Compare commits
No commits in common. "c8" and "c10s-centos" have entirely different histories.
c8
...
c10s-cento
10
.gitignore
vendored
10
.gitignore
vendored
@ -1,2 +1,8 @@
|
||||
SOURCES/redhatsecurebootca5.cer
|
||||
SOURCES/shim-15.8.tar.bz2
|
||||
*~
|
||||
*.tar.*
|
||||
*.rpm
|
||||
.build*.log
|
||||
.*.sw?
|
||||
clog
|
||||
rhtest.cer
|
||||
shim-*/
|
||||
|
@ -1,2 +0,0 @@
|
||||
e6f506462069aa17d2e8610503635c20f3a995c3 SOURCES/redhatsecurebootca5.cer
|
||||
cdec924ca437a4509dcb178396996ddf92c11183 SOURCES/shim-15.8.tar.bz2
|
@ -1 +0,0 @@
|
||||
shim.redhat,3,Red Hat Inc,shim,15.8,secalert@redhat.com
|
|
6
gating.yaml
Normal file
6
gating.yaml
Normal file
@ -0,0 +1,6 @@
|
||||
--- !Policy
|
||||
product_versions:
|
||||
- rhel-9
|
||||
decision_context: osci_compose_gate
|
||||
rules:
|
||||
- !PassingTestCaseRule {test_case_name: manual.sst_desktop.shim.functional}
|
15
rpminspect.yaml
Normal file
15
rpminspect.yaml
Normal file
@ -0,0 +1,15 @@
|
||||
---
|
||||
inspections:
|
||||
# These just flag when things change "too much"
|
||||
changedfiles: off
|
||||
filesize: off
|
||||
patches: off
|
||||
upstream: off
|
||||
|
||||
# shim is... well, shim
|
||||
disttag: off
|
||||
|
||||
|
||||
elf:
|
||||
# This is PE-land
|
||||
exclude_path: ".*.efi.debug"
|
1
sbat.centos.csv
Normal file
1
sbat.centos.csv
Normal file
@ -0,0 +1 @@
|
||||
shim.centos,3,The CentOS Project,shim,15.8,security@centos.org
|
|
@ -20,9 +20,9 @@ fi
|
||||
findsource()
|
||||
{
|
||||
(
|
||||
cd ${RPM_BUILD_ROOT}
|
||||
find usr/src/debug/ -type d | sed "s,^,%dir /,"
|
||||
find usr/src/debug/ -type f | sed "s,^,/,"
|
||||
cd "${RPM_BUILD_ROOT}"
|
||||
find usr/src/debug/ -type d | sed -e "s,^,%dir /," | sort -u | tac
|
||||
find usr/src/debug/ -type f | sed -e "s,^,/," | sort -u | tac
|
||||
)
|
||||
}
|
||||
|
||||
@ -32,9 +32,12 @@ finddebug()
|
||||
declare -a dirs=()
|
||||
declare -a files=()
|
||||
declare -a excludes=()
|
||||
declare -a tmp=()
|
||||
|
||||
pushd ${RPM_BUILD_ROOT} >/dev/null 2>&1
|
||||
for x in $(find usr/lib/debug/ -type f -iname *.efi.debug); do
|
||||
pushd "${RPM_BUILD_ROOT}" >/dev/null 2>&1
|
||||
|
||||
mapfile -t tmp < <(find usr/lib/debug/ -type f -iname "*.efi.debug")
|
||||
for x in "${tmp[@]}" ; do
|
||||
if ! [ -e "${x}" ]; then
|
||||
break
|
||||
fi
|
||||
@ -57,8 +60,10 @@ finddebug()
|
||||
excludes[${#excludes[@]}]=${x%%.debug}
|
||||
fi
|
||||
done
|
||||
for x in ${files[@]} ; do
|
||||
declare name=$(dirname /${x})
|
||||
for x in "${files[@]}" ; do
|
||||
declare name
|
||||
|
||||
name=$(dirname "/${x}")
|
||||
while [ "${name}" != "/" ]; do
|
||||
case "${name}" in
|
||||
"/usr/lib/debug"|"/usr/lib"|"/usr")
|
||||
@ -67,24 +72,24 @@ finddebug()
|
||||
dirs[${#dirs[@]}]=${name}
|
||||
;;
|
||||
esac
|
||||
name=$(dirname ${name})
|
||||
name=$(dirname "${name}")
|
||||
done
|
||||
done
|
||||
|
||||
popd >/dev/null 2>&1
|
||||
for x in ${dirs[@]} ; do
|
||||
for x in "${dirs[@]}" ; do
|
||||
echo "%dir ${x}"
|
||||
done | sort | uniq
|
||||
for x in ${files[@]} ; do
|
||||
for x in "${files[@]}" ; do
|
||||
echo "/${x}"
|
||||
done | sort | uniq
|
||||
for x in ${excludes[@]} ; do
|
||||
for x in "${excludes[@]}" ; do
|
||||
echo "%exclude /${x}"
|
||||
done
|
||||
}
|
||||
|
||||
findsource > build-${mainarch}/debugsource.list
|
||||
finddebug ${mainarch} > build-${mainarch}/debugfiles.list
|
||||
findsource > "build-${mainarch}/debugsource.list"
|
||||
finddebug "${mainarch}" > "build-${mainarch}/debugfiles.list"
|
||||
if [ -v altarch ]; then
|
||||
finddebug ${altarch} > build-${altarch}/debugfiles.list
|
||||
finddebug "${altarch}" > "build-${altarch}/debugfiles.list"
