Compare commits

...

No commits in common. "15.6-aligned" and "c8" have entirely different histories.

8 changed files with 30 additions and 54 deletions

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/shim-15.tar.bz2 SOURCES/shim-15.8.tar.bz2

View File

@ -1 +1 @@
3df0ab5cefc74fdf865cb36aea0e923cb4b6b3ed SOURCES/shim-15.6.tar.bz2 cdec924ca437a4509dcb178396996ddf92c11183 SOURCES/shim-15.8.tar.bz2

View File

@ -1,33 +0,0 @@
From c7b305152802c8db688605654f75e1195def9fd6 Mon Sep 17 00:00:00 2001
From: Nicholas Bishop <nicholasbishop@google.com>
Date: Mon, 19 Dec 2022 18:56:13 -0500
Subject: [PATCH] pe: Align section size up to page size for mem attrs
Setting memory attributes is generally done at page granularity, and
this is enforced by checks in `get_mem_attrs` and
`update_mem_attrs`. But unlike the section address, the section size
isn't necessarily aligned to 4KiB. Round up the section size to fix
this.
Signed-off-by: Nicholas Bishop <nicholasbishop@google.com>
---
pe.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/pe.c b/pe.c
index 9a3679e16..5ad0914ba 100644
--- a/pe.c
+++ b/pe.c
@@ -1372,7 +1372,11 @@ handle_image (void *data, unsigned int datasize,
+ Section->Misc.VirtualSize - 1);
addr = (uintptr_t)base;
- length = (uintptr_t)end - (uintptr_t)base + 1;
+ // Align the length up to PAGE_SIZE. This is required because
+ // platforms generally set memory attributes at page
+ // granularity, but the section length (unlike the section
+ // address) is not required to be aligned.
+ length = ALIGN_VALUE((uintptr_t)end - (uintptr_t)base + 1, PAGE_SIZE);
if (Section->Characteristics & EFI_IMAGE_SCN_MEM_WRITE) {
set_attrs |= MEM_ATTR_W;

Binary file not shown.

1
SOURCES/sbat.redhat.csv Normal file
View File

@ -0,0 +1 @@
shim.redhat,3,Red Hat Inc,shim,15.8,secalert@redhat.com
1 shim.redhat 3 Red Hat Inc shim 15.8 secalert@redhat.com

BIN
SOURCES/securebootca.cer Normal file

Binary file not shown.

0
SOURCES/shim.patches Normal file
View File

View File

@ -8,35 +8,36 @@
%global __debug_install_post %{SOURCE100} aa64 %global __debug_install_post %{SOURCE100} aa64
%undefine _debuginfo_subpackages %undefine _debuginfo_subpackages
%global efidir almalinux %global efidir %(eval echo $(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/'))
%global shimrootdir %{_datadir}/shim/ %global shimrootdir %{_datadir}/shim/
%global shimversiondir %{shimrootdir}/%{version}-%{release} %global shimversiondir %{shimrootdir}/%{version}-%{release}
%global efiarch aa64 %global efiarch aa64
%global shimdir %{shimversiondir}/%{efiarch} %global shimdir %{shimversiondir}/%{efiarch}
Name: shim-unsigned-aarch64 Name: shim-unsigned-aarch64
Version: 15.6 Version: 15.8
Release: 1%{?dist}.alma Release: 2.el8
Summary: First-stage UEFI bootloader Summary: First-stage UEFI bootloader
ExclusiveArch: aarch64 ExclusiveArch: aarch64
License: BSD License: BSD
URL: https://github.com/rhboot/shim URL: https://github.com/rhboot/shim
Source0: https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2 Source0: https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2
Source1: clsecureboot001.cer Source1: securebootca.cer
# currently here's what's in our dbx: # currently here's what's in our dbx:
# nothing. # nothing.
Source2: dbx.esl Source2: dbx.esl
Source3: sbat.redhat.csv
Source4: shim.patches
Source100: shim-find-debuginfo.sh Source100: shim-find-debuginfo.sh
Patch0012: 0012-pe-align-section-size.patch %include %{SOURCE4}
BuildRequires: gcc make BuildRequires: gcc make
BuildRequires: elfutils-libelf-devel BuildRequires: elfutils-libelf-devel
BuildRequires: git openssl-devel openssl BuildRequires: git openssl-devel openssl
BuildRequires: pesign >= %{pesign_vre} BuildRequires: pesign >= %{pesign_vre}
BuildRequires: gnu-efi >= %{gnuefi_vre} BuildRequires: dos2unix findutils
BuildRequires: gnu-efi-devel >= %{gnuefi_vre}
# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not # Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
# compatible with SysV (there's no red zone under UEFI) and there isn't a # compatible with SysV (there's no red zone under UEFI) and there isn't a
@ -81,10 +82,11 @@ git config --unset user.name
mkdir build-%{efiarch} mkdir build-%{efiarch}
%build %build
COMMITID=$(cat commit) COMMIT_ID=5914984a1ffeab841f482c791426d7ca9935a5e6
MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} " MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMIT_ID} "
MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} " MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true " MAKEFLAGS+="ENABLE_SHIM_HASH=true "
MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 "
MAKEFLAGS+="%{_smp_mflags}" MAKEFLAGS+="%{_smp_mflags}"
if [ -f "%{SOURCE1}" ]; then if [ -f "%{SOURCE1}" ]; then
MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1} " MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1} "
@ -98,10 +100,11 @@ make ${MAKEFLAGS} DEFAULT_LOADER='\\\\grub%{efiarch}.efi' all
cd .. cd ..
%install %install
COMMITID=$(cat commit) COMMIT_ID=5914984a1ffeab841f482c791426d7ca9935a5e6
MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} " MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMIT_ID} "
MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} " MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true " MAKEFLAGS+="ENABLE_SHIM_HASH=true "
MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 "
if [ -f "%{SOURCE1}" ]; then if [ -f "%{SOURCE1}" ]; then
MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1} " MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1} "
fi fi
@ -130,8 +133,13 @@ cd ..
%files debugsource -f build-%{efiarch}/debugsource.list %files debugsource -f build-%{efiarch}/debugsource.list
%changelog %changelog
* Thu May 19 2022 Eduard Abdullin <eabdullin@almalinux.org> - 15-6.alma * Wed Feb 07 2024 Peter Jones <pjones@redhat.com> - 15.8-2.el8
- Use AlmaLinux cert - Rebuild to fix the commit ident and MAKEFLAGS
Resolves: RHEL-11259
* Tue Dec 05 2023 Peter Jones <pjones@redhat.com> - 15.8-1.el8
- Update to shim-15.8 for CVE-2023-40547
Resolves: RHEL-11259
* Tue May 26 2020 Javier Martinez Canillas <javierm@redhat.com> - 15-6 * Tue May 26 2020 Javier Martinez Canillas <javierm@redhat.com> - 15-6
- Fix a shim crash when attempting to netboot - Fix a shim crash when attempting to netboot