From 68d9b1a40d41d621213e7b2a6c438e9aad14772c Mon Sep 17 00:00:00 2001 From: eabdullin Date: Wed, 29 Mar 2023 12:37:04 +0300 Subject: [PATCH] - Use AlmaLinux cert --- .shim.metadata | 6 +++--- SOURCES/BOOTAA64.CSV | Bin 184 -> 124 bytes SOURCES/BOOTIA32.CSV | Bin 184 -> 124 bytes SOURCES/BOOTX64.CSV | Bin 182 -> 122 bytes SOURCES/almalinuxsecurebootca0.cer | Bin 0 -> 1787 bytes SOURCES/redhatsecureboot501.cer | Bin 964 -> 0 bytes SOURCES/redhatsecurebootca5.cer | Bin 920 -> 0 bytes SOURCES/shim.rpmmacros | 12 +++++++++--- SPECS/shim.spec | 15 ++++++++++++--- 9 files changed, 24 insertions(+), 9 deletions(-) create mode 100644 SOURCES/almalinuxsecurebootca0.cer delete mode 100644 SOURCES/redhatsecureboot501.cer delete mode 100644 SOURCES/redhatsecurebootca5.cer diff --git a/.shim.metadata b/.shim.metadata index 0cbbf98..59c4fc9 100644 --- a/.shim.metadata +++ b/.shim.metadata @@ -1,3 +1,3 @@ -8ab193ad7addd71e4a820081f36d47e5ef727d28 SOURCES/shimaa64.efi -c04dd5db5d91e8d1f597f2bfd878f55eba05a125 SOURCES/shimia32.efi -9a08a40a69ba8ad6292a19aca367d819e875d789 SOURCES/shimx64.efi +8f61bdc72cf582e2fdf094eac3bd911464857d89 SOURCES/shimaa64.efi +cf0dc84373d0036f0420255baaa5a3b4760563ed SOURCES/shimia32.efi +5957bbccac9f22c1738039679204be0bb57c3812 SOURCES/shimx64.efi diff --git a/SOURCES/BOOTAA64.CSV b/SOURCES/BOOTAA64.CSV index 2dad06e30e5c8f08d7ba2dd1a6bdfe2a05065d4d..3ef9ab912bd5e9e68661f89ee324b147d9282064 100644 GIT binary patch delta 37 ncmdnNSTjL}-H{=OA(tU>qNA$_l*!=3kjaq8P|8rjz{LOnup0;@ delta 97 zcmb=~!8k!iHHaaVA%#JK!Gj@@p#(^~GUNg2RE8pk0wB(0CCMvrc5v7p92dE{F Lp_HM5fr|kE$VC#q diff --git a/SOURCES/BOOTIA32.CSV b/SOURCES/BOOTIA32.CSV index 4e658b2f4fc811efe3f482f81efef435dab58626..a45da43844da52778badecb23ca75128fa8b98b6 100644 GIT binary patch delta 37 ncmdnNSTjL}-H{=OA(tU>qNA$_l*!=3kjaq8P|8rjz{LOnup0;@ delta 97 zcmb=~!8k!iHHaaVA%#JK!Gj@@p#(^~GUNg2RE8pk0wB(0CCMvrc5v7p92dE{F Lp_HM5fr|kE$VC#q 
diff --git a/SOURCES/BOOTX64.CSV b/SOURCES/BOOTX64.CSV index 7692a93c84b493eba48422b79eb9186fad5d0a34..38a9ef0a67ed2de1e037a1e119941ec1fb374836 100644 GIT binary patch delta 37 ncmdnSST#Y4-H{=OA(tU>qP?pKl*!=3kjaq8P|8rjz{LOnuNw#) delta 97 zcmb>0#yCMrHHaaVA%#JK!Gj@@p#(^~GUNg2RE8pk0wB(0CCMvob5v7p92dE{F Lp_HM5fr|kE#h((k 
diff --git a/SOURCES/almalinuxsecurebootca0.cer b/SOURCES/almalinuxsecurebootca0.cer new file mode 100644 index 0000000000000000000000000000000000000000..6a4e99b9ed921c4af3db55a619260f1ab76110dc GIT binary patch literal 1787 zcmb7Edpy%?9NzEu+YQ4qp+X~z$hNhS)Qi`TME^-dksg&-Xq2Cz{bpoK?*v3Lr+#1l0EMjD_^(GTMD zB!UPL)n5=TknqD$I+(55K`6BGoxr#aQ34*7AqwMDg9H&mfiQx~@Sw6ns4M2o1LnrM zj*bAGgM!g7R1KZf5ID|pa&dAA1xdG2GSJgV;wS_sr+Fwqoly#ygx9gdLs&@Wya0v} z3LG4SP65Uf7hwvK$&cd3bH#kr3{2A~=u->>#eywd37;Auj^GLf30#RlB%EMPEi-l+ zkwox{5{U(2T$BpTN6nIqJ))wy{sLj#R%$>H)k_p74EruH#z6j)0c5b{#3zMt7(@o^ zW7O-~undMU6>I1J?%P(;)EDTd~@7#vAD%qZ-ufkhh?j~ zapii8FZ6l4l2j4>$6Kvd%=FCfQ#Hi8bqZPzauDLVg0k(jF6nNqtfiz|Wxur8bX2ad zdVcV5sacnCY_nO@_S&kodX}Gu=_h9qjw-&C&Q?YW8|~hwL@-lYMZxo*mT|n_rq!Dq zNO?Kr*Z&ajuCl*+CptA}bH}3+sZUn7lNIOqU@O10Y8v~wWKcZqMh{nDsrrHAqC?Fn zC5Od?^TaPN9vZwE>ENKiT9WIkzve%`+%Pg-+wtWhW?EoI?ykMo1m;;krtqoqrdY(Z z>AG~nTPIVAdtr9e$os^OcI}Pat4B7uw#bZr_Ev0CoO20G4yS!W8C%*eNtWAYpL#d* zedparl{a8zs7XrL79O+)cgO3rRq(Xe?bv+=_YavC&C0sI{5@^Isw>gKnC3h)7Af**$k{YWr>DKj@ce|HuYY$w-4X7busAnE?sO0 z%rpc&tP$2Q5p}pRNtx`QBY$$Hy}hi^EzC7xG%sfQ5Hy0tA}}ElkTi6P2EzaYC>lh= zl7Kdzs16YhM?esDptRPfdPAw7JRwLkg(U+Y4UdZT1n$5IPa2Kec@%;nJOpT9#`r7@ z85u`PBr&nB4i2&3%Ye=kMLRG8g8%`Ki%23t2=LQLO~*2UT1>u3z97|AGoqg0iKFNf zr^ZU-duM1WW2`Y49;^^`UC`BhARRwieNz#L243SBz!P*O|5I1;uO$Gbj#^URPsEFj znJ5J48Yh#m)_^Ae=Lv|2+!#zIQG$c)nJj+~w#N#V{a95^486KX5gC+(`LS(LuYLx& zmK=g#7W3C{btC1qgXHu|&hAt1mVpg9@qz7)LQjirTbE=%tB>VaJ{w|W+SRlqtM=qq z`BZ#(0JZP>i7X28yp;YFwn*+V^|hB(LiOc)PaARBXXK%~jS_tFjUyY$QX;*+r0V45 zkE=pT=tBm1C+#j}43w`s`%TdlzpX-LE<>U=F6|4*<{yn&V-xIkW##-D?u9_i{=os1 zQ~fq=HHqcUdPH1KbNZa$#kq3WF+jPXnVa;%`a)vjg(LknHdCYpovzocJ`VZSGQKX% z9VuvTNmoc+L-8N(4b3q2QAF;sQhj@I*nzv-=TicK8=0_FUZQQx>WuhjaYMX_P|t&zHv TseG#v;Fg#3=RT@0&At3@_pP4Z literal 0 HcmV?d00001 
diff --git a/SOURCES/redhatsecureboot501.cer b/SOURCES/redhatsecureboot501.cer deleted file mode 100644 index dfa7afb4699f9da2610ccf889eac6269b4e368ad..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 964 zcmXqLVm@Hd#I#}oGZP~d6DPygP|MB7r^(JW;AP{~YV&CO&dbQi&B|a9ZzyIU!p0oR z!o|ZIl$xU8kyxUm;F*`KXQ*f(4-#kQk${RT1g9pK7NsgU<>!|uI6Eqs8Y&qmz)j<1 z6ca8^O-{^7Eh=#+N=?Z~EYVBO&oz(}=QT1gFf*_;ur#$aF^m%DHMTG?G_-(n4bpHr zK*K-{;sAMU4hYUn&&$k9S1<({MvOa}7?qIy&dAEZ+{DPwV9>?_b=fyaz_nMgbCq_4}%h&s@!! ze1+-H$r$aU3#Wbib#?#k&uh{GYUM6Zj@vtn;gxywxjzdyRhQhFw_E3gr&3h2=~R{1 zj&**wnV1`gIDK=C)Q=HpH6<5w#musUBRX5*FRT%+S?q^ zlC!X|$Tr`#TvsL{aXYvlkoIbiCkx z5_D~Q*@8!%rFvVIJk+SN&YvaV#ohSi!kzD4u!L^;lrQW*W7-1#!tQ%Ev()B&_RmzfDxh^SOyp9_ zQ{CMgMRQYpd7N(ray<%vF*_r`|Ig1qJ?keW%w>8X>p8K%ckRW_k5{=r91h)XDEdQO n!11X)D#7e#1b6^&%9(kLq!95kT^4s1XNrhI5oMnC{@8JKfgr5*-^pNP{}|6ZW6NxP$#b?ru1p1aqn$3D)YB{Qqo zjCvjz?|=HkE#3AN-xTZpws*U~)f@DZ{t~uwMZy8<;F%jD%$u6!n#qYzp^Sryh{C;x9qf@!N=T4ui@b#({ zSD&^p3kNZ=9lAQ9%xdfP9doNToV+k2^LHOFD{5oE&78StJa^8n7$i2k94PWc<&xr*# z`sciS&XK#@>h!OC8{=mczNLHbADCJ+pE=-CsaDOF#s}?5Q)1qq&%R~#cz>QmiAiVx zk5XXYstAL9d+iK-w@u$FESybMIPOFY~9lmn~9nUf%vMc88@((p0B(#qL+!COmt7`j5IhPVzo{cRPw} Pd!}BnFF!b8N6JS4>O*3Z diff --git a/SOURCES/shim.rpmmacros b/SOURCES/shim.rpmmacros index fa7a833..84157d6 100644 --- a/SOURCES/shim.rpmmacros +++ b/SOURCES/shim.rpmmacros @@ -13,9 +13,9 @@ %global shimefix64 %{expand:%{SOURCE22}} #%%global shimefiarm %%{expand:%%{SOURCE23} -%global shimveraa64 15-7.el8_1 -%global shimveria32 15.6-1.el8 -%global shimverx64 15.6-1.el8 +%global shimveraa64 15-7.el8_1.alma.1 +%global shimveria32 15.6-1.el8.alma.1 +%global shimverx64 15.6-1.el8.alma.1 #%%global shimverarm 15-1.el8 %global shimdiraa64 %{_datadir}/shim/%{shimveraa64}/aa64 
@@ -48,6 +48,12 @@ Requires: mokutil >= 1:0.3.0-1 \ Requires: efi-filesystem \ Provides: shim-signed-%{-a*} = %{version}-%{release} \ Requires: dbxtool >= 0.6-3 \ +Requires: %{efi_esp_dir}/grub%{-a*}.efi \ +%{expand:%ifarch x86_64 \ +# SecureBoot keys dependencies \ +Requires: almalinux(grub2-sig-key) >= 202303 \ +Requires: almalinux(kernel-sig-key) >= 202303 \ +%endif} \ %{expand:%%if 0%%{-p*} \ Provides: shim = %{version}-%{release} \ Provides: shim-signed = %{version}-%{release} \ diff --git a/SPECS/shim.spec b/SPECS/shim.spec index 4b1439f..429da1d 100644 --- a/SPECS/shim.spec +++ b/SPECS/shim.spec @@ -1,6 +1,10 @@ +%global efi_vendor almalinux +%global efidir almalinux +%global efi_esp_dir /boot/efi/EFI/%{efidir} + Name: shim Version: 15.6 -Release: 1%{?dist} +Release: 1%{?dist}.alma.1 Summary: First-stage UEFI bootloader License: BSD URL: https://github.com/rhboot/shim/ @@ -14,8 +18,7 @@ ExcludeArch: %{ix86} ExcludeArch: %{arm} Source0: shim.rpmmacros -Source1: redhatsecureboot501.cer -Source2: redhatsecurebootca5.cer +Source1: almalinuxsecurebootca0.cer # keep these two lists of sources synched up arch-wise. That is 0 and 10 # match, 1 and 11 match, ... @@ -101,6 +104,12 @@ install -m 0700 %{shimefi} $RPM_BUILD_ROOT%{efi_esp_dir}/shim.efi %endif %changelog +* Mon Feb 27 2023 Eduard Abdullin - 15.6-1.alma.1 +- Use AlmaLinux cert + +* Tue Aug 23 2022 Andrew Lukoshko - 15.6-1.alma +- AlmaLinux changes + * Mon Jun 06 2022 Peter Jones - 15.6-1 - Update to shim-15.6 Resolves: CVE-2022-28737
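Review bot: The signing-key requirements added in the `@@ -48,6 +48,12 @@` hunk of SOURCES/shim.rpmmacros are guarded by `%ifarch x86_64`, yet this commit also replaces the aarch64 shim binary and bumps `shimveraa64`. If the aarch64 shim trusts the new AlmaLinux certificate too, an aarch64 system can update shim without pulling in a grub2 and kernel signed by a matching key, and would then fail Secure Boot verification on the next boot. Either widen the guard, e.g. `%ifarch x86_64 aarch64` (provided those capabilities exist on that architecture), or add a comment such as `# aarch64 exempt: <reason>`. The new block also writes `%ifarch` with a single `%`, while the line after it uses the deferred `%%if`; a short comment on the intended expansion time would help. The macro definition begins outside the hunk.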
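Review bot: The three globals added at the top of SPECS/shim.spec (`@@ -1,6 +1,10 @@`) carry no comment, although `%{efi_esp_dir}` now feeds the file dependency `Requires: %{efi_esp_dir}/grub%{-a*}.efi` introduced in shim.rpmmacros. If the hard-coded `/boot/efi/EFI/%{efidir}` ever differs from the directory the grub2 packages install into, that dependency cannot be resolved. I would add `# Must match the ESP directory of the grub2 packages; shim.rpmmacros builds a file Requires from efi_esp_dir` above them. `efi_vendor` is not referenced in any visible line, so it is worth confirming that the rest of the spec uses it.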
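Review bot: `Source1: almalinuxsecurebootca0.cer` in the `@@ -14,8 +18,7 @@` hunk replaces the Secure Boot trust anchor, but the certificate arrives as an opaque binary patch and nothing in the visible spec lets a reviewer confirm which CA it is. Record its fingerprint beside the source line, e.g. `# SHA-256 fingerprint: <FINGERPRINT_PLACEHOLDER> (compare with the published AlmaLinux Secure Boot CA)`. `Source2` is dropped here, so any remaining `%{SOURCE2}` reference in the parts of the spec outside this hunk has to be removed as well. The diff does not show a step that checks the prebuilt shim binaries pinned in .shim.metadata against this certificate; presumably that lives elsewhere in the spec, and should be confirmed.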