|
||||
fi
|
@ -1,13 +1,6 @@
|
||||
%global pesign_vre 0.106-1
|
||||
%global gnuefi_vre 1:3.0.5-6
|
||||
%global openssl_vre 1.0.2j
|
||||
|
||||
%global debug_package %{nil}
|
||||
%global __debug_package 1
|
||||
%global _binaries_in_noarch_packages_terminate_build 0
|
||||
%global __debug_install_post %{SOURCE100} x64 ia32
|
||||
%undefine _debuginfo_subpackages
|
||||
|
||||
%global efidir %(eval echo $(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/'))
|
||||
%global shimrootdir %{_datadir}/shim/
|
||||
%global shimversiondir %{shimrootdir}/%{version}-%{release}
|
||||
@ -16,19 +9,28 @@
|
||||
%global efialtarch ia32
|
||||
%global shimaltdir %{shimversiondir}/%{efialtarch}
|
||||
|
||||
%global debug_package %{nil}
|
||||
%global __debug_package 1
|
||||
%global _binaries_in_noarch_packages_terminate_build 0
|
||||
%global __debug_install_post %{SOURCE100} %{efiarch} %{efialtarch}
|
||||
%undefine _debuginfo_subpackages
|
||||
|
||||
# currently here's what's in our dbx: nothing
|
||||
%global dbxfile %{nil}
|
||||
|
||||
Name: shim-unsigned-%{efiarch}
|
||||
Version: 15.8
|
||||
Release: 2.el8
|
||||
Release: 3.el10.centos
|
||||
Summary: First-stage UEFI bootloader
|
||||
ExclusiveArch: x86_64
|
||||
License: BSD
|
||||
URL: https://github.com/rhboot/shim
|
||||
Source0: https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2
|
||||
Source1: redhatsecurebootca5.cer
|
||||
# currently here's what's in our dbx:
|
||||
# nothing.
|
||||
Source2: dbx.esl
|
||||
Source3: sbat.redhat.csv
|
||||
Source1: vendordb.esl
|
||||
%if 0%{?dbxfile}
|
||||
Source2: %{dbxfile}
|
||||
%endif
|
||||
Source3: sbat.centos.csv
|
||||
Source4: shim.patches
|
||||
|
||||
Source100: shim-find-debuginfo.sh
|
||||
@ -40,6 +42,7 @@ BuildRequires: elfutils-libelf-devel
|
||||
BuildRequires: git openssl-devel openssl
|
||||
BuildRequires: pesign >= %{pesign_vre}
|
||||
BuildRequires: dos2unix findutils
|
||||
BuildRequires: system-sb-certs
|
||||
|
||||
# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
|
||||
# compatible with SysV (there's no red zone under UEFI) and there isn't a
|
||||
@ -67,7 +70,6 @@ Provides: bundled(openssl) = %{openssl_vre}
|
||||
|
||||
%package debuginfo
|
||||
Summary: Debug information for shim-unsigned-%{efiarch}
|
||||
Requires: %{name}-debugsource = %{version}-%{release}
|
||||
Group: Development/Debug
|
||||
AutoReqProv: 0
|
||||
BuildArch: noarch
|
||||
@ -78,7 +80,6 @@ BuildArch: noarch
|
||||
%package -n shim-unsigned-%{efialtarch}-debuginfo
|
||||
Summary: Debug information for shim-unsigned-%{efialtarch}
|
||||
Group: Development/Debug
|
||||
Requires: %{name}-debugsource = %{version}-%{release}
|
||||
AutoReqProv: 0
|
||||
BuildArch: noarch
|
||||
|
||||
@ -109,12 +110,14 @@ MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
|
||||
MAKEFLAGS+="ENABLE_SHIM_HASH=true "
|
||||
MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 "
|
||||
MAKEFLAGS+="%{_smp_mflags}"
|
||||
if [ -s "%{SOURCE1}" ]; then
|
||||
MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1} "
|
||||
if [ -f "/etc/pki/sb-certs/secureboot-ca-x86_64.cer" ]; then
|
||||
MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=/etc/pki/sb-certs/secureboot-ca-x86_64.cer"
|
||||
fi
|
||||
if [ -s "%{SOURCE2}" ]; then
|
||||
MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2} "
|
||||
%if 0%{?dbxfile}
|
||||
if [ -f "%{SOURCE2}" ]; then
|
||||
MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
|
||||
fi
|
||||
%endif
|
||||
|
||||
cd build-%{efiarch}
|
||||
make ${MAKEFLAGS} \
|
||||
@ -122,24 +125,20 @@ make ${MAKEFLAGS} \
|
||||
all
|
||||
cd ..
