1
0
forked from rpms/shim

Compare commits

...

No commits in common. "c9s" and "c8" have entirely different histories.
c9s ... c8

4 changed files with 442 additions and 0 deletions

14
.gitignore vendored
View File

@ -0,0 +1,14 @@
SOURCES/BOOTAA64.CSV
SOURCES/BOOTIA32.CSV
SOURCES/BOOTX64.CSV
SOURCES/fbaa64.efi
SOURCES/fbia32.efi
SOURCES/fbx64.efi
SOURCES/mmaa64.efi
SOURCES/mmia32.efi
SOURCES/mmx64.efi
SOURCES/redhatsecureboot501.cer
SOURCES/redhatsecurebootca5.cer
SOURCES/shimaa64.efi
SOURCES/shimia32.efi
SOURCES/shimx64.efi

14
.shim.metadata Normal file
View File

@ -0,0 +1,14 @@
fe978419c312c0c415d52befb4f6561e2d9556a7 SOURCES/BOOTAA64.CSV
9650b41c0227b343478d03f4d7fcd6c8d3744440 SOURCES/BOOTIA32.CSV
6801abf1c4d54f15f869470c99e480433940407a SOURCES/BOOTX64.CSV
317f45115504f1ba56f0113dc217460e3c26cf82 SOURCES/fbaa64.efi
4fd02a6b3ec5dc58fcba1a3d8dec69e0cb86f5d5 SOURCES/fbia32.efi
b26bb4ed41e96d6e2b2471dc5d50f0f2c88ff884 SOURCES/fbx64.efi
b2e0f92dba676facda778be739e2959f5e51c077 SOURCES/mmaa64.efi
e8316a74f06a29385eeb7fd734f582e60dc7a2a4 SOURCES/mmia32.efi
77f25d23c6b0bb2f79a47d574f8af5ffe91e2466 SOURCES/mmx64.efi
ba0b760e594ff668ee72ae348adf3e49b97f75fb SOURCES/redhatsecureboot501.cer
e6f506462069aa17d2e8610503635c20f3a995c3 SOURCES/redhatsecurebootca5.cer
750bd7932437b1fb6610c233f69db1b70d67fab1 SOURCES/shimaa64.efi
0cd6ef62726de2f1321bfe6b70f47b788ac38666 SOURCES/shimia32.efi
86855303a18b978cf90d6c244bfe30897f449996 SOURCES/shimx64.efi

