forked from rpms/shim-unsigned-aarch64
Compare commits
No commits in common. "15.6-aligned" and "c8" have entirely different histories.
15.6-align
...
c8
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
|||||||
SOURCES/shim-15.tar.bz2
|
SOURCES/shim-15.8.tar.bz2
|
||||||
|
@ -1 +1 @@
|
|||||||
3df0ab5cefc74fdf865cb36aea0e923cb4b6b3ed SOURCES/shim-15.6.tar.bz2
|
cdec924ca437a4509dcb178396996ddf92c11183 SOURCES/shim-15.8.tar.bz2
|
||||||
|
@ -1,33 +0,0 @@
|
|||||||
From c7b305152802c8db688605654f75e1195def9fd6 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Nicholas Bishop <nicholasbishop@google.com>
|
|
||||||
Date: Mon, 19 Dec 2022 18:56:13 -0500
|
|
||||||
Subject: [PATCH] pe: Align section size up to page size for mem attrs
|
|
||||||
|
|
||||||
Setting memory attributes is generally done at page granularity, and
|
|
||||||
this is enforced by checks in `get_mem_attrs` and
|
|
||||||
`update_mem_attrs`. But unlike the section address, the section size
|
|
||||||
isn't necessarily aligned to 4KiB. Round up the section size to fix
|
|
||||||
this.
|
|
||||||
|
|
||||||
Signed-off-by: Nicholas Bishop <nicholasbishop@google.com>
|
|
||||||
---
|
|
||||||
pe.c | 6 +++++-
|
|
||||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/pe.c b/pe.c
|
|
||||||
index 9a3679e16..5ad0914ba 100644
|
|
||||||
--- a/pe.c
|
|
||||||
+++ b/pe.c
|
|
||||||
@@ -1372,7 +1372,11 @@ handle_image (void *data, unsigned int datasize,
|
|
||||||
+ Section->Misc.VirtualSize - 1);
|
|
||||||
|
|
||||||
addr = (uintptr_t)base;
|
|
||||||
- length = (uintptr_t)end - (uintptr_t)base + 1;
|
|
||||||
+ // Align the length up to PAGE_SIZE. This is required because
|
|
||||||
+ // platforms generally set memory attributes at page
|
|
||||||
+ // granularity, but the section length (unlike the section
|
|
||||||
+ // address) is not required to be aligned.
|
|
||||||
+ length = ALIGN_VALUE((uintptr_t)end - (uintptr_t)base + 1, PAGE_SIZE);
|
|
||||||
|
|
||||||
if (Section->Characteristics & EFI_IMAGE_SCN_MEM_WRITE) {
|
|
||||||
set_attrs |= MEM_ATTR_W;
|
|
Binary file not shown.
1
SOURCES/sbat.redhat.csv
Normal file
1
SOURCES/sbat.redhat.csv
Normal file
@ -0,0 +1 @@
|
|||||||
|
shim.redhat,3,Red Hat Inc,shim,15.8,secalert@redhat.com
|
|
BIN
SOURCES/securebootca.cer
Normal file
BIN
SOURCES/securebootca.cer
Normal file
Binary file not shown.
0
SOURCES/shim.patches
Normal file
0
SOURCES/shim.patches
Normal file
@ -8,35 +8,36 @@
|
|||||||
%global __debug_install_post %{SOURCE100} aa64
|
%global __debug_install_post %{SOURCE100} aa64
|
||||||
%undefine _debuginfo_subpackages
|
%undefine _debuginfo_subpackages
|
||||||
|
|
||||||
%global efidir almalinux
|
%global efidir %(eval echo $(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/'))