|
||||
|
||||
cd build-%{efialtarch}
|
||||
setarch linux32 -B make ${MAKEFLAGS} ARCH=%{efialtarch} \
|
||||
DEFAULT_LOADER='\\\\grub%{efialtarch}.efi' \
|
||||
all
|
||||
cd ..
|
||||
|
||||
%install
|
||||
COMMIT_ID=5914984a1ffeab841f482c791426d7ca9935a5e6
|
||||
MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMIT_ID=${COMMIT_ID} "
|
||||
MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
|
||||
MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true "
|
||||
MAKEFLAGS+="ENABLE_SHIM_HASH=true "
|
||||
MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 "
|
||||
if [ -s "%{SOURCE1}" ]; then
|
||||
MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1} "
|
||||
if [ -f "/etc/pki/sb-certs/secureboot-ca-x86_64.cer" ]; then
|
||||
MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=/etc/pki/sb-certs/secureboot-ca-x86_64.cer"
|
||||
fi
|
||||
if [ -s "%{SOURCE2}" ]; then
|
||||
%if 0%{?dbxfile}
|
||||
if [ -f "%{SOURCE2}" ]; then
|
||||
MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2} "
|
||||
fi
|
||||
%endif
|
||||
|
||||
cd build-%{efiarch}
|
||||
make ${MAKEFLAGS} \
|
||||
@ -148,89 +147,97 @@ make ${MAKEFLAGS} \
|
||||
install-as-data install-debuginfo install-debugsource
|
||||
cd ..
|
||||
|
||||
cd build-%{efialtarch}
|
||||
setarch linux32 make ${MAKEFLAGS} ARCH=%{efialtarch} \
|
||||
DEFAULT_LOADER='\\\\grub%{efialtarch}.efi' \
|
||||
DESTDIR=${RPM_BUILD_ROOT} \
|
||||
install-as-data install-debuginfo install-debugsource
|
||||
cd ..
