%global debug_package %{nil} %global __brp_mangle_shebangs_exclude_from_file %{expand:%{_builddir}/shim-%{efi_arch}-%{version}-%{release}.%{_target_cpu}-shebangs.txt} %global vendor_token_str %{expand:%%{nil}%%{?vendor_token_name:-t "%{vendor_token_name}"}} %global vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}} %global bootcsvaa64 %{expand:%{SOURCE10}} %global bootcsvx64 %{expand:%{SOURCE12}} #%%global bootcsvarm %%{expand:%%{SOURCE13}} %global shimefiaa64 %{expand:%{SOURCE20}} %global shimefix64 %{expand:%{SOURCE22}} #%%global shimefiarm %%{expand:%%{SOURCE23} %global fbefiaa64 %{expand:%{SOURCE30}} %global fbefix64 %{expand:%{SOURCE32}} #%%global fbefiarm %%{expand:%%{SOURCE33} %global mmefiaa64 %{expand:%{SOURCE40}} %global mmefix64 %{expand:%{SOURCE42}} #%%global mmefiarm %%{expand:%%{SOURCE43} %global shimveraa64 15.8-2.el9.alma.1 %global shimverx64 15.8-2.el9.alma.1 #%%global shimverarm 15-1.el8 %global shimdiraa64 %{_datadir}/shim/%{shimveraa64}/aa64 %global shimdirx64 %{_datadir}/shim/%{shimverx64}/x64 #%%global shimdirarm %%{_datadir}/shim/%%{shimverarm}/arm %global unsignedaa64 shim-unsigned-aarch64 %global unsignedx64 shim-unsigned-x64 #%%global unsignedarm shim-unsigned-arm %global bootcsv %{expand:%{bootcsv%{efi_arch}}} %global bootcsvalt %{expand:%{bootcsv%{?efi_alt_arch}}} %global shimefi %{expand:%{shimefi%{efi_arch}}} %global shimefialt %{expand:%{shimefi%{?efi_alt_arch}}} %global shimver %{expand:%{shimver%{efi_arch}}} %global shimveralt %{expand:%{shimver%{?efi_alt_arch}}} %global shimdir %{expand:%{shimdir%{efi_arch}}} %global shimdiralt %{expand:%{shimdir%{?efi_alt_arch}}} %global fbefi %{expand:%{fbefi%{efi_arch}}} %global fbefialt %{expand:%{fbefi%{?efi_alt_arch}}} %global mmefi %{expand:%{mmefi%{efi_arch}}} %global mmefialt %{expand:%{mmefi%{?efi_alt_arch}}} %global unsignednone shim-unsigned-none %global unsigned %{expand:%%{unsigned%{efi_arch}}} %global unsignedalt %{expand:%%{unsigned%{efi_alt_arch}}} %define define_pkg(a:p:) \ %{expand:%%package -n shim-%{-a*}} \ Summary: First-stage UEFI bootloader \ Requires: mokutil >= 1:0.3.0-1 \ Requires: efi-filesystem \ Provides: shim-signed-%{-a*} = %{version}-%{release} \ Requires: dbxtool >= 0.6-3 \ %{expand:%%if 0%%{-p*} \ Provides: shim = %{version}-%{release} \ Provides: shim-signed = %{version}-%{release} \ Obsoletes: shim-signed < %{version}-%{release} \ Obsoletes: shim < %{version}-%{release} \ %%endif} \ # Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI \ # is not compatible with SysV (there's no red zone under UEFI) and \ # there isn't a POSIX-style C library. \ # BuildRequires: OpenSSL \ Provides: bundled(openssl) = 1.0.2j \ \ %{expand:%%description -n shim-%{-a*}} \ Initial UEFI bootloader that handles chaining to a trusted full \ bootloader under secure boot environments. This package contains the \ version signed by the UEFI signing service. \ %{nil} # -a # -i %define hash(a:i:d:) \ if [ 0%{?_unsigned_test_build:%{_unsigned_test_build}} -ne 0 ] ; then \ pesign -i %{-i*} -h -P > shim.hash \ read file0 hash0 < shim.hash \ read file1 hash1 < %{-d*}/shim%{-a*}.hash \ if ! [ "$hash0" = "$hash1" ] ; then \ echo Invalid signature\! > /dev/stderr \ echo $hash0 vs $hash1 \ exit 1 \ fi \ fi \ %{nil} # -i # -o %define sign(i:o:n:a:c:) \ %{expand:%%pesign -s -i %{-i*} -o %{-o*} %{-n} %{-n*} %{-a} %{-a*} %{-c} %{-c*}} \ %{nil} # -b # -a # -i %define distrosign(b:a:d:) \ if [ 0%{?