|
||||||
%global shimrootdir %{_datadir}/shim/
|
%global shimrootdir %{_datadir}/shim/
|
||||||
%global shimversiondir %{shimrootdir}/%{version}-%{release}
|
%global shimversiondir %{shimrootdir}/%{version}-%{release}
|
||||||
%global efiarch aa64
|
%global efiarch aa64
|
||||||
%global shimdir %{shimversiondir}/%{efiarch}
|
%global shimdir %{shimversiondir}/%{efiarch}
|
||||||
|
|
||||||
Name: shim-unsigned-aarch64
|
Name: shim-unsigned-aarch64
|
||||||
Version: 15.6
|
Version: 15.8
|
||||||
Release: 1%{?dist}.alma
|
Release: 2.el8
|
||||||
Summary: First-stage UEFI bootloader
|
Summary: First-stage UEFI bootloader
|
||||||
ExclusiveArch: aarch64
|
ExclusiveArch: aarch64
|
||||||
License: BSD
|
License: BSD
|
||||||
URL: https://github.com/rhboot/shim
|
URL: https://github.com/rhboot/shim
|
||||||
Source0: https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2
|
Source0: https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2
|
||||||
Source1: clsecureboot001.cer
|
Source1: securebootca.cer
|
||||||
# currently here's what's in our dbx:
|
# currently here's what's in our dbx:
|
||||||
# nothing.
|
# nothing.
|
||||||
Source2: dbx.esl
|
Source2: dbx.esl
|
||||||
|
Source3: sbat.redhat.csv
|
||||||
|
Source4: shim.patches
|
||||||
|
|
||||||
Source100: shim-find-debuginfo.sh
|
Source100: shim-find-debuginfo.sh
|
||||||
|
|
||||||
Patch0012: 0012-pe-align-section-size.patch
|
%include %{SOURCE4}
|
||||||
|
|
||||||
BuildRequires: gcc make
|
BuildRequires: gcc make
|
||||||
BuildRequires: elfutils-libelf-devel
|
BuildRequires: elfutils-libelf-devel
|
||||||
BuildRequires: git openssl-devel openssl
|
BuildRequires: git openssl-devel openssl
|
||||||
BuildRequires: pesign >= %{pesign_vre}
|
BuildRequires: pesign >= %{pesign_vre}
|
||||||
BuildRequires: gnu-efi >= %{gnuefi_vre}
|
BuildRequires: dos2unix findutils
|
||||||
BuildRequires: gnu-efi-devel >= %{gnuefi_vre}
|
|
||||||
|
|
||||||
# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
|
# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
|
||||||
# compatible with SysV (there's no red zone under UEFI) and there isn't a
|
# compatible with SysV (there's no red zone under UEFI) and there isn't a
|
||||||
@ -81,10 +82,11 @@ git config --unset user.name
|
|||||||
mkdir build-%{efiarch}
|
mkdir build-%{efiarch}
|
||||||
|
|
||||||
%build
|
%build
|
||||||
COMMITID=$(cat commit)
|
COMMIT_ID=5914984a1ffeab841f482c791426d7ca9935a5e6
|
||||||
MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
|
MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMIT_ID} "
|
||||||
MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
|
MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
|
||||||
MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true "
|
MAKEFLAGS+="ENABLE_SHIM_HASH=true "
|
||||||
|
MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 "
|
||||||
MAKEFLAGS+="%{_smp_mflags}"
|
MAKEFLAGS+="%{_smp_mflags}"
|
||||||
if [ -f "%{SOURCE1}" ]; then
|
if [ -f "%{SOURCE1}" ]; then
|
||||||
MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1} "
|
MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1} "
|
||||||
@ -98,10 +100,11 @@ make ${MAKEFLAGS} DEFAULT_LOADER='\\\\grub%{efiarch}.efi' all
|
|||||||
cd ..
|
cd ..
|
||||||
|
|
||||||
%install
|
%install
|
||||||
COMMITID=$(cat commit)
|
COMMIT_ID=5914984a1ffeab841f482c791426d7ca9935a5e6
|
||||||
MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
|
MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMIT_ID} "
|
||||||
MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
|
MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
|
||||||
MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true "
|
MAKEFLAGS+="ENABLE_SHIM_HASH=true "
|
||||||
|
MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 "
|
||||||
if [ -f "%{SOURCE1}" ]; then
|
if [ -f "%{SOURCE1}" ]; then
|
||||||
MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1} "
|
MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1} "
|
||||||
fi
|
fi
|
||||||
@ -130,8 +133,13 @@ cd ..
|
|||||||
%files debugsource -f build-%{efiarch}/debugsource.list
|
%files debugsource -f build-%{efiarch}/debugsource.list
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Thu May 19 2022 Eduard Abdullin <eabdullin@almalinux.org> - 15-6.alma
|
* Wed Feb 07 2024 Peter Jones <pjones@redhat.com> - 15.8-2.el8
|
||||||
- Use AlmaLinux cert
|
- Rebuild to fix the commit ident and MAKEFLAGS
|
||||||
|
Resolves: RHEL-11259
|
||||||
|
|
||||||
|
* Tue Dec 05 2023 Peter Jones <pjones@redhat.com> - 15.8-1.el8
|
||||||
|
- Update to shim-15.8 for CVE-2023-40547
|
||||||
|
Resolves: RHEL-11259
|
||||||
|
|
||||||
* Tue May 26 2020 Javier Martinez Canillas <javierm@redhat.com> - 15-6
|
* Tue May 26 2020 Javier Martinez Canillas <javierm@redhat.com> - 15-6
|
||||||
- Fix a shim crash when attempting to netboot
|
- Fix a shim crash when attempting to netboot
|
||||||
|
Loading…
Reference in New Issue
Block a user