First build for Centos Stream 10

Resolves: #RHEL-45014
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>

.gitignore

@@ -0,0 +1,8 @@
+/shimx64.efi
+/fbx64.efi
+/mmx64.efi
+/BOOTX64.CSV
+/BOOTAA64.CSV
+/fbaa64.efi
+/mmaa64.efi
+/shimaa64.efi

shim.conf

@@ -0,0 +1,4 @@
+shim-aa64
+shim-arm
+shim-ia32
+shim-x64

shim.rpmmacros

@@ -0,0 +1,201 @@
+%global debug_package %{nil}
+%global __brp_mangle_shebangs_exclude_from_file %{expand:%{_builddir}/shim-%{efi_arch}-%{version}-%{release}.%{_target_cpu}-shebangs.txt}
+%global vendor_token_str %{expand:%%{nil}%%{?vendor_token_name:-t "%{vendor_token_name}"}}
+%global vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}}
+
+%global grub_version 2.12-1.el10_0
+
+%global bootcsvaa64 %{expand:%{SOURCE10}}
+%global bootcsvx64 %{expand:%{SOURCE12}}
+#%%global bootcsvarm %%{expand:%%{SOURCE13}}
+
+%global shimefiaa64 %{expand:%{SOURCE20}}
+%global shimefix64 %{expand:%{SOURCE22}}
+#%%global shimefiarm %%{expand:%%{SOURCE23}
+
+%global fbefiaa64 %{expand:%{SOURCE30}}
+%global fbefix64 %{expand:%{SOURCE32}}
+#%%global fbefiarm %%{expand:%%{SOURCE33}
+
+%global mmefiaa64 %{expand:%{SOURCE40}}
+%global mmefix64 %{expand:%{SOURCE42}}
+#%%global mmefiarm %%{expand:%%{SOURCE43}
+
+%global shimveraa64 15.8-2.el9
+%global shimverx64 15.8-2.el9
+#%%global shimverarm 15-1.el8
+
+%global shimdiraa64 %{_datadir}/shim/%{shimveraa64}/aa64
+%global shimdirx64 %{_datadir}/shim/%{shimverx64}/x64
+#%%global shimdirarm %%{_datadir}/shim/%%{shimverarm}/arm
+
+%global unsignedaa64 shim-unsigned-aarch64
+%global unsignedx64 shim-unsigned-x64
+#%%global unsignedarm shim-unsigned-arm
+
+%global bootcsv %{expand:%{bootcsv%{efi_arch}}}
+%global bootcsvalt %{expand:%{bootcsv%{?efi_alt_arch}}}
+%global shimefi %{expand:%{shimefi%{efi_arch}}}
+%global shimefialt %{expand:%{shimefi%{?efi_alt_arch}}}
+%global shimver %{expand:%{shimver%{efi_arch}}}
+%global shimveralt %{expand:%{shimver%{?efi_alt_arch}}}
+%global shimdir %{expand:%{shimdir%{efi_arch}}}
+%global shimdiralt %{expand:%{shimdir%{?efi_alt_arch}}}
+%global fbefi %{expand:%{fbefi%{efi_arch}}}
+%global fbefialt %{expand:%{fbefi%{?efi_alt_arch}}}
+%global mmefi %{expand:%{mmefi%{efi_arch}}}
+%global mmefialt %{expand:%{mmefi%{?efi_alt_arch}}}
+
+%global unsignednone shim-unsigned-none
+%global unsigned %{expand:%%{unsigned%{efi_arch}}}
+%global unsignedalt %{expand:%%{unsigned%{efi_alt_arch}}}
+
+%define define_pkg(a:p:)						\
+%{expand:%%package -n shim-%{-a*}}					\
+Summary: First-stage UEFI bootloader					\