|
||||
|
||||
%files
|
||||
%license COPYRIGHT
|
||||
%dir %{shimrootdir}
|
||||
%dir %{shimversiondir}
|
||||
%dir %{shimdir}
|
||||
%{shimdir}/*.CSV
|
||||
%{shimdir}/*.efi
|
||||
%{shimdir}/*.hash
|
||||
|
||||
%files -n shim-unsigned-%{efialtarch}
|
||||
%license COPYRIGHT
|
||||
%dir %{shimrootdir}
|
||||
%dir %{shimversiondir}
|
||||
%dir %{shimaltdir}
|
||||
%{shimaltdir}/*.CSV
|
||||
%{shimaltdir}/*.efi
|
||||
%{shimaltdir}/*.hash
|
||||
%{shimdir}/*.CSV
|
||||
|
||||
%files debuginfo -f build-%{efiarch}/debugfiles.list
|
||||
|
||||
%files -n shim-unsigned-%{efialtarch}-debuginfo -f build-%{efialtarch}/debugfiles.list
|
||||
|
||||
%files debugsource -f build-%{efiarch}/debugsource.list
|
||||
|
||||
%changelog
|
||||
* Wed Feb 07 2024 Peter Jones <pjones@redhat.com> - 15.8-2.el8
|
||||
* Mon Nov 18 2024 Brian Stinson <bstinson@redhat.com> - 15.8-3.el10.centos
|
||||
- Build shim-unsigned for CentOS Stream 10
|
||||
Related: RHEL-4391
|
||||
|
||||
* Wed Feb 07 2024 Peter Jones <pjones@redhat.com> - 15.8-2.el9
|
||||
- Rebuild to fix the commit ident and MAKEFLAGS
|
||||
Resolves: RHEL-11259
|
||||
Resolves: RHEL-56466
|
||||
|
||||
* Tue Dec 05 2023 Peter Jones <pjones@redhat.com> - 15.8-1.el8
|
||||
* Tue Jan 23 2024 Peter Jones <pjones@redhat.com> - 15.8-1.el9
|
||||
- Update to shim-15.8 for CVE-2023-40547
|
||||
Resolves: RHEL-11259
|
||||
Resolves: RHEL-56466
|
||||
|
||||
* Wed Jun 01 2022 Peter Jones <pjones@redhat.com> - 15.6-1.el8
|
||||
* Wed Jun 01 2022 Peter Jones <pjones@redhat.com> - 15.6-1.el9
|
||||
- Update to shim-15.6
|
||||
Resolves: CVE-2022-28737
|
||||
|
||||
* Thu Sep 17 2020 Peter Jones <pjones@redhat.com> - 15-9.el8
|
||||
- Fix an incorrect allocation size.
|
||||
Related: rhbz#1877253
|
||||
* Wed Mar 09 2022 Peter Jones <pjones@redhat.com> - 15.5-1
|
||||
- Update to shim-15.5
|
||||
Related: rhbz#1932057
|
||||
|
||||
* Thu Jul 30 2020 Peter Jones <pjones@redhat.com> - 15-8
|
||||
- Fix a load-address-dependent forever loop.
|
||||
Resolves: rhbz#1861977
|
||||
Related: CVE-2020-10713
|
||||
Related: CVE-2020-14308
|
||||
Related: CVE-2020-14309
|
||||
Related: CVE-2020-14310
|
||||
Related: CVE-2020-14311
|
||||
Related: CVE-2020-15705
|
||||
Related: CVE-2020-15706
|
||||
Related: CVE-2020-15707
|
||||
* Thu Apr 01 2021 Peter Jones <pjones@redhat.com> - 15.4-4
|
||||
- Fix the sbat data to actually match /this/ product.
|
||||
Resolves: CVE-2020-14372
|
||||
Resolves: CVE-2020-25632
|
||||
Resolves: CVE-2020-25647
|
||||
Resolves: CVE-2020-27749
|
||||
Resolves: CVE-2020-27779
|
||||
Resolves: CVE-2021-20225
|
||||
Resolves: CVE-2021-20233
|
||||
|
||||
* Sat Jul 25 2020 Peter Jones <pjones@redhat.com> - 15-7
|
||||
- Implement Lenny's workaround
|
||||
Related: CVE-2020-10713
|
||||
Related: CVE-2020-14308
|
||||
Related: CVE-2020-14309
|
||||
Related: CVE-2020-14310
|
||||
Related: CVE-2020-14311
|
||||
* Wed Mar 31 2021 Peter Jones <pjones@redhat.com> - 15.4-3
|
||||
- Build with the correct certificate trust list for this OS.
|
||||
Resolves: CVE-2020-14372
|
||||
Resolves: CVE-2020-25632
|
||||
Resolves: CVE-2020-25647
|
||||
Resolves: CVE-2020-27749
|
||||
Resolves: CVE-2020-27779
|
||||
Resolves: CVE-2021-20225
|
||||
Resolves: CVE-2021-20233
|
||||
|
||||
* Fri Jul 24 2020 Peter Jones <pjones@redhat.com> - 15-5
|
||||
- Once more with the MokListRT config table patch added.
|
||||
Related: CVE-2020-10713
|
||||
Related: CVE-2020-14308
|
||||
Related: CVE-2020-14309
|
||||
Related: CVE-2020-14310
|
||||
Related: CVE-2020-14311
|
||||
* Wed Mar 31 2021 Peter Jones <pjones@redhat.com> - 15.4-2
|
||||
- Fix the ia32 build.
