%global pesign_vre 0.106-1 %global openssl_vre 1.0.2j %global efidir almalinux %global shimrootdir %{_datadir}/shim/ %global shimversiondir %{shimrootdir}/%{version}-%{release} %global efiarch x64 %global shimdir %{shimversiondir}/%{efiarch} %global efialtarch ia32 %global shimaltdir %{shimversiondir}/%{efialtarch} %global debug_package %{nil} %global __debug_package 1 %global _binaries_in_noarch_packages_terminate_build 0 %global __debug_install_post %{SOURCE100} %{efiarch} %{efialtarch} %undefine _debuginfo_subpackages Name: shim-unsigned-%{efiarch} Version: 15.8 Release: 2.el9.alma.1 Summary: First-stage UEFI bootloader ExclusiveArch: x86_64 License: BSD URL: https://github.com/rhboot/shim Source0: https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2 # currently here's what's in our dbx: # nothing. Source2: dbx.esl Source3: sbat.almalinux.csv Source4: shim.patches Source100: shim-find-debuginfo.sh Source101: almalinux-sb-cert-1.der Source102: almalinux-sb-cert-2.der Source103: almalinux-sb-cert-3.der %include %{SOURCE4} BuildRequires: gcc make BuildRequires: elfutils-libelf-devel BuildRequires: git openssl-devel openssl BuildRequires: pesign >= %{pesign_vre} BuildRequires: dos2unix findutils # Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not # compatible with SysV (there's no red zone under UEFI) and there isn't a # POSIX-style C library. # BuildRequires: OpenSSL Provides: bundled(openssl) = %{openssl_vre} %global desc \ Initial UEFI bootloader that handles chaining to a trusted full \ bootloader under secure boot environments. %global debug_desc \ This package provides debug information for package %{expand:%%{name}} \ Debug information is useful when developing applications that \ use this package or when debugging this package. %description %desc %package -n shim-unsigned-%{efialtarch} Summary: First-stage UEFI bootloader (unsigned data) Provides: bundled(openssl) = %{openssl_vre} %description -n shim-unsigned-%{efialtarch} %desc %package debuginfo Summary: Debug information for shim-unsigned-%{efiarch} Group: Development/Debug AutoReqProv: 0 BuildArch: noarch %description debuginfo %debug_desc %package -n shim-unsigned-%{efialtarch}-debuginfo Summary: Debug information for shim-unsigned-%{efialtarch} Group: Development/Debug AutoReqProv: 0 BuildArch: noarch %description -n shim-unsigned-%{efialtarch}-debuginfo %debug_desc %package debugsource Summary: Debug Source for shim-unsigned Group: Development/Debug AutoReqProv: 0 BuildArch: noarch %description debugsource %debug_desc %prep %autosetup -S git_am -n shim-%{version} git config --unset user.email git config --unset user.name mkdir build-%{efiarch} mkdir build-%{efialtarch} cp %{SOURCE3} data/ %build # Prepare vendor_db.esl file openssl x509 -inform DER -in %{SOURCE101} -out 01.pem openssl x509 -inform DER -in %{SOURCE102} -out 02.pem openssl x509 -inform DER -in %{SOURCE103} -out 03.pem cert-to-efi-sig-list -g 9DD8A2AC-0977-4AEF-99A0-E794FD2A31FE 01.pem 01.esl cert-to-efi-sig-list -g 33D81FE3-5EC0-44F8-AB02-C9DA554F63D8 02.pem 02.esl cert-to-efi-sig-list -g 50413300-1AC7-49DA-B755-BB0D93E634B6 03.pem 03.esl cat 01.esl 02.esl 03.esl > vendor_db.esl COMMIT_ID=5914984a1ffeab841f482c791426d7ca9935a5e6 MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMIT_ID=${COMMIT_ID} " MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} " MAKEFLAGS+="ENABLE_SHIM_HASH=true " MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 " MAKEFLAGS+="%{_smp_mflags}" if [ -s vendor_db.esl ]; then MAKEFLAGS="$MAKEFLAGS VENDOR_DB_FILE=../vendor_db.esl" fi if [ -s "%{SOURCE2}" ]; then MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}" fi cd build-%{efiarch} make ${MAKEFLAGS} \ DEFAULT_LOADER='\\\\grub%{efiarch}.efi' \ all cd .. %install COMMIT_ID=5914984a1ffeab841f482c791426d7ca9935a5e6 MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMIT_ID=${COMMIT_ID} " MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} " MAKEFLAGS+="ENABLE_SHIM_HASH=true " MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 " if [ -s vendor_db.esl ]; then MAKEFLAGS="$MAKEFLAGS VENDOR_DB_FILE=../vendor_db.esl" fi if [ -s "%{SOURCE2}" ]; then MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}" fi cd build-%{efiarch} make ${MAKEFLAGS} \ DEFAULT_LOADER='\\\\grub%{efiarch}.efi' \ DESTDIR=${RPM_BUILD_ROOT} \ install-as-data install-debuginfo install-debugsource cd .. %files %license COPYRIGHT %dir %{shimrootdir} %dir %{shimversiondir} %dir %{shimdir} %{shimdir}/*.CSV %{shimdir}/*.efi %{shimdir}/*.hash %files debuginfo -f build-%{efiarch}/debugfiles.list %files debugsource -f build-%{efiarch}/debugsource.list %changelog * Tue Mar 26 2024 Eduard Abdullin - 15.8-2.el9.alma.1 - Update to shim-15.8 * Wed Feb 07 2024 Peter Jones - 15.8-2.el9 - Rebuild to fix the commit ident and MAKEFLAGS Resolves: RHEL-11262 * Tue Jan 23 2024 Peter Jones - 15.8-1.el9 - Update to shim-15.8 for CVE-2023-40547 Resolves: RHEL-11262 * Wed Jun 01 2022 Peter Jones - 15.6-1.el9 - Update to shim-15.6 for CVE-2022-28737 * Tue May 24 2022 Peter Jones - 15.6~rc1-1.el9 - Update to shim-15.6~rc1 for CVE-2022-28737 * Wed Mar 09 2022 Peter Jones - 15.5-1 - Update to shim-15.5 Related: rhbz#1932057 * Thu Apr 01 2021 Peter Jones - 15.4-4 - Fix the sbat data to actually match /this/ product. Resolves: CVE-2020-14372 Resolves: CVE-2020-25632 Resolves: CVE-2020-25647 Resolves: CVE-2020-27749 Resolves: CVE-2020-27779 Resolves: CVE-2021-20225 Resolves: CVE-2021-20233 * Wed Mar 31 2021 Peter Jones - 15.4-3 - Build with the correct certificate trust list for this OS. Resolves: CVE-2020-14372 Resolves: CVE-2020-25632 Resolves: CVE-2020-25647 Resolves: CVE-2020-27749 Resolves: CVE-2020-27779 Resolves: CVE-2021-20225 Resolves: CVE-2021-20233 * Wed Mar 31 2021 Peter Jones - 15.4-2 - Fix the ia32 build. Resolves: CVE-2020-14372 Resolves: CVE-2020-25632 Resolves: CVE-2020-25647 Resolves: CVE-2020-27749 Resolves: CVE-2020-27779 Resolves: CVE-2021-20225 Resolves: CVE-2021-20233 * Tue Mar 30 2021 Peter Jones - 15.4-1 - Update to shim 15.4 - Support for revocations via the ".sbat" section and SBAT EFI variable - A new unit test framework and a bunch of unit tests - No external gnu-efi dependency - Better CI Resolves: CVE-2020-14372 Resolves: CVE-2020-25632 Resolves: CVE-2020-25647 Resolves: CVE-2020-27749 Resolves: CVE-2020-27779 Resolves: CVE-2021-20225 Resolves: CVE-2021-20233 * Wed Mar 24 2021 Peter Jones - 15.3-0~1 - Update to shim 15.3 - Support for revocations via the ".sbat" section and SBAT EFI variable - A new unit test framework and a bunch of unit tests - No external gnu-efi dependency - Better CI Resolves: CVE-2020-14372 Resolves: CVE-2020-25632 Resolves: CVE-2020-25647 Resolves: CVE-2020-27749 Resolves: CVE-2020-27779 Resolves: CVE-2021-20225 Resolves: CVE-2021-20233 * Wed Jun 05 2019 Javier Martinez Canillas - 15-3 - Make EFI variable copying fatal only on secureboot enabled systems Resolves: rhbz#1715878 - Fix booting shim from an EFI shell using a relative path Resolves: rhbz#1717064 * Tue Feb 12 2019 Peter Jones - 15-2 - Fix MoK mirroring issue which breaks kdump without intervention Related: rhbz#1668966 * Thu Apr 05 2018 Peter Jones - 15-1 - Update to shim 15 - better checking for bad linker output - flicker-free console if there's no error output - improved http boot support - better protocol re-installation - dhcp proxy support - tpm measurement even when verification is disabled - REQUIRE_TPM build flag - more reproducable builds - measurement of everything verified through shim_verify() - coverity and scan-build checker make targets - misc cleanups * Fri Feb 09 2018 Fedora Release Engineering - 13-0.2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild * Fri Aug 18 2017 Peter Jones - 13-0.1 - Make a new shim-unsigned-x64 package like the shim-unsigned-aarch64 one. - This will (eventually) supersede what's in the "shim" package so we can make "shim" hold the signed one, which will confuse fewer people.