From 335978ab58c7091741f0d3056f7650cdbf48385f Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Fri, 2 Aug 2019 12:04:09 -0400 Subject: [PATCH] import shim-15-11 --- .gitignore | 3 + .shim.metadata | 3 + SOURCES/BOOTAA64.CSV | Bin 0 -> 184 bytes SOURCES/BOOTIA32.CSV | Bin 0 -> 184 bytes SOURCES/BOOTX64.CSV | Bin 0 -> 182 bytes SOURCES/secureboot.cer | Bin 0 -> 839 bytes SOURCES/securebootca.cer | Bin 0 -> 977 bytes SOURCES/shim.rpmmacros | 171 +++++++++++++++++++++++++++++++++++++++ SPECS/shim.spec | 146 +++++++++++++++++++++++++++++++++ 9 files changed, 323 insertions(+) create mode 100644 .gitignore create mode 100644 .shim.metadata create mode 100644 SOURCES/BOOTAA64.CSV create mode 100644 SOURCES/BOOTIA32.CSV create mode 100644 SOURCES/BOOTX64.CSV create mode 100644 SOURCES/secureboot.cer create mode 100644 SOURCES/securebootca.cer create mode 100644 SOURCES/shim.rpmmacros create mode 100644 SPECS/shim.spec diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..1d48086 --- /dev/null +++ b/.gitignore @@ -0,0 +1,3 @@ +SOURCES/shimaa64.efi +SOURCES/shimia32.efi +SOURCES/shimx64.efi diff --git a/.shim.metadata b/.shim.metadata new file mode 100644 index 0000000..419f702 --- /dev/null +++ b/.shim.metadata @@ -0,0 +1,3 @@ +fddb9c22fd56e9c6975159ad72415c9a4cb7cebd SOURCES/shimaa64.efi +c3c4d0ccdc07c03c20f133f9f65f6f12accea87a SOURCES/shimia32.efi +6436ae30f3f189f70f9043d91ede90058fbeb00a SOURCES/shimx64.efi diff --git a/SOURCES/BOOTAA64.CSV b/SOURCES/BOOTAA64.CSV new file mode 100644 index 0000000000000000000000000000000000000000..2dad06e30e5c8f08d7ba2dd1a6bdfe2a05065d4d GIT binary patch literal 184 zcmb7-%L#x$5JTVDDz*UeBz7Qp@FX^%xQibAu&bcWt8qJ!FeD^1ndc6SOw4pbK~9Fn z$w_IX1`L&wU0kw=EuKv?5u^>Z)WX53ill-Y;5sd(oUWi|NWHk E0^c+t{{R30 literal 0 HcmV?d00001 diff --git a/SOURCES/BOOTIA32.CSV b/SOURCES/BOOTIA32.CSV new file mode 100644 index 0000000000000000000000000000000000000000..4e658b2f4fc811efe3f482f81efef435dab58626 GIT binary patch literal 184 zcmb7-OAbIl5JcbFDdqrT!5JhLR^kH0Oj!72hJ?$b%nhW|sp_ik>gNuOOw8(zf}9MC z)0EPP4HzmpyRc*tT0EP2B8VGmv4w+E7b$H_3(`N|Xn%}bJ*(JmSc{R=rq?Dv-nm%`6WMbx|ASc7( zG^aFT1BQx@U0AXREuKw15yTC(*utUfRMp0;ApP4L`N!z$Syf+(jVYc>+)4Aozn>Cb DrCcGk literal 0 HcmV?d00001 diff --git a/SOURCES/secureboot.cer b/SOURCES/secureboot.cer new file mode 100644 index 0000000000000000000000000000000000000000..4ff8b79e6736e566dbf39603e0887a53345aa4e4 GIT binary patch literal 839 zcmXqLVs5=#_OQj1C) zic(WD5=-=w^K%X4#CZ)(42%qc(A3<>AWEFq*xbO#zzobaj4}u^)G^S4Sf`BDy5h|A zyv)3GQtWJER6_O@BP#=Q6C*!^K@%evQxhX2!zT5vqmx`?o`(oz{$eeCezR_cLPyl% zHpefqUbuO&%O^nA}y6#9BjM%~U7Q(5kw6_YN1epR)|xb9Elg4_B`%!~|-ixmyz4P=2K zFU!Xw#v&5#_@80Rp3FS`6#W&an$HJBb(91l2O=d+v%~@6}B_2%&Mg` zDvt6_STWb-ZhXD^RgaJz3Cq5o4B43+oEZD&XVQnj{jXOGHfUJJB>qmC?A`ut>Ahpw zdM-|DZzz7Yc^I3-u|J*vqdKqQ`kIF?LJd~2r8XOg&f%Z+Yj((@r{(*;Y?