+Requires: mokutil >= 1:0.3.0-1						\
+Requires: efi-filesystem						\
+Provides: shim-signed-%{-a*} = %{version}-%{release}			\
+Requires: dbxtool >= 0.6-3						\
+Conflicts: grub2-efi-%{-a*} < %{grub_version}				\
+%{expand:%%if 0%%{-p*}							\
+Provides: shim = %{version}-%{release}					\
+Provides: shim-signed = %{version}-%{release}				\
+Obsoletes: shim-signed < %{version}-%{release}				\
+Obsoletes: shim < %{version}-%{release}					\
+%%endif}								\
+# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI	\
+# is not compatible with SysV (there's no red zone under UEFI) and	\
+# there isn't a POSIX-style C library.					\
+# BuildRequires: OpenSSL						\
+Provides: bundled(openssl) = 1.0.2j					\
+									\
+%{expand:%%description -n shim-%{-a*}}					\
+Initial UEFI bootloader that handles chaining to a trusted full		\
+bootloader under secure boot environments. This package contains the	\
+version signed by the UEFI signing service.				\
+%{nil}
+
+# -a <efiarch>
+# -i <input>
+%define hash(a:i:d:)								\
+	if [ 0%{?_unsigned_test_build:%{_unsigned_test_build}} -ne 0 ] ; then	\
+		pesign -i %{-i*} -h -P > shim.hash				\
+		read file0 hash0 < shim.hash					\
+		read file1 hash1 < %{-d*}/shim%{-a*}.hash			\
+		if ! [ "$hash0" = "$hash1" ] ; then				\
+			echo Invalid signature\! > /dev/stderr			\
+			echo $hash0 vs $hash1					\
+			exit 1							\
+		fi								\
+	fi									\
+	%{nil}
+
+# -i <input>
+# -o <output>
+%define sign(i:o:n:a:c:)									\
+	%{expand:%%pesign -s -i %{-i*} -o %{-o*} %{-n} %{-n*} %{-a} %{-a*} %{-c} %{-c*}}	\
+	%{nil}
+
+# -b <binary prefix>
+# -a <efiarch>
+# -i <input>
+%define distrosign(b:a:d:)							\
+	if [ 0%{?_unsigned_test_build:%{_unsigned_test_build}} -ne 0 ] ; then	\
+		if [ "%{-b*}%{-a*}" = "shim%{efi_arch}" ] ; then		\
+			cp -av "%{shimefi}" %{-b*}%{-a*}-unsigned.efi		\
+		elif [ "%{-b*}%{-a*}" = "shim%{efi_alt_arch}" ] ; then		\
+			cp -av "%{shimefialt}" %{-b*}%{-a*}-unsigned.efi	\
+		elif [ "%{-b*}%{-a*}" = "mm%{efi_arch}" ] ; then		\
+			cp -av "%{mmefi}" %{-b*}%{-a*}-unsigned.efi		\
+		elif [ "%{-b*}%{-a*}" = "mm%{efi_alt_arch}" ] ; then		\
+			cp -av "%{mmefialt}" %{-b*}%{-a*}-unsigned.efi		\
+		elif [ "%{-b*}%{-a*}" = "fb%{efi_arch}" ] ; then		\
+			cp -av "%{fbefi}" %{-b*}%{-a*}-unsigned.efi		\
+		elif [ "%{-b*}%{-a*}" = "fb%{efi_alt_arch}" ] ; then		\
+			cp -av "%{fbefialt}" %{-b*}%{-a*}-unsigned.efi		\
+		fi								\
+	else									\
+		cp -av %{-d*}/%{-b*}%{-a*}.efi %{-b*}%{-a*}-unsigned.efi	\
+	fi									\