_unsigned_test_build:%{_unsigned_test_build}} -ne 0 ] ; then \ if [ "%{-b*}%{-a*}" = "shim%{efi_arch}" ] ; then \ cp -av "%{shimefi}" %{-b*}%{-a*}-unsigned.efi \ elif [ "%{-b*}%{-a*}" = "shim%{efi_alt_arch}" ] ; then \ cp -av "%{shimefialt}" %{-b*}%{-a*}-unsigned.efi \ elif [ "%{-b*}%{-a*}" = "mm%{efi_arch}" ] ; then \ cp -av "%{mmefi}" %{-b*}%{-a*}-unsigned.efi \ elif [ "%{-b*}%{-a*}" = "mm%{efi_alt_arch}" ] ; then \ cp -av "%{mmefialt}" %{-b*}%{-a*}-unsigned.efi \ elif [ "%{-b*}%{-a*}" = "fb%{efi_arch}" ] ; then \ cp -av "%{fbefi}" %{-b*}%{-a*}-unsigned.efi \ elif [ "%{-b*}%{-a*}" = "fb%{efi_alt_arch}" ] ; then \ cp -av "%{fbefialt}" %{-b*}%{-a*}-unsigned.efi \ fi \ else \ cp -av %{-d*}/%{-b*}%{-a*}.efi %{-b*}%{-a*}-unsigned.efi \ fi \ %{expand:%%sign -i %{-b*}%{-a*}-unsigned.efi -o %{-b*}%{-a*}-signed.efi -n redhatsecureboot501 -a %{SOURCE2} -c %{SOURCE1} } \ %{nil} # -a # -A # -b <1|0> # signed by this builder? # -c <1|0> # signed by UEFI CA? # -i # -d /usr/share dir for this build (full path) %define define_build(a:A:b:c:i:d:) \ if [ "%{-c*}" = "yes-temporarily-disabled-20180723" ]; then \ %{expand:%%hash -i %{-i*} -a %{-a*} -d %{-d*}} \ fi \ cp %{-i*} shim%{-a*}.efi \ if [ "%{-b*}" = "yes" ] ; then \ %{expand:%%distrosign -b shim -a %{-a*} -d %{-d*}} \ mv shim%{-a*}-signed.efi shim%{-a*}-%{efi_vendor}.efi \ fi \ if [ "%{-c*}" = "no" ] || \ [ 0%{?_unsigned_test_build:%{_unsigned_test_build}} -ne 0 ] ; then \ cp shim%{-a*}-%{efi_vendor}.efi shim%{-a*}.efi \ fi \ %{expand:%%distrosign -b mm -a %{-a*} -d %{-d*}} \ mv mm%{-a*}-signed.efi mm%{-a*}.efi \ %{expand:%%distrosign -b fb -a %{-a*} -d %{-d*}} \ mv fb%{-a*}-signed.efi fb%{-a*}.efi \ rm -vf \\\ mm%{-a*}-unsigned.efi \\\ fb%{-a*}-unsigned.efi \\\ shim%{-a*}-unsigned.efi \ %{nil} # -a # -A # -b %define do_install(a:A:b:) \ install -m 0700 shim%{-a*}.efi \\\ $RPM_BUILD_ROOT%{efi_esp_dir}/shim%{-a*}.efi \ install -m 0700 shim%{-a*}-%{efi_vendor}.efi \\\ $RPM_BUILD_ROOT%{efi_esp_dir}/shim%{-a*}-%{efi_vendor}.efi \ install -m 0700 mm%{-a*}.efi \\\ $RPM_BUILD_ROOT%{efi_esp_dir}/mm%{-a*}.efi \ install -m 0700 %{-b*} \\\ $RPM_BUILD_ROOT%{efi_esp_dir}/BOOT%{-A*}.CSV \ install -m 0700 shim%{-a*}.efi \\\ $RPM_BUILD_ROOT%{efi_esp_boot}/BOOT%{-A*}.EFI \ install -m 0700 fb%{-a*}.efi \\\ $RPM_BUILD_ROOT%{efi_esp_boot}/fb%{-a*}.efi \ %nil # -a # -A %define define_files(a:A:) \ %{expand:%%files -n shim-%{-a*}} \ %%verify(not mtime) %{efi_esp_dir}/*%{-a*}*.efi \ %%verify(not mtime) %{efi_esp_dir}/BOOT%{-A*}.CSV \ %%verify(not mtime) %{efi_esp_boot}/*%{-a*}.efi \ %%verify(not mtime) %{efi_esp_boot}/*%{-A*}.EFI \ %{nil} %ifarch %{x86_64} %global is_signed yes %global is_alt_signed no %global provide_legacy_shim 1 %endif %ifarch aarch64 %global is_signed yes %global is_alt_signed no %global provide_legacy_shim 1 %endif %ifnarch %{x86_64} aarch64 %global is_signed no %global is_alt_signed no %global provide_legacy_shim 0 %endif %if ! 0%{?vendor:1} %global vendor nopenopenope %endif # vim:filetype=rpmmacros