|
||||
Resolves: CVE-2020-14372
|
||||
Resolves: CVE-2020-25632
|
||||
Resolves: CVE-2020-25647
|
||||
Resolves: CVE-2020-27749
|
||||
Resolves: CVE-2020-27779
|
||||
Resolves: CVE-2021-20225
|
||||
Resolves: CVE-2021-20233
|
||||
|
||||
* Thu Jul 23 2020 Peter Jones <pjones@redhat.com> - 15-4
|
||||
- Rebuild for bug fixes and new signing keys
|
||||
Related: CVE-2020-10713
|
||||
Related: CVE-2020-14308
|
||||
Related: CVE-2020-14309
|
||||
Related: CVE-2020-14310
|
||||
Related: CVE-2020-14311
|
||||
* Tue Mar 30 2021 Peter Jones <pjones@redhat.com> - 15.4-1
|
||||
- Update to shim 15.4
|
||||
- Support for revocations via the ".sbat" section and SBAT EFI variable
|
||||
- A new unit test framework and a bunch of unit tests
|
||||
- No external gnu-efi dependency
|
||||
- Better CI
|
||||
Resolves: CVE-2020-14372
|
||||
Resolves: CVE-2020-25632
|
||||
Resolves: CVE-2020-25647
|
||||
Resolves: CVE-2020-27749
|
||||
Resolves: CVE-2020-27779
|
||||
Resolves: CVE-2021-20225
|
||||
Resolves: CVE-2021-20233
|
||||
|
||||
* Wed Mar 24 2021 Peter Jones <pjones@redhat.com> - 15.3-0~1
|
||||
- Update to shim 15.3
|
||||
- Support for revocations via the ".sbat" section and SBAT EFI variable
|
||||
- A new unit test framework and a bunch of unit tests
|
||||
- No external gnu-efi dependency
|
||||
- Better CI
|
||||
Resolves: CVE-2020-14372
|
||||
Resolves: CVE-2020-25632
|
||||
Resolves: CVE-2020-25647
|
||||
Resolves: CVE-2020-27749
|
||||
Resolves: CVE-2020-27779
|
||||
Resolves: CVE-2021-20225
|
||||
Resolves: CVE-2021-20233
|
||||
|
||||
* Wed Jun 05 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-3
|
||||
- Make EFI variable copying fatal only on secureboot enabled systems
|
||||
@ -242,17 +249,24 @@ cd ..
|
||||
- Fix MoK mirroring issue which breaks kdump without intervention
|
||||
Related: rhbz#1668966
|
||||
|
||||
* Fri Jul 20 2018 Peter Jones <pjones@redhat.com> - 15-1
|
||||
* Thu Apr 05 2018 Peter Jones <pjones@redhat.com> - 15-1
|
||||
- Update to shim 15
|
||||
- better checking for bad linker output
|
||||
- flicker-free console if there's no error output
|
||||
- improved http boot support
|
||||
- better protocol re-installation
|
||||
- dhcp proxy support
|
||||
- tpm measurement even when verification is disabled
|
||||
- REQUIRE_TPM build flag
|
||||
- more reproducable builds
|
||||
- measurement of everything verified through shim_verify()
|
||||
- coverity and scan-build checker make targets
|
||||
- misc cleanups
|
||||
|
||||
* Tue Sep 19 2017 Peter Jones <pjones@redhat.com> - 13-3
|
||||
- Actually update to the *real* 13 final.
|
||||
Related: rhbz#1489604
|
||||
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 13-0.2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
||||
|
||||
* Thu Aug 31 2017 Peter Jones <pjones@redhat.com> - 13-2
|
||||
- Actually update to 13 final.
|
||||
|
||||
* Fri Aug 18 2017 Peter Jones <pjones@redhat.com> - 13-1
|
||||
* Fri Aug 18 2017 Peter Jones <pjones@redhat.com> - 13-0.1
|
||||
- Make a new shim-unsigned-x64 package like the shim-unsigned-aarch64 one.
|
||||
- This will (eventually) supersede what's in the "shim" package so we can
|
||||
make "shim" hold the signed one, which will confuse fewer people.
|
1
sources
Normal file
1
sources
Normal file
@ -0,0 +1 @@
|
||||
SHA512 (shim-15.8.tar.bz2) = 30b3390ae935121ea6fe728d8f59d37ded7b918ad81bea06e213464298b4bdabbca881b30817965bd397facc596db1ad0b8462a84c87896ce6c1204b19371cd1
|
0
vendordb.esl
Normal file
0
vendordb.esl
Normal file
Loading…
Reference in New Issue
Block a user