Compare commits


5 Commits

Author           SHA1        Message                              Date
                 59e5bf0158  - Use AlmaLinux cert and SBAT entry  2023-03-09 10:39:54 +03:00
                 7b7c17dc74  AlmaLinux changes                    2022-06-17 16:15:44 +03:00
CentOS Sources   8e51097acc  import shim-unsigned-x64-15.6-1.el9  2022-06-17 16:01:35 +03:00
CentOS Sources   8e678969ab  import shim-unsigned-x64-15.5-1.el9  2022-06-17 16:01:33 +03:00
                 7d184fed57  AlmaLinux changes                    2021-09-15 11:46:22 +00:00
9 changed files with 39 additions and 78 deletions

.gitignore

@ -1 +1 @@
SOURCES/shim-15.4.tar.bz2 SOURCES/shim-15.6.tar.bz2


@ -1 +1 @@
d70485792a300bfa66f551adf7ae766451dfe7c0 SOURCES/shim-15.4.tar.bz2 3df0ab5cefc74fdf865cb36aea0e923cb4b6b3ed SOURCES/shim-15.6.tar.bz2
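Review bot: the SHA1 on the new line only lets the lookaside fetch check that it received the uploaded shim-15.6.tar.bz2; nothing in this diff ties that tarball to the upstream rhboot/shim 15.6 release that the Source0 URL in the spec points at. Before accepting, compare the cached tarball against the upstream 15.6 tag, since a stale or mis-uploaded archive would pass this one-line change unnoticed and end up in a first-stage bootloader.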


@ -1,32 +0,0 @@
From 1bea91ba72165d97c3b453cf769cb4bc5c07207a Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 31 Mar 2021 14:54:52 -0400
Subject: [PATCH] Fix a broken file header on ia32
Commit c6281c6a195edee61185 needs to have included a ". = ALIGN(4096)"
directive before .reloc, but fails to do so.
As a result, binutils, which does not care about the actual binary
format's constraints in any way, does not enforce the section alignment,
and it will not load.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
elf_ia32_efi.lds | 1 +
1 file changed, 1 insertion(+)
diff --git a/elf_ia32_efi.lds b/elf_ia32_efi.lds
index 742e0a47a73..497a3a15265 100644
--- a/elf_ia32_efi.lds
+++ b/elf_ia32_efi.lds
@@ -15,6 +15,7 @@ SECTIONS
*(.gnu.linkonce.t.*)
_etext = .;
}
+ . = ALIGN(4096);
.reloc :
{
*(.reloc)
--
2.30.2
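Review bot: 0001-Fix-a-broken-file-header-on-ia32.patch is deleted without a replacement and without a reason in the commit message. The ia32 (%{efialtarch}) build and install steps are removed elsewhere in this diff, so the patch no longer has a target, but the commit should say so explicitly (and whether the fix is already in the 15.6 tarball) so nobody re-adds it later against a build that no longer exists.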

Binary file not shown.


@ -0,0 +1 @@
shim.almalinux,2,AlmaLinux,shim,15.6,security@almalinux.org
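Review bot: the component_generation for the brand-new shim.almalinux component starts at 2, while the shim.redhat line it replaces (deleted below) was at generation 1. SBAT revocation compares generations per component name, so a new vendor component would normally begin at 1; if 2 is meant to mirror the upstream shim generation bump that came with 15.6, say so in the commit. Also note the vendor_version field is the bare upstream version (15.6) where the Red Hat line carried the package release (15.4-4); either is workable, but pick one deliberately so later SBAT bumps stay consistent.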


@ -1 +0,0 @@
shim.redhat,1,Red Hat,shim,15.4-4,secalert@redhat.com

SOURCES/shim.patches (new file, empty)

SOURCES/vendor_db.esl (new binary file)

Binary file not shown.


@ -1,7 +1,7 @@
%global pesign_vre 0.106-1 %global pesign_vre 0.106-1
%global openssl_vre 1.0.2j %global openssl_vre 1.0.2j
%global efidir %(eval echo $(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/')) %global efidir almalinux
%global shimrootdir %{_datadir}/shim/ %global shimrootdir %{_datadir}/shim/
%global shimversiondir %{shimrootdir}/%{version}-%{release} %global shimversiondir %{shimrootdir}/%{version}-%{release}
%global efiarch x64 %global efiarch x64
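Review bot: hardcoding `%global efidir almalinux` closes a real reproducibility hole: the old `%(eval ... /etc/os-release ...)` read the ID of the build host, so a build in a chroot that identified itself differently would silently produce a shim with the wrong EFIDIR (it is passed as `EFIDIR=%{efidir}` to make in the %build and %install hunks below, and decides which vendor directory under /EFI the loader is expected in). Keep the literal; just confirm it matches the directory the signed shim and grub packaging install into.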
@ -19,22 +19,23 @@
%global dbxfile %{nil} %global dbxfile %{nil}
Name: shim-unsigned-%{efiarch} Name: shim-unsigned-%{efiarch}
Version: 15.4 Version: 15.6
Release: 4%{?dist} Release: 1.el9.alma.1
Summary: First-stage UEFI bootloader Summary: First-stage UEFI bootloader
ExclusiveArch: x86_64 ExclusiveArch: x86_64
License: BSD License: BSD
URL: https://github.com/rhboot/shim URL: https://github.com/rhboot/shim
Source0: https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2 Source0: https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2
Source1: redhatsecurebootca5.cer Source1: vendor_db.esl
%if 0%{?dbxfile} %if 0%{?dbxfile}
Source2: %{dbxfile} Source2: %{dbxfile}
%endif %endif
Source3: sbat.redhat.csv Source3: sbat.almalinux.csv
Source4: shim.patches
Source100: shim-find-debuginfo.sh Source100: shim-find-debuginfo.sh
Patch0001: 0001-Fix-a-broken-file-header-on-ia32.patch %include %{SOURCE4}
BuildRequires: gcc make BuildRequires: gcc make
BuildRequires: elfutils-libelf-devel BuildRequires: elfutils-libelf-devel
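Review bot: `Release: 1.el9.alma.1` drops `%{?dist}`, so the package no longer follows the build target's dist tag; `1%{?dist}.alma.1` keeps the previous convention (`4%{?dist}`) and still carries the alma suffix. The more significant change in this hunk is Source1 moving from a single DER certificate (redhatsecurebootca5.cer) to vendor_db.esl, an EFI signature list that can hold several certificates and hashes; that widens what the built shim trusts, and since the binary is not shown the commit message should state what the list contains. The `%include %{SOURCE4}` of the new, currently empty shim.patches is fine as written since Source4 is declared before the include.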
@ -94,7 +95,7 @@ BuildArch: noarch
%debug_desc %debug_desc
%prep %prep
%autosetup -S git -n shim-%{version} %autosetup -S git_am -n shim-%{version}
git config --unset user.email git config --unset user.email
git config --unset user.name git config --unset user.name
mkdir build-%{efiarch} mkdir build-%{efiarch}
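Review bot: `-S git_am` applies each entry of shim.patches with `git am`, which requires the From:/Date:/Subject: headers that `git format-patch` produces; the list is empty today, so this cannot break now, but any patch added later must be in that format, whereas the previous `-S git` accepted a plain diff. The unchanged `git config --unset user.email` and `user.name` lines still run after autosetup, which is correct for git_am since author identity then comes from the patch itself.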
@ -108,7 +109,7 @@ MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
MAKEFLAGS+="ENABLE_SHIM_HASH=true " MAKEFLAGS+="ENABLE_SHIM_HASH=true "
MAKEFLAGS+="%{_smp_mflags}" MAKEFLAGS+="%{_smp_mflags}"
if [ -f "%{SOURCE1}" ]; then if [ -f "%{SOURCE1}" ]; then
MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}" MAKEFLAGS="$MAKEFLAGS VENDOR_DB_FILE=%{SOURCE1}"
fi fi
%if 0%{?dbxfile} %if 0%{?dbxfile}
if [ -f "%{SOURCE2}" ]; then if [ -f "%{SOURCE2}" ]; then
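Review bot: the `if [ -f "%{SOURCE1}" ]` guard means a missing vendor_db.esl yields a shim with no vendor database at all rather than a failed build. Source1 is always packed into the SRPM, so this is latent rather than live, but for the file that decides what the first-stage loader trusts an unconditional `MAKEFLAGS="$MAKEFLAGS VENDOR_DB_FILE=%{SOURCE1}"` (or an `else exit 1`) is the safer shape. Separately, VENDOR_DB_FILE differs from the old VENDOR_CERT_FILE in that shim trusts every certificate or hash entry in the ESL, so the list should be dumped (for example with efitools' `sig-list-to-certs`) and the contents recorded in the review before approval, as the binary does not appear in this diff.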
@ -122,20 +123,13 @@ make ${MAKEFLAGS} \
all all
cd .. cd ..
cd build-%{efialtarch}
setarch linux32 -B make ${MAKEFLAGS} \
ARCH=%{efialtarch} \
DEFAULT_LOADER='\\\\grub%{efialtarch}.efi' \
all
cd ..
%install %install
COMMITID=$(cat commit) COMMITID=$(cat commit)
MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} " MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} " MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
MAKEFLAGS+="ENABLE_SHIM_HASH=true " MAKEFLAGS+="ENABLE_SHIM_HASH=true "
if [ -f "%{SOURCE1}" ]; then if [ -f "%{SOURCE1}" ]; then
MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}" MAKEFLAGS="$MAKEFLAGS VENDOR_DB_FILE=%{SOURCE1}"
fi fi
%if 0%{?dbxfile} %if 0%{?dbxfile}
if [ -f "%{SOURCE2}" ]; then if [ -f "%{SOURCE2}" ]; then
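Review bot: the %install block rebuilds MAKEFLAGS with the same `VENDOR_DB_FILE=%{SOURCE1}` guard as %build, so whatever is done about that guard in %build must be mirrored here, or the two make invocations see different flags and install may re-link with a different trust list than was built. Removing the `build-%{efialtarch}` block drops the ia32 build entirely; the matching `%package -n shim-unsigned-%{efialtarch}` definition is outside the shown hunks and should be confirmed gone so the spec does not keep declaring a subpackage it never produces.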
@ -150,14 +144,6 @@ make ${MAKEFLAGS} \
install-as-data install-debuginfo install-debugsource install-as-data install-debuginfo install-debugsource
cd .. cd ..
cd build-%{efialtarch}
setarch linux32 make ${MAKEFLAGS} \
ARCH=%{efialtarch} \
DEFAULT_LOADER='\\\\grub%{efialtarch}.efi' \
DESTDIR=${RPM_BUILD_ROOT} \
install-as-data install-debuginfo install-debugsource
cd ..
%files %files
%license COPYRIGHT %license COPYRIGHT
%dir %{shimrootdir} %dir %{shimrootdir}
@ -167,22 +153,22 @@ cd ..
%{shimdir}/*.hash %{shimdir}/*.hash
%{shimdir}/*.CSV %{shimdir}/*.CSV
%files -n shim-unsigned-%{efialtarch}
%license COPYRIGHT
%dir %{shimrootdir}
%dir %{shimversiondir}
%dir %{shimaltdir}
%{shimaltdir}/*.efi
%{shimaltdir}/*.hash
%{shimaltdir}/*.CSV
%files debuginfo -f build-%{efiarch}/debugfiles.list %files debuginfo -f build-%{efiarch}/debugfiles.list
%files -n shim-unsigned-%{efialtarch}-debuginfo -f build-%{efialtarch}/debugfiles.list
%files debugsource -f build-%{efiarch}/debugsource.list %files debugsource -f build-%{efiarch}/debugsource.list
%changelog %changelog
* Thu Mar 09 2023 Eduard Abdullin <eabdullin@almalinux.org> - 15.6-1.el9.alma.1
- Use AlmaLinux vendor cert and SBAT entry
* Wed Jun 01 2022 Peter Jones <pjones@redhat.com> - 15.6-1.el9
- Update to shim-15.6
Resolves: CVE-2022-28737
* Wed Mar 09 2022 Peter Jones <pjones@redhat.com> - 15.5-1
- Update to shim-15.5
Related: rhbz#1932057
* Thu Apr 01 2021 Peter Jones <pjones@redhat.com> - 15.4-4 * Thu Apr 01 2021 Peter Jones <pjones@redhat.com> - 15.4-4
- Fix the sbat data to actually match /this/ product. - Fix the sbat data to actually match /this/ product.
Resolves: CVE-2020-14372 Resolves: CVE-2020-14372
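Review bot: the new 15.6-1.el9.alma.1 changelog entry says "Use AlmaLinux vendor cert and SBAT entry", but the spec change is to a vendor db (Source1 vendor_db.esl, VENDOR_DB_FILE), not a single vendor certificate; say "vendor db" so anyone auditing the trust chain from the changelog is not misled. The removal of `%files -n shim-unsigned-%{efialtarch}` and its debuginfo line is consistent with the build and install changes above, provided the corresponding %package section is removed as well.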
@ -251,17 +237,24 @@ cd ..
- Fix MoK mirroring issue which breaks kdump without intervention - Fix MoK mirroring issue which breaks kdump without intervention
Related: rhbz#1668966 Related: rhbz#1668966
* Fri Jul 20 2018 Peter Jones <pjones@redhat.com> - 15-1 * Thu Apr 05 2018 Peter Jones <pjones@redhat.com> - 15-1
- Update to shim 15 - Update to shim 15
- better checking for bad linker output
- flicker-free console if there's no error output
- improved http boot support
- better protocol re-installation
- dhcp proxy support
- tpm measurement even when verification is disabled
- REQUIRE_TPM build flag
- more reproducable builds
- measurement of everything verified through shim_verify()
- coverity and scan-build checker make targets
- misc cleanups
* Tue Sep 19 2017 Peter Jones <pjones@redhat.com> - 13-3 * Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 13-0.2
- Actually update to the *real* 13 final. - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
Related: rhbz#1489604
* Thu Aug 31 2017 Peter Jones <pjones@redhat.com> - 13-2 * Fri Aug 18 2017 Peter Jones <pjones@redhat.com> - 13-0.1
- Actually update to 13 final.
* Fri Aug 18 2017 Peter Jones <pjones@redhat.com> - 13-1
- Make a new shim-unsigned-x64 package like the shim-unsigned-aarch64 one. - Make a new shim-unsigned-x64 package like the shim-unsigned-aarch64 one.
- This will (eventually) supersede what's in the "shim" package so we can - This will (eventually) supersede what's in the "shim" package so we can
make "shim" hold the signed one, which will confuse fewer people. make "shim" hold the signed one, which will confuse fewer people.
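Review bot: this hunk rewrites changelog history that predates the AlmaLinux changes: the 15-1 entry changes date (from Fri Jul 20 2018 to Thu Apr 05 2018) and loses its bullet list, and the 13-3/13-2 entries are replaced by Fedora Release Engineering 13-0.2 and 13-0.1 entries. That is a side effect of the CentOS import commits in this compare carrying a different changelog lineage, not an AlmaLinux edit, and is worth a line in the commit message so a reader of the diff does not take it for a deliberate change.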