+	%{expand:%%sign -i %{-b*}%{-a*}-unsigned.efi -o %{-b*}%{-a*}-signed.efi -n centossecureboot201 -a %{SOURCE2} -c %{SOURCE1} } \
+	%{nil}
+
+# -a <efiarch>
+# -A <EFIARCH>
+# -b <1|0> # signed by this builder?
+# -c <1|0> # signed by UEFI CA?
+# -i <shimARCH.efi>
+# -d /usr/share dir for this build (full path)
+%define define_build(a:A:b:c:i:d:)					\
+if [ "%{-c*}" = "yes-temporarily-disabled-20180723" ]; then		\
+	%{expand:%%hash -i %{-i*} -a %{-a*} -d %{-d*}}			\
+fi									\
+cp %{-i*} shim%{-a*}.efi						\
+if [ "%{-b*}" = "yes" ] ; then						\
+	%{expand:%%distrosign -b shim -a %{-a*} -d %{-d*}}		\
+	mv shim%{-a*}-signed.efi shim%{-a*}-%{efi_vendor}.efi		\
+fi									\
+if [ "%{-c*}" = "no" ] ||						\
+   [ 0%{?_unsigned_test_build:%{_unsigned_test_build}} -ne 0 ] ; then	\
+	cp shim%{-a*}-%{efi_vendor}.efi shim%{-a*}.efi			\
+fi									\
+%{expand:%%distrosign -b mm -a %{-a*} -d %{-d*}}			\
+mv mm%{-a*}-signed.efi mm%{-a*}.efi					\
+%{expand:%%distrosign -b fb -a %{-a*} -d %{-d*}}			\
+mv fb%{-a*}-signed.efi fb%{-a*}.efi					\
+rm -vf									\\\
+	mm%{-a*}-unsigned.efi						\\\
+	fb%{-a*}-unsigned.efi						\\\
+	shim%{-a*}-unsigned.efi						\
+%{nil}
+
+# -a <efiarch>
+# -A <EFIARCH>
+# -b <BOOTCSV>
+%define do_install(a:A:b:)						\
+install -m 0700 shim%{-a*}.efi						\\\
+	$RPM_BUILD_ROOT%{efi_esp_dir}/shim%{-a*}.efi			\
+install -m 0700 shim%{-a*}-%{efi_vendor}.efi				\\\
+	$RPM_BUILD_ROOT%{efi_esp_dir}/shim%{-a*}-%{efi_vendor}.efi	\
+install -m 0700 mm%{-a*}.efi						\\\
+	$RPM_BUILD_ROOT%{efi_esp_dir}/mm%{-a*}.efi			\
+install -m 0700 %{-b*}							\\\
+	$RPM_BUILD_ROOT%{efi_esp_dir}/BOOT%{-A*}.CSV			\
+install -m 0700 shim%{-a*}.efi						\\\
+	$RPM_BUILD_ROOT%{efi_esp_boot}/BOOT%{-A*}.EFI			\
+install -m 0700 fb%{-a*}.efi						\\\
+	$RPM_BUILD_ROOT%{efi_esp_boot}/fb%{-a*}.efi			\
+%nil
+
+# -a <efiarch>
+# -A <EFIARCH>
+%define define_files(a:A:)						\
+%{expand:%%files -n shim-%{-a*}}					\
+%%verify(not mtime) %{efi_esp_dir}/*%{-a*}*.efi				\
+%%verify(not mtime) %{efi_esp_dir}/BOOT%{-A*}.CSV			\
+%%verify(not mtime) %{efi_esp_boot}/*%{-a*}.efi				\
+%%verify(not mtime) %{efi_esp_boot}/*%{-A*}.EFI				\
+%{nil}
+
+%ifarch x86_64
+%global is_signed yes
+%global is_alt_signed no
+%global provide_legacy_shim 1
+%endif
+%ifarch aarch64
+%global is_signed no
+%global is_alt_signed no
+%global provide_legacy_shim 1
+%endif
+%ifnarch x86_64 aarch64
+%global is_signed no
+%global is_alt_signed no
+%global provide_legacy_shim 0
+%endif
+
+%if ! 0%{?vendor:1}
+%global vendor nopenopenope
+%endif
+
+# vim:filetype=rpmmacros

