better checking for bad linker output
+- flicker-free console if there's no error output
+- improved http boot support
+- better protocol re-installation
+- dhcp proxy support
+- tpm measurement even when verification is disabled
+- REQUIRE_TPM build flag
+- more reproducable builds
+- measurement of everything verified through shim_verify()
+- coverity and scan-build checker make targets
+- misc cleanups

-* Tue Sep 19 2017 Peter Jones <pjones@redhat.com> - 13-3
- Actually update to the *real* 13 final.
-  Related: rhbz#1489604
+* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 13-0.2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild

-* Thu Aug 31 2017 Peter Jones <pjones@redhat.com> - 13-2
- Actually update to 13 final.
-
-* Fri Aug 18 2017 Peter Jones <pjones@redhat.com> - 13-1
+* Fri Aug 18 2017 Peter Jones <pjones@redhat.com> - 13-0.1
 - Make a new shim-unsigned-x64 package like the shim-unsigned-aarch64 one.
 - This will (eventually) supersede what's in the "shim" package so we can
  make "shim" hold the signed one, which will confuse fewer people.
Author	SHA1	Message	Date
eabdullin	59e5bf0158	- Use AlmaLinux cert and SBAT entry	2023-03-09 10:39:54 +03:00
eabdullin	7b7c17dc74	AlmaLinux chages	2022-06-17 16:15:44 +03:00
CentOS Sources	8e51097acc	import shim-unsigned-x64-15.6-1.el9	2022-06-17 16:01:35 +03:00
CentOS Sources	8e678969ab	import shim-unsigned-x64-15.5-1.el9	2022-06-17 16:01:33 +03:00
Andrew Lukoshko	7d184fed57	AlmaLinux changes	2021-09-15 11:46:22 +00:00
				`@ -0,0 +1 @@`
				`shim.almalinux,2,AlmaLinux,shim,15.6,security@almalinux.org`
				`@ -1 +0,0 @@`
				`shim.redhat,1,Red Hat,shim,15.4-4,secalert@redhat.com`