_w8rSDJJ zntk_K74NJ(drfx5hIZaKImf>p{fSPd=}qfHlV8OA-0dHz$M#&#on!XF_3NjY{(Hxy zbKN4k{8NvC{Y9;Yo!51>R!)l5n2-{5CgAUe(k!NLc|1u*B2w==ttY-NzWb+N=75O& zzv2uf{%c3S9%5x`<-dQv`g=w9>l=;D-vz#WO}UeuefPU1`=|Tw9$I=mIi&>vg+x|L literal 0 HcmV?d00001 diff --git a/SOURCES/securebootca.cer b/SOURCES/securebootca.cer new file mode 100644 index 0000000000000000000000000000000000000000..b2354007b9668258683b99a68fa5bdd3067c31b1 GIT binary patch literal 977 zcmXqLVm@oo#I$t*GZP~d6DPykKFO2}lmD>>ylk9WZ60mkc^MhGSs4s`4b=@)*_cCF zn1$tnQd1N>5=#_OQj1C) zic(WD5=-=w^K%X4#CZ)(42%qc(8R>VG)kP;*xbO#zzoWzwslR6O2{5!WMyD(V&rEq zXkz4IYGPz$nC+~vi6EDouC4!V-;tv&JA zN}nf->iaHo2tM8rAb&8=Njdj{a^${=Z?aE)&k<1VH{Q3Wx7jKD-_5CYum4K4d~JV` z`ccOE*<7!m22LI4&u3g0F3h!NN?ysm?c*7~^lIfF3D-Xhnr_&uU!bJ$?ZS8WW+A0- zr9raw{Iep~On)hDAUrqc*pZy>@YoE^;z#ABPp))utMY{K9XOZuN+87Vv97^}gccFK z6&c%&T=rzVyKuJ1S>c?Rq?77kYS zv==`X%}MC|0a-81!fL?G$oL;QPJxLO7^jR3 zp{b9(0{X(lQ;+K%h_CKtxc%nd+9kH!CBia&JkgcqO9LvF9(I1~^2+p(_fBqs&+@+g zjZG)^b(y8?lr#NV`RkoR|I-BpaSiJiPBV7drX0Bbe!0fPB95K&)ygj1YM5%bK;(6L z=7Y@r2hM%A`uyr;o|A^(c{icYtu_B=WuE^MZ_<i|1QMhsQHT z4}wg*#%C!d<*ePQAKPyWoS|9R;jPUx*P-5Ksuo_~6c3tyKHzf+y+r*{_;vOAw> zmv4Wk&h*1hGe;ze)#t#BH;PsH)$e|FOmna8+@9jW!^ymRMf{q+C84h)mppfN*sxn6 NnfI|Q%N6m!6aeL$dME$@ literal 0 HcmV?d00001 diff --git a/SOURCES/shim.rpmmacros b/SOURCES/shim.rpmmacros new file mode 100644 index 0000000..c83519c --- /dev/null +++ b/SOURCES/shim.rpmmacros @@ -0,0 +1,171 @@ +%global debug_package %{nil} +%global __brp_mangle_shebangs_exclude_from_file %{expand:%{_builddir}/shim-%{efi_arch}-%{version}-%{release}.%{_target_cpu}-shebangs.txt} +%global vendor_token_str %{expand:%%{nil}%%{?vendor_token_name:-t "%{vendor_token_name}"}} +%global vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}} + +%global bootcsvaa64 %{expand:%{SOURCE10}} +%global bootcsvia32 %{expand:%{SOURCE11}} +%global bootcsvx64 %{expand:%{SOURCE12}} +#%%global bootcsvarm %%{expand:%%{SOURCE13}} + +%global shimefiaa64 %{expand:%{SOURCE20}} +%global shimefiia32 %{expand:%{SOURCE21}} +%global shimefix64 %{expand:%{SOURCE22}} +#%%global shimefiarm %%{expand:%%{SOURCE23} + +%global shimveraa64 15-4.el8 +%global shimveria32 15-2.el8 +%global shimverx64 15-2.el8 +#%%global shimverarm 15-1.el8 + +%global shimdiraa64 %{_datadir}/shim/%{shimveraa64}/aa64 +%global shimdiria32 %{_datadir}/shim/%{shimveria32}/ia32 +%global shimdirx64 %{_datadir}/shim/%{shimverx64}/x64 +#%%global shimdirarm %%{_datadir}/shim/%%{shimverarm}/arm + +%global unsignedaa64 shim-unsigned-aarch64 +%global unsignedia32 shim-unsigned-ia32 +%global unsignedx64 shim-unsigned-x64 +#%%global unsignedarm shim-unsigned-arm + +%global bootcsv %{expand:%{bootcsv%{efi_arch}}} +%global bootcsvalt %{expand:%{bootcsv%{?efi_alt_arch}}} +%global shimefi %{expand:%{shimefi%{efi_arch}}} +%global shimefialt %{expand:%{shimefi%{?efi_alt_arch}}} +%global shimver %{expand:%{shimver%{efi_arch}}} +%global shimveralt %{expand:%{shimver%{?efi_alt_arch}}} +%global shimdir %{expand:%{shimdir%{efi_arch}}} +%global shimdiralt %{expand:%{shimdir%{?efi_alt_arch}}} + +%global unsignednone shim-unsigned-none +%global unsigned %{expand:%%{unsigned%{efi_arch}}} +%global unsignedalt %{expand:%%{unsigned%{efi_alt_arch}}} + +%define define_pkg(a:p:) \ +%{expand:%%package -n shim-%{-a*}} \ +Summary: First-stage UEFI bootloader \ +Requires: mokutil >= 1:0.3.0-1 \ +Requires: efi-filesystem \ +Provides: shim-signed-%{-a*} = %{version}-%{release} \ +Requires: dbxtool >= 0.6-3 \ +%{expand:%%if 0%%{-p*} \ +Provides: shim = %{version}-%{release} \ +Provides: shim-signed = %{version}-%{release} \ +Obsoletes: shim-signed < %{version}-%{release} \ +Obsoletes: shim < %{version}-%{release} \ +%%endif} \ +# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI \ +# is not compatible with SysV (there's no red zone under UEFI) and \ +# there isn't a POSIX-style C library. \ +# BuildRequires: OpenSSL \ +Provides: bundled(openssl) = 1.0.2j \ + \ +%{expand:%%description -n shim-%{-a*}} \ +Initial UEFI bootloader that handles chaining to a trusted full \ +bootloader under secure boot environments. This package contains the \ +version signed by the UEFI signing service. \ +%{nil} + +# -a +# -i +%define hash(a:i:d:) \ + pesign -i %{-i*} -h -P > shim.hash \ + read file0 hash0 < shim.hash \ + read file1 hash1 < %{-d*}/shim%{-a*}.hash \ + if ! [ "$hash0" = "$hash1" ]; then \ + echo Invalid signature\! > /dev/stderr \ + echo $hash0 vs $hash1 \ + exit 1 \ + fi \ + %{nil} + +# -i +# -o +%define sign(i:o:n:a:c:) \ + %{expand:%%pesign -s -i %{-i*} -o %{-o*} %{-n} %{-n*} %{-a} %{-a*} %{-c} %{-c*}} \ + %{nil} + +# -b +# -a +# -i +%define distrosign(b:a:d:) \ + cp -av %{-d*}/%{-b*}%{-a*}.efi %{-b*}%{-a*}-unsigned.efi \ + %{expand:%%sign -i %{-b*}%{-a*}-unsigned.efi -o %{-b*}%{-a*}-signed.efi -n redhatsecureboot301 -a %{SOURCE2} -c %{SOURCE1} }\ + %{nil} + +# -a +# -A +# -b <1|0> # signed by this builder? +# -c <1|0> # signed by UEFI CA? +# -i +%define define_build(a:A:b:c:i:d:) \ +if [ "%{-c*}" = "yes-temporarily-disabled-20180723" ]; then \ + %{expand:%%hash -i %{-i*} -a %{-a*} -d %{-d*}} \ +fi \ +cp %{-i*} shim%{-a*}.efi \ +if [ "%{-b*}" = "yes" ]; then \ + %{expand:%%distrosign -b shim -a %{-a*} -d %{-d*}} \ + mv shim%{-a*}-signed.efi shim%{-a*}-%{efi_vendor}.efi \ +fi \ +if [ "%{-c*}" = "no" ]; then \ + cp shim%{-a*}-%{efi_vendor}.efi shim%{-a*}.efi \ +fi \ +%{expand:%%distrosign -b mm -a %{-a*} -d %{-d*}} \ +mv mm%{-a*}-signed.efi mm%{-a*}.efi \ +%{expand:%%distrosign -b fb -a %{-a*} -d %{-d*}} \ +mv fb%{-a*}-signed.efi fb%{-a*}.efi \ +rm -vf \\\ + mm%{-a*}-unsigned.efi \\\ + fb%{-a*}-unsigned.efi \\\ + shim%{-a*}-unsigned.efi \ +%{nil} + +# -a +# -A +# -b +%define do_install(a:A:b:) \ +install -m 0700 shim%{-a*}.efi \\\ + $RPM_BUILD_ROOT%{efi_esp_dir}/shim%{-a*}.efi \ +install -m 