shim.spec

@@ -0,0 +1,114 @@
+Name:		shim
+Version:	15.8
+Release:	5%{?dist}
+Summary:	First-stage UEFI bootloader
+License:	BSD
+URL:		https://github.com/rhboot/shim/
+BuildRequires:	efi-filesystem
+BuildRequires:	efi-srpm-macros >= 6
+
+ExclusiveArch:	%{efi}
+# and we don't have shim-unsigned-arm builds *yet*
+ExcludeArch:	%{arm} %{ix86}
+
+Source0:	shim.rpmmacros
+Source1:	centossecureboot201.cer
+Source2:	centossecurebootca2.cer
+Source5:	shim.conf
+
+# keep these two lists of sources synched up arch-wise.  That is 0 and 10
+# match, 1 and 11 match, ...
+Source10:	BOOTAA64.CSV
+Source20:	shimaa64.efi
+Source30:	mmaa64.efi
+Source40:	fbaa64.efi
+Source12:	BOOTX64.CSV
+Source22:	shimx64.efi
+Source32:	mmx64.efi
+Source42:	fbx64.efi
+#Source13:	BOOTARM.CSV
+#Source23:	shimarm.efi
+#Source33:	mmarm.efi
+#Source43:	fbarm.efi
+
+%include %{SOURCE0}
+
+BuildRequires:	pesign >= 0.112-20.fc27
+# Right now we're just including all of the parts from them as sources here
+# to make the build+errata process less maddening.  We do this because
+# %%{efi} won't expand before choosing where to make the src.rpm in koji,
+# and we could be on a non-efi architecture, in which case we won't have a
+# valid expansion here...
+#%% ifarch x86_64
+#BuildRequires:	%% {unsignedx64} = %% {shimverx64}
+#%% endif
+#%% ifarch aarch64
+#BuildRequires:	%% {unsignedaa64} = %% {shimveraa64}
+#%% endif
+#%%ifarch arm
+#BuildRequires:	%%{unsignedarm} = %%{shimverarm}
+#%%endif
+
+%description
+Initial UEFI bootloader that handles chaining to a trusted full bootloader
+under secure boot environments. This package contains the version signed by
+the UEFI signing service.
+
+%define_pkg -a %{efi_arch} -p 1
+%if %{efi_has_alt_arch}
+%define_pkg -a %{efi_alt_arch}
+%endif
+
+%prep
+cd %{_builddir}
+rm -rf shim-%{version}
+mkdir shim-%{version}
+
+%build
+export PS4='${LINENO}: '
+
+cd shim-%{version}
+%if %{efi_has_alt_arch}
+%define_build -a %{efi_alt_arch} -A %{efi_alt_arch_upper} -i %{shimefialt} -b yes -c %{is_alt_signed} -d %{shimdiralt}
+%endif
+# Temporarily using _sourcedir to avoid build dep annoyances.
+%define_build -a %{efi_arch} -A %{efi_arch_upper} -i %{shimefi} -b yes -c %{is_signed} -d %{_sourcedir}
+
+%install
+rm -rf $RPM_BUILD_ROOT
+cd shim-%{version}
+install -D -d -m 0755 $RPM_BUILD_ROOT/boot/
+install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_root}/
+install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_efi}/
+install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_dir}/
+install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_boot}/
+
+%do_install -a %{efi_arch} -A %{efi_arch_upper} -b %{bootcsv}
+%if %{efi_has_alt_arch}
+%do_install -a %{efi_alt_arch} -A %{efi_alt_arch_upper} -b %{bootcsvalt}
+%endif
+
+%if %{provide_legacy_shim}
+install -m 0700 %{shimefi} $RPM_BUILD_ROOT%{efi_esp_dir}/shim.efi
+%endif
+install -D -d -m 0755 $RPM_BUILD_ROOT%{_sysconfdir}/dnf/protected.d/
+install -m 0644 %{SOURCE5} $RPM_BUILD_ROOT%{_sysconfdir}/dnf/protected.d/
+
+( cd $RPM_BUILD_ROOT ; find .%{efi_esp_root} -type f ) \
+  | sed -e 's/\./\^/' -e 's,^\\\./,.*/,' -e 's,$,$,' > %{__brp_mangle_shebangs_exclude_from_file}
+
+%define_files -a %{efi_arch} -A %{efi_arch_upper}
+%if %{efi_has_alt_arch}
+%define_files -a %{efi_alt_arch} -A %{efi_alt_arch_upper}
+%endif
+%{_sysconfdir}/dnf/protected.d/shim.conf
+
+%if %{provide_legacy_shim}
+%verify(not mtime) %{efi_esp_dir}/shim.efi
+%endif
+
+%changelog
+* Wed Jul 2 2025 Nicolas Frayer <nfrayer@redhat.com> - 15.8-5
+- First build for Centos Stream 10
+- Resolves: #RHEL-45014
+

sources

@@ -0,0 +1,8 @@
+SHA512 (shimx64.efi) = b4dc7ff94feec631d63e496b72d9ea333179204407ba91399d7c5e2c762172a3ab91001604727641ac5b0eaf79fa350d981b05c101c523897987e12b494b03cd
+SHA512 (fbx64.efi) = 1bbf117734d042d92e331a9e619b0f48a7da1016c5fbc3ec5461247e9bb599df200b98ad9ffe82300550f884e8e3b2457763c7f3fd9cf142fbef76aa3b10d0a5
+SHA512 (mmx64.efi) = caabd963f6a8a05bbb48f0298c683d1f97d3fe4bc68eee4521b2e8bc2c5cdb6ef405b7188031b8ff250b7a1ddafbdc5da241ac30545bfabca42ee2bc45507499
+SHA512 (BOOTX64.CSV) = 16936301ec1b098022aac2428d31a4849a585e047493a64916427a235287b8d81bc285b0371a270e77ed476b71c741b8d7e7158986b167c3d6bb982705764e16
+SHA512 (BOOTAA64.CSV) = 1c1bac8c2627b704e8b091d2e0c81d55a8bd7420450fe429e20efe8830fa377fdf48c51c2e658e3d0ecee491845bf5cc696ba848669dc26d23687ed5fe5efa76
+SHA512 (fbaa64.efi) = 5816080369a5fa47bed503b1fad4c31d35c88be2fc2a3c513c6bae7159bc95d989dfe3cb773fd6a452360040b6035689179bf29c5d68cc912d7272c7472c7d5d
+SHA512 (mmaa64.efi) = c422b693831aee23bdf4224a6996edad9c6a91ebc66eeb9bc1bc5d98942a963fad2db077d0804d2b3382b483c7d39a0fb37987214810b4e14d193a97c3c2debe
+SHA512 (shimaa64.efi) = 8ded3a96b6b02afb39e5df829913c1536afb1e711239f5f58620d4dec622a722725cdd8764830da0a93acce7f9741f6e9235a67254da12e240dc3ff032c536fb