
13 changed files with 163 additions and 115 deletions

10
.gitignore vendored

@ -1,2 +1,8 @@
SOURCES/redhatsecurebootca5.cer *~
SOURCES/shim-15.8.tar.bz2 *.tar.*
*.rpm
.build*.log
.*.sw?
clog
rhtest.cer
shim-*/


@ -1,2 +0,0 @@
e6f506462069aa17d2e8610503635c20f3a995c3 SOURCES/redhatsecurebootca5.cer
cdec924ca437a4509dcb178396996ddf92c11183 SOURCES/shim-15.8.tar.bz2

3
README.md Normal file

@ -0,0 +1,3 @@
# shim-unsigned-x64
The shim-unsigned-x64 package


@ -1 +0,0 @@
shim.redhat,3,Red Hat Inc,shim,15.8,secalert@redhat.com

6
gating.yaml Normal file

@ -0,0 +1,6 @@
--- !Policy
product_versions:
- rhel-9
decision_context: osci_compose_gate
rules:
- !PassingTestCaseRule {test_case_name: manual.sst_desktop.shim.functional}
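Review bot: `product_versions` lists only `rhel-9`, while the spec in this same compare sets `Release: 3.el10.centos`, so if the gating policy is matched on product version the CentOS Stream 10 compose may never evaluate this rule and the build would pass gating unchecked. Confirm which product version identifier the c10s pipeline uses and list it here (keeping `rhel-9` only if this branch is also composed there). A one-line comment above `product_versions:` naming the branch the policy is meant for would make the mismatch obvious next time.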

15
rpminspect.yaml Normal file

@ -0,0 +1,15 @@
---
inspections:
# These just flag when things change "too much"
changedfiles: off
filesize: off
patches: off
upstream: off
# shim is... well, shim
disttag: off
elf:
# This is PE-land
exclude_path: ".*.efi.debug"
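Review bot: `upstream: off` and `patches: off` switch off the inspections that would flag a changed source tarball or a newly added patch between builds, which is the supply-chain signal rpminspect is most useful for on a first-stage bootloader; since `sources` already pins the SHA512 of shim-15.8.tar.bz2, consider leaving `upstream` enabled and disabling it only with a stated reason. The comment `# shim is... well, shim` above `disttag: off` does not say why; something like `# disttag: Release is hand-maintained (3.el10.centos) rather than %{?dist}` would record the actual reason.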

1
sbat.centos.csv Normal file

@ -0,0 +1 @@
shim.centos,3,The CentOS Project,shim,15.8,security@centos.org


@ -20,9 +20,9 @@ fi
findsource() findsource()
{ {
( (
cd ${RPM_BUILD_ROOT} cd "${RPM_BUILD_ROOT}"
find usr/src/debug/ -type d | sed "s,^,%dir /," find usr/src/debug/ -type d | sed -e "s,^,%dir /," | sort -u | tac
find usr/src/debug/ -type f | sed "s,^,/," find usr/src/debug/ -type f | sed -e "s,^,/," | sort -u | tac
) )
} }
@ -32,9 +32,12 @@ finddebug()
declare -a dirs=() declare -a dirs=()
declare -a files=() declare -a files=()
declare -a excludes=() declare -a excludes=()
declare -a tmp=()
pushd ${RPM_BUILD_ROOT} >/dev/null 2>&1 pushd "${RPM_BUILD_ROOT}" >/dev/null 2>&1
for x in $(find usr/lib/debug/ -type f -iname *.efi.debug); do
mapfile -t tmp < <(find usr/lib/debug/ -type f -iname "*.efi.debug")
for x in "${tmp[@]}" ; do
if ! [ -e "${x}" ]; then if ! [ -e "${x}" ]; then
break break
fi fi
@ -57,8 +60,10 @@ finddebug()
excludes[${#excludes[@]}]=${x%%.debug} excludes[${#excludes[@]}]=${x%%.debug}
fi fi
done done
for x in ${files[@]} ; do for x in "${files[@]}" ; do
declare name=$(dirname /${x}) declare name
name=$(dirname "/${x}")
while [ "${name}" != "/" ]; do while [ "${name}" != "/" ]; do
case "${name}" in case "${name}" in
"/usr/lib/debug"|"/usr/lib"|"/usr") "/usr/lib/debug"|"/usr/lib"|"/usr")
@ -67,24 +72,24 @@ finddebug()
dirs[${#dirs[@]}]=${name} dirs[${#dirs[@]}]=${name}
;; ;;
esac esac
name=$(dirname ${name}) name=$(dirname "${name}")
done done
done done
popd >/dev/null 2>&1 popd >/dev/null 2>&1
for x in ${dirs[@]} ; do for x in "${dirs[@]}" ; do
echo "%dir ${x}" echo "%dir ${x}"
done | sort | uniq done | sort | uniq
for x in ${files[@]} ; do for x in "${files[@]}" ; do
echo "/${x}" echo "/${x}"
done | sort | uniq done | sort | uniq
for x in ${excludes[@]} ; do for x in "${excludes[@]}" ; do
echo "%exclude /${x}" echo "%exclude /${x}"
done done
} }
findsource > build-${mainarch}/debugsource.list findsource > "build-${mainarch}/debugsource.list"
finddebug ${mainarch} > build-${mainarch}/debugfiles.list finddebug "${mainarch}" > "build-${mainarch}/debugfiles.list"
if [ -v altarch ]; then if [ -v altarch ]; then
finddebug ${altarch} > build-${altarch}/debugfiles.list finddebug "${altarch}" > "build-${altarch}/debugfiles.list"
fi fi
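Review bot: The loop rewritten with `mapfile -t tmp < <(find ... -iname "*.efi.debug")` in the hunk at -32,9 still does `break` when an entry fails `[ -e "${x}" ]`, so one vanished file stops the scan and silently leaves every remaining entry out of debugfiles.list; if the intent is to skip rather than abort, `continue` is the safer choice, otherwise an explicit error exit would be clearer than a truncated list. The header of finddebug lies outside the hunk. The file name is not shown in this section; from the spec's Source100 it is presumably shim-find-debuginfo.sh.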


@ -1,13 +1,6 @@
%global pesign_vre 0.106-1 %global pesign_vre 0.106-1
%global gnuefi_vre 1:3.0.5-6
%global openssl_vre 1.0.2j %global openssl_vre 1.0.2j
%global debug_package %{nil}
%global __debug_package 1
%global _binaries_in_noarch_packages_terminate_build 0
%global __debug_install_post %{SOURCE100} x64 ia32
%undefine _debuginfo_subpackages
%global efidir %(eval echo $(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/')) %global efidir %(eval echo $(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/'))
%global shimrootdir %{_datadir}/shim/ %global shimrootdir %{_datadir}/shim/
%global shimversiondir %{shimrootdir}/%{version}-%{release} %global shimversiondir %{shimrootdir}/%{version}-%{release}
@ -16,19 +9,28 @@
%global efialtarch ia32 %global efialtarch ia32
%global shimaltdir %{shimversiondir}/%{efialtarch} %global shimaltdir %{shimversiondir}/%{efialtarch}
%global debug_package %{nil}
%global __debug_package 1
%global _binaries_in_noarch_packages_terminate_build 0
%global __debug_install_post %{SOURCE100} %{efiarch} %{efialtarch}
%undefine _debuginfo_subpackages
# currently here's what's in our dbx: nothing
%global dbxfile %{nil}
Name: shim-unsigned-%{efiarch} Name: shim-unsigned-%{efiarch}
Version: 15.8 Version: 15.8
Release: 2.el8 Release: 3.el10.centos
Summary: First-stage UEFI bootloader Summary: First-stage UEFI bootloader
ExclusiveArch: x86_64 ExclusiveArch: x86_64
License: BSD License: BSD
URL: https://github.com/rhboot/shim URL: https://github.com/rhboot/shim
Source0: https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2 Source0: https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2
Source1: redhatsecurebootca5.cer Source1: vendordb.esl
# currently here's what's in our dbx: %if 0%{?dbxfile}
# nothing. Source2: %{dbxfile}
Source2: dbx.esl %endif
Source3: sbat.redhat.csv Source3: sbat.centos.csv
Source4: shim.patches Source4: shim.patches
Source100: shim-find-debuginfo.sh Source100: shim-find-debuginfo.sh
@ -40,6 +42,7 @@ BuildRequires: elfutils-libelf-devel
BuildRequires: git openssl-devel openssl BuildRequires: git openssl-devel openssl
BuildRequires: pesign >= %{pesign_vre} BuildRequires: pesign >= %{pesign_vre}
BuildRequires: dos2unix findutils BuildRequires: dos2unix findutils
BuildRequires: system-sb-certs
# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not # Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
# compatible with SysV (there's no red zone under UEFI) and there isn't a # compatible with SysV (there's no red zone under UEFI) and there isn't a
@ -67,7 +70,6 @@ Provides: bundled(openssl) = %{openssl_vre}
%package debuginfo %package debuginfo
Summary: Debug information for shim-unsigned-%{efiarch} Summary: Debug information for shim-unsigned-%{efiarch}
Requires: %{name}-debugsource = %{version}-%{release}
Group: Development/Debug Group: Development/Debug
AutoReqProv: 0 AutoReqProv: 0
BuildArch: noarch BuildArch: noarch
@ -78,7 +80,6 @@ BuildArch: noarch
%package -n shim-unsigned-%{efialtarch}-debuginfo %package -n shim-unsigned-%{efialtarch}-debuginfo
Summary: Debug information for shim-unsigned-%{efialtarch} Summary: Debug information for shim-unsigned-%{efialtarch}
Group: Development/Debug Group: Development/Debug
Requires: %{name}-debugsource = %{version}-%{release}
AutoReqProv: 0 AutoReqProv: 0
BuildArch: noarch BuildArch: noarch
@ -109,12 +110,14 @@ MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
MAKEFLAGS+="ENABLE_SHIM_HASH=true " MAKEFLAGS+="ENABLE_SHIM_HASH=true "
MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 " MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 "
MAKEFLAGS+="%{_smp_mflags}" MAKEFLAGS+="%{_smp_mflags}"
if [ -s "%{SOURCE1}" ]; then if [ -f "/etc/pki/sb-certs/secureboot-ca-x86_64.cer" ]; then
MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1} " MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=/etc/pki/sb-certs/secureboot-ca-x86_64.cer"
fi fi
if [ -s "%{SOURCE2}" ]; then %if 0%{?dbxfile}
MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2} " if [ -f "%{SOURCE2}" ]; then
MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
fi fi
%endif
cd build-%{efiarch} cd build-%{efiarch}
make ${MAKEFLAGS} \ make ${MAKEFLAGS} \
@ -122,24 +125,20 @@ make ${MAKEFLAGS} \
all all
cd .. cd ..
cd build-%{efialtarch}
setarch linux32 -B make ${MAKEFLAGS} ARCH=%{efialtarch} \
DEFAULT_LOADER='\\\\grub%{efialtarch}.efi' \
all
cd ..
%install %install
COMMIT_ID=5914984a1ffeab841f482c791426d7ca9935a5e6 COMMIT_ID=5914984a1ffeab841f482c791426d7ca9935a5e6
MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMIT_ID=${COMMIT_ID} " MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMIT_ID=${COMMIT_ID} "
MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} " MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true " MAKEFLAGS+="ENABLE_SHIM_HASH=true "
MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 " MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 "
if [ -s "%{SOURCE1}" ]; then if [ -f "/etc/pki/sb-certs/secureboot-ca-x86_64.cer" ]; then
MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1} " MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=/etc/pki/sb-certs/secureboot-ca-x86_64.cer"
fi fi
if [ -s "%{SOURCE2}" ]; then %if 0%{?dbxfile}
if [ -f "%{SOURCE2}" ]; then
MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2} " MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2} "
fi fi
%endif
cd build-%{efiarch} cd build-%{efiarch}
make ${MAKEFLAGS} \ make ${MAKEFLAGS} \
@ -148,89 +147,97 @@ make ${MAKEFLAGS} \
install-as-data install-debuginfo install-debugsource install-as-data install-debuginfo install-debugsource
cd .. cd ..
cd build-%{efialtarch}
setarch linux32 make ${MAKEFLAGS} ARCH=%{efialtarch} \
DEFAULT_LOADER='\\\\grub%{efialtarch}.efi' \
DESTDIR=${RPM_BUILD_ROOT} \
install-as-data install-debuginfo install-debugsource
cd ..
%files %files
%license COPYRIGHT %license COPYRIGHT
%dir %{shimrootdir} %dir %{shimrootdir}
%dir %{shimversiondir} %dir %{shimversiondir}
%dir %{shimdir} %dir %{shimdir}
%{shimdir}/*.CSV
%{shimdir}/*.efi %{shimdir}/*.efi
%{shimdir}/*.hash %{shimdir}/*.hash
%{shimdir}/*.CSV
%files -n shim-unsigned-%{efialtarch}
%license COPYRIGHT
%dir %{shimrootdir}
%dir %{shimversiondir}
%dir %{shimaltdir}
%{shimaltdir}/*.CSV
%{shimaltdir}/*.efi
%{shimaltdir}/*.hash
%files debuginfo -f build-%{efiarch}/debugfiles.list %files debuginfo -f build-%{efiarch}/debugfiles.list
%files -n shim-unsigned-%{efialtarch}-debuginfo -f build-%{efialtarch}/debugfiles.list
%files debugsource -f build-%{efiarch}/debugsource.list %files debugsource -f build-%{efiarch}/debugsource.list
%changelog %changelog
* Wed Feb 07 2024 Peter Jones <pjones@redhat.com> - 15.8-2.el8 * Mon Nov 18 2024 Brian Stinson <bstinson@redhat.com> - 15.8-3.el10.centos
- Build shim-unsigned for CentOS Stream 10
Related: RHEL-4391
* Wed Feb 07 2024 Peter Jones <pjones@redhat.com> - 15.8-2.el9
- Rebuild to fix the commit ident and MAKEFLAGS - Rebuild to fix the commit ident and MAKEFLAGS
Resolves: RHEL-11259 Resolves: RHEL-56466
* Tue Dec 05 2023 Peter Jones <pjones@redhat.com> - 15.8-1.el8 * Tue Jan 23 2024 Peter Jones <pjones@redhat.com> - 15.8-1.el9
- Update to shim-15.8 for CVE-2023-40547 - Update to shim-15.8 for CVE-2023-40547
Resolves: RHEL-11259 Resolves: RHEL-56466
* Wed Jun 01 2022 Peter Jones <pjones@redhat.com> - 15.6-1.el8 * Wed Jun 01 2022 Peter Jones <pjones@redhat.com> - 15.6-1.el9
- Update to shim-15.6 - Update to shim-15.6
Resolves: CVE-2022-28737 Resolves: CVE-2022-28737
* Thu Sep 17 2020 Peter Jones <pjones@redhat.com> - 15-9.el8 * Wed Mar 09 2022 Peter Jones <pjones@redhat.com> - 15.5-1
- Fix an incorrect allocation size. - Update to shim-15.5
Related: rhbz#1877253 Related: rhbz#1932057
* Thu Jul 30 2020 Peter Jones <pjones@redhat.com> - 15-8 * Thu Apr 01 2021 Peter Jones <pjones@redhat.com> - 15.4-4
- Fix a load-address-dependent forever loop. - Fix the sbat data to actually match /this/ product.
Resolves: rhbz#1861977 Resolves: CVE-2020-14372
Related: CVE-2020-10713 Resolves: CVE-2020-25632
Related: CVE-2020-14308 Resolves: CVE-2020-25647
Related: CVE-2020-14309 Resolves: CVE-2020-27749
Related: CVE-2020-14310 Resolves: CVE-2020-27779
Related: CVE-2020-14311 Resolves: CVE-2021-20225
Related: CVE-2020-15705 Resolves: CVE-2021-20233
Related: CVE-2020-15706
Related: CVE-2020-15707
* Sat Jul 25 2020 Peter Jones <pjones@redhat.com> - 15-7 * Wed Mar 31 2021 Peter Jones <pjones@redhat.com> - 15.4-3
- Implement Lenny's workaround - Build with the correct certificate trust list for this OS.
Related: CVE-2020-10713 Resolves: CVE-2020-14372
Related: CVE-2020-14308 Resolves: CVE-2020-25632
Related: CVE-2020-14309 Resolves: CVE-2020-25647
Related: CVE-2020-14310 Resolves: CVE-2020-27749
Related: CVE-2020-14311 Resolves: CVE-2020-27779
Resolves: CVE-2021-20225
Resolves: CVE-2021-20233
* Fri Jul 24 2020 Peter Jones <pjones@redhat.com> - 15-5 * Wed Mar 31 2021 Peter Jones <pjones@redhat.com> - 15.4-2
- Once more with the MokListRT config table patch added. - Fix the ia32 build.
Related: CVE-2020-10713 Resolves: CVE-2020-14372
Related: CVE-2020-14308 Resolves: CVE-2020-25632
Related: CVE-2020-14309 Resolves: CVE-2020-25647
Related: CVE-2020-14310 Resolves: CVE-2020-27749
Related: CVE-2020-14311 Resolves: CVE-2020-27779
Resolves: CVE-2021-20225
Resolves: CVE-2021-20233
* Thu Jul 23 2020 Peter Jones <pjones@redhat.com> - 15-4 * Tue Mar 30 2021 Peter Jones <pjones@redhat.com> - 15.4-1
- Rebuild for bug fixes and new signing keys - Update to shim 15.4
Related: CVE-2020-10713 - Support for revocations via the ".sbat" section and SBAT EFI variable
Related: CVE-2020-14308 - A new unit test framework and a bunch of unit tests
Related: CVE-2020-14309 - No external gnu-efi dependency
Related: CVE-2020-14310 - Better CI
Related: CVE-2020-14311 Resolves: CVE-2020-14372
Resolves: CVE-2020-25632
Resolves: CVE-2020-25647
Resolves: CVE-2020-27749
Resolves: CVE-2020-27779
Resolves: CVE-2021-20225
Resolves: CVE-2021-20233
* Wed Mar 24 2021 Peter Jones <pjones@redhat.com> - 15.3-0~1
- Update to shim 15.3
- Support for revocations via the ".sbat" section and SBAT EFI variable
- A new unit test framework and a bunch of unit tests
- No external gnu-efi dependency
- Better CI
Resolves: CVE-2020-14372
Resolves: CVE-2020-25632
Resolves: CVE-2020-25647
Resolves: CVE-2020-27749
Resolves: CVE-2020-27779
Resolves: CVE-2021-20225
Resolves: CVE-2021-20233
* Wed Jun 05 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-3 * Wed Jun 05 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-3
- Make EFI variable copying fatal only on secureboot enabled systems - Make EFI variable copying fatal only on secureboot enabled systems
@ -242,17 +249,24 @@ cd ..
- Fix MoK mirroring issue which breaks kdump without intervention - Fix MoK mirroring issue which breaks kdump without intervention
Related: rhbz#1668966 Related: rhbz#1668966
* Fri Jul 20 2018 Peter Jones <pjones@redhat.com> - 15-1 * Thu Apr 05 2018 Peter Jones <pjones@redhat.com> - 15-1
- Update to shim 15 - Update to shim 15
- better checking for bad linker output
- flicker-free console if there's no error output
- improved http boot support
- better protocol re-installation
- dhcp proxy support
- tpm measurement even when verification is disabled
- REQUIRE_TPM build flag
- more reproducable builds
- measurement of everything verified through shim_verify()
- coverity and scan-build checker make targets
- misc cleanups
* Tue Sep 19 2017 Peter Jones <pjones@redhat.com> - 13-3 * Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 13-0.2
- Actually update to the *real* 13 final. - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
Related: rhbz#1489604
* Thu Aug 31 2017 Peter Jones <pjones@redhat.com> - 13-2 * Fri Aug 18 2017 Peter Jones <pjones@redhat.com> - 13-0.1
- Actually update to 13 final.
* Fri Aug 18 2017 Peter Jones <pjones@redhat.com> - 13-1
- Make a new shim-unsigned-x64 package like the shim-unsigned-aarch64 one. - Make a new shim-unsigned-x64 package like the shim-unsigned-aarch64 one.
- This will (eventually) supersede what's in the "shim" package so we can - This will (eventually) supersede what's in the "shim" package so we can
make "shim" hold the signed one, which will confuse fewer people. make "shim" hold the signed one, which will confuse fewer people.
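Review bot: The new guards `if [ -f "/etc/pki/sb-certs/secureboot-ca-x86_64.cer" ]` in both %build and %install silently build shim with no embedded vendor certificate when the file is absent, and the switch from `-s` to `-f` now also accepts an empty file; since `BuildRequires: system-sb-certs` is added for exactly this, a missing or empty certificate should fail the build, e.g. `[ -s "/etc/pki/sb-certs/secureboot-ca-x86_64.cer" ] || { echo "vendor certificate missing" >&2; exit 1; }` before the assignment, with the path hoisted into one %global so the four copies cannot drift. Separately, `Source1: vendordb.esl` is declared but `%{SOURCE1}` is no longer referenced anywhere on the new side, and the added file appears to be empty, so it should either be wired through the Makefile (VENDOR_DB_FILE, if that is the intent) or dropped. The file name is not shown in this section; from its contents I take it to be the shim-unsigned-x64 spec.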

1
sources Normal file

@ -0,0 +1 @@
SHA512 (shim-15.8.tar.bz2) = 30b3390ae935121ea6fe728d8f59d37ded7b918ad81bea06e213464298b4bdabbca881b30817965bd397facc596db1ad0b8462a84c87896ce6c1204b19371cd1

0
vendordb.esl Normal file