0700 shim%{-a*}-%{efi_vendor}.efi \\\ + $RPM_BUILD_ROOT%{efi_esp_dir}/shim%{-a*}-%{efi_vendor}.efi \ +install -m 0700 mm%{-a*}.efi \\\ + $RPM_BUILD_ROOT%{efi_esp_dir}/mm%{-a*}.efi \ +install -m 0700 %{-b*} \\\ + $RPM_BUILD_ROOT%{efi_esp_dir}/BOOT%{-A*}.CSV \ +install -m 0700 shim%{-a*}.efi \\\ + $RPM_BUILD_ROOT%{efi_esp_boot}/BOOT%{-A*}.EFI \ +install -m 0700 fb%{-a*}.efi \\\ + $RPM_BUILD_ROOT%{efi_esp_boot}/fb%{-a*}.efi \ +%nil + +# -a +# -A +%define define_files(a:A:) \ +%{expand:%%files -n shim-%{-a*}} \ +%{efi_esp_dir}/*%{-a*}*.efi \ +%{efi_esp_dir}/BOOT%{-A*}.CSV \ +%{efi_esp_boot}/*%{-a*}.efi \ +%{efi_esp_boot}/*%{-A*}.EFI \ +%{nil} + +%ifarch x86_64 +%global is_signed yes +%global is_alt_signed yes +%global provide_legacy_shim 1 +%endif +%ifarch aarch64 +%global is_signed no +%global is_alt_signed no +%global provide_legacy_shim 1 +%endif +%ifnarch x86_64 aarch64 +%global is_signed no +%global is_alt_signed no +%global provide_legacy_shim 0 +%endif + +%if ! 0%{?vendor:1} +%global vendor nopenopenope +%endif + +# vim:filetype=rpmmacros diff --git a/SPECS/shim.spec b/SPECS/shim.spec new file mode 100644 index 0000000..8afb18f --- /dev/null +++ b/SPECS/shim.spec @@ -0,0 +1,146 @@ +# this is to make us only expand %%{dist} if we're on a modularity build. +# it's 2 macros make vim's \c not put a brace at the end of the changelog. +%global _dist %{expand:%{?_module_build:%%{?dist}}} +%global dist %{expand:%%{_dist}} + +Name: shim +Version: 15 +Release: 11%{?dist} +Summary: First-stage UEFI bootloader +License: BSD +URL: https://github.com/rhboot/shim/ +BuildRequires: efi-filesystem +BuildRequires: efi-srpm-macros >= 3-2 + +ExclusiveArch: %{efi} +# but we don't build a .i686 package, just a shim-ia32.x86_64 package +ExcludeArch: %{ix86} +# and we don't have shim-unsigned-arm builds *yet* +ExcludeArch: %{arm} + +Source0: shim.rpmmacros +Source1: secureboot.cer +Source2: securebootca.cer + +# keep these two lists of sources synched up arch-wise. That is 0 and 10 +# match, 1 and 11 match, ... +Source10: BOOTAA64.CSV +Source20: shimaa64.efi +Source11: BOOTIA32.CSV +Source21: shimia32.efi +Source12: BOOTX64.CSV +Source22: shimx64.efi +#Source13: BOOTARM.CSV +#Source23: shimarm.efi + +%include %{SOURCE0} + +BuildRequires: pesign >= 0.112-20.fc27 +# We need this because %%{efi} won't expand before choosing where to make +# the src.rpm in koji, and we could be on a non-efi architecture, in which +# case we won't have a valid expansion here... To be solved in the future +# (shim 16+) by making the unsigned packages all provide "shim-unsigned", so +# we can just BuildRequires that. +%ifarch x86_64 +BuildRequires: %{unsignedx64} = %{shimverx64} +BuildRequires: %{unsignedia32} = %{shimveria32} +%endif +%ifarch aarch64 +BuildRequires: %{unsignedaa64} = %{shimveraa64} +%endif +#%%ifarch arm +#BuildRequires: %%{unsignedarm} = %%{shimverarm} +#%%endif + +%description +Initial UEFI bootloader that handles chaining to a trusted full bootloader +under secure boot environments. This package contains the version signed by +the UEFI signing service. + +%define_pkg -a %{efi_arch} -p 1 +%if %{efi_has_alt_arch} +%define_pkg -a %{efi_alt_arch} +%endif + +%prep +cd %{_builddir} +rm -rf shim-%{version} +mkdir shim-%{version} + +%build + +cd shim-%{version} +%if %{efi_has_alt_arch} +%define_build -a %{efi_alt_arch} -A %{efi_alt_arch_upper} -i %{shimefialt} -b yes -c %{is_alt_signed} -d %{shimdiralt} +%endif +%define_build -a %{efi_arch} -A %{efi_arch_upper} -i %{shimefi} -b yes -c %{is_signed} -d %{shimdir} + +%install +rm -rf $RPM_BUILD_ROOT +cd shim-%{version} +install -D -d -m 0755 $RPM_BUILD_ROOT/boot/ +install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_root}/ +install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_efi}/ +install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_dir}/ +install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_boot}/ + +%do_install -a %{efi_arch} -A %{efi_arch_upper} -b %{bootcsv} +%if %{efi_has_alt_arch} +%do_install -a %{efi_alt_arch} -A %{efi_alt_arch_upper} -b %{bootcsvalt} +%endif + +%if %{provide_legacy_shim} +install -m 0700 %{shimefi} $RPM_BUILD_ROOT%{efi_esp_dir}/shim.efi +%endif + +( cd $RPM_BUILD_ROOT ; find .%{efi_esp_root} -type f ) \ + | sed -e 's/\./\^/' -e 's,^\\\./,.*/,' -e 's,$,$,' > %{__brp_mangle_shebangs_exclude_from_file} + +%define_files -a %{efi_arch} -A %{efi_arch_upper} +%if %{efi_has_alt_arch} +%define_files -a %{efi_alt_arch} -A %{efi_alt_arch_upper} +%endif + +%if %{provide_legacy_shim} +%{efi_esp_dir}/shim.efi +%endif + +%changelog +* Fri Jun 07 2019 Javier Martinez Canillas - 15-11 +- Update the shim-unsigned-aarch64 version number + Related: rhbz#1715879 + +* Fri Jun 07 2019 Javier Martinez Canillas - 15-10 +- Add a gating.yaml file so the package can be properly gated + Related: rhbz#1681809 + +* Wed Jun 05 2019 Javier Martinez Canillas - 15-9 +- Bump the NVR + Related: rhbz#1715879 + +* Wed Jun 05 2019 Javier Martinez Canillas - 15-7 +- Make EFI variable copying fatal only on secureboot enabled systems + Resolves: rhbz#1715879 +- Fix booting shim from an EFI shell using a relative path + Resolves: rhbz#1717061 + +* Thu Mar 14 2019 Peter Jones - 15-6 +- Fix MoK mirroring issue which breaks kdump without intervention + Resolves: rhbz#1668966 + +* Thu Jan 24 2019 Peter Jones - 15-5 +- Rebuild for signing once again. If the signer actually works, then: + Resolves: rhbz#1620941 + +* Tue Oct 16 2018 Peter Jones - 15-4 +- Rebuild for signing + Resolves: rhbz#1620941 + +* Mon Aug 13 2018 Troy Dawson +- Release Bumped for el8 Mass Rebuild + +* Sat Aug 11 2018 Troy Dawson +- Release Bumped for el8+8 Mass Rebuild + +* Mon Jul 23 2018 Peter Jones - 15-1 +- Build for RHEL 8