208
SOURCES/shim.rpmmacros Normal file
View File

@ -0,0 +1,208 @@
%global debug_package %{nil}
%global __brp_mangle_shebangs_exclude_from_file %{expand:%{_builddir}/shim-%{efi_arch}-%{version}-%{release}.%{_target_cpu}-shebangs.txt}
%global vendor_token_str %{expand:%%{nil}%%{?vendor_token_name:-t "%{vendor_token_name}"}}
%global vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}}
%global grub_version 2.02-87.el8_1.11
%global bootcsvaa64 %{expand:%{SOURCE10}}
%global bootcsvia32 %{expand:%{SOURCE11}}
%global bootcsvx64 %{expand:%{SOURCE12}}
#%%global bootcsvarm %%{expand:%%{SOURCE13}}
%global shimefiaa64 %{expand:%{SOURCE20}}
%global shimefiia32 %{expand:%{SOURCE21}}
%global shimefix64 %{expand:%{SOURCE22}}
#%%global shimefiarm %%{expand:%%{SOURCE23}
%global fbefiaa64 %{expand:%{SOURCE30}}
%global fbefiia32 %{expand:%{SOURCE31}}
%global fbefix64 %{expand:%{SOURCE32}}
#%%global fbefiarm %%{expand:%%{SOURCE33}
%global mmefiaa64 %{expand:%{SOURCE40}}
%global mmefiia32 %{expand:%{SOURCE41}}
%global mmefix64 %{expand:%{SOURCE42}}
#%%global mmefiarm %%{expand:%%{SOURCE43}
%global shimveraa64 15-7.el8_1
%global shimveria32 15.8-2.el8
%global shimverx64 15.8-2.el8
#%%global shimverarm 15-1.el8
%global shimdiraa64 %{_datadir}/shim/%{shimveraa64}/aa64
%global shimdiria32 %{_datadir}/shim/%{shimveria32}/ia32
%global shimdirx64 %{_datadir}/shim/%{shimverx64}/x64
#%%global shimdirarm %%{_datadir}/shim/%%{shimverarm}/arm
%global unsignedaa64 shim-unsigned-aarch64
%global unsignedia32 shim-unsigned-ia32
%global unsignedx64 shim-unsigned-x64
#%%global unsignedarm shim-unsigned-arm
%global bootcsv %{expand:%{bootcsv%{efi_arch}}}
%global bootcsvalt %{expand:%{bootcsv%{?efi_alt_arch}}}
%global shimefi %{expand:%{shimefi%{efi_arch}}}
%global shimefialt %{expand:%{shimefi%{?efi_alt_arch}}}
%global shimver %{expand:%{shimver%{efi_arch}}}
%global shimveralt %{expand:%{shimver%{?efi_alt_arch}}}
%global shimdir %{expand:%{shimdir%{efi_arch}}}
%global shimdiralt %{expand:%{shimdir%{?efi_alt_arch}}}
%global fbefi %{expand:%{fbefi%{efi_arch}}}
%global fbefialt %{expand:%{fbefi%{?efi_alt_arch}}}
%global mmefi %{expand:%{mmefi%{efi_arch}}}
%global mmefialt %{expand:%{mmefi%{?efi_alt_arch}}}
%global unsignednone shim-unsigned-none
%global unsigned %{expand:%%{unsigned%{efi_arch}}}
%global unsignedalt %{expand:%%{unsigned%{efi_alt_arch}}}
%define define_pkg(a:p:) \
%{expand:%%package -n shim-%{-a*}} \
Summary: First-stage UEFI bootloader \
Requires: mokutil >= 1:0.3.0-1 \
Requires: efi-filesystem \
Provides: shim-signed-%{-a*} = %{version}-%{release} \
Requires: dbxtool >= 0.6-3 \
Conflicts: grub2-efi-%{-a*} < %{grub_version} \
%{expand:%%if 0%%{-p*} \
Provides: shim = %{version}-%{release} \
Provides: shim-signed = %{version}-%{release} \
Obsoletes: shim-signed < %{version}-%{release} \
Obsoletes: shim < %{version}-%{release} \
%%endif} \
# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI \
# is not compatible with SysV (there's no red zone under UEFI) and \
# there isn't a POSIX-style C library. \
# BuildRequires: OpenSSL \
Provides: bundled(openssl) = 1.0.2j \
\
%{expand:%%description -n shim-%{-a*}} \
Initial UEFI bootloader that handles chaining to a trusted full \
bootloader under secure boot environments. This package contains the \
version signed by the UEFI signing service. \
%{nil}
# -a <efiarch>
# -i <input>
%define hash(a:i:d:) \
if [ 0%{?_unsigned_test_build:%{_unsigned_test_build}} -ne 0 ] ; then \
pesign -i %{-i*} -h -P > shim.hash \
read file0 hash0 < shim.hash \
read file1 hash1 < %{-d*}/shim%{-a*}.hash \
if ! [ "$hash0" = "$hash1" ] ; then \
echo Invalid signature\! > /dev/stderr \
echo $hash0 vs $hash1 \
exit 1 \
fi \
fi \
%{nil}
# -i <input>
# -o <output>
%define sign(i:o:n:a:c:) \
%{expand:%%pesign -s -i %{-i*} -o %{-o*} %{-n} %{-n*} %{-a} %{-a*} %{-c} %{-c*}} \
%{nil}
# -b <binary prefix>
# -a <efiarch>
# -i <input>
%define distrosign(b:a:d:) \
if [ 0%{?_unsigned_test_build:%{_unsigned_test_build}} -ne 0 ] ; then \
if [ "%{-b*}%{-a*}" = "shim%{efi_arch}" ] ; then \
cp -av "%{shimefi}" %{-b*}%{-a*}-unsigned.efi \
elif [ "%{-b*}%{-a*}" = "shim%{efi_alt_arch}" ] ; then \
cp -av "%{shimefialt}" %{-b*}%{-a*}-unsigned.efi \
elif [ "%{-b*}%{-a*}" = "mm%{efi_arch}" ] ; then \
cp -av "%{mmefi}" %{-b*}%{-a*}-unsigned.efi \
elif [ "%{-b*}%{-a*}" = "mm%{efi_alt_arch}" ] ; then \
cp -av "%{mmefialt}" %{-b*}%{-a*}-unsigned.efi \
elif [ "%{-b*}%{-a*}" = "fb%{efi_arch}" ] ; then \
cp -av "%{fbefi}" %{-b*}%{-a*}-unsigned.efi \
elif [ "%{-b*}%{-a*}" = "fb%{efi_alt_arch}" ] ; then \
cp -av "%{fbefialt}" %{-b*}%{-a*}-unsigned.efi \
fi \
else \
cp -av %{-d*}/%{-b*}%{-a*}.efi %{-b*}%{-a*}-unsigned.efi \
fi \
%{expand:%%sign -i %{-b*}%{-a*}-unsigned.efi -o %{-b*}%{-a*}-signed.efi -n redhatsecureboot501 -a %{SOURCE2} -c %{SOURCE1} } \
%{nil}
# -a <efiarch>
# -A <EFIARCH>
# -b <1|0> # signed by this builder?
# -c <1|0> # signed by UEFI CA?
# -i <shimARCH.efi>
# -d /usr/share dir for this build (full path)
%define define_build(a:A:b:c:i:d:) \
if [ "%{-c*}" = "yes-temporarily-disabled-20180723" ]; then \
%{expand:%%hash -i %{-i*} -a %{-a*} -d %{-d*}} \
fi \
cp %{-i*} shim%{-a*}.efi \
if [ "%{-b*}" = "yes" ] ; then \
%{expand:%%distrosign -b shim -a %{-a*} -d %{-d*}} \
mv shim%{-a*}-signed.efi shim%{-a*}-%{efi_vendor}.efi \
fi \
if [ "%{-c*}" = "no" ] || \
[ 0%{?_unsigned_test_build:%{_unsigned_test_build}} -ne 0 ] ; then \
cp shim%{-a*}-%{efi_vendor}.efi shim%{-a*}.efi \
fi \
%{expand:%%distrosign -b mm -a %{-a*} -d %{-d*}} \
mv mm%{-a*}-signed.efi mm%{-a*}.efi \
%{expand:%%distrosign -b fb -a %{-a*} -d %{-d*}} \
mv fb%{-a*}-signed.efi fb%{-a*}.efi \
rm -vf \\\
mm%{-a*}-unsigned.efi \\\
fb%{-a*}-unsigned.efi \\\
shim%{-a*}-unsigned.efi \
%{nil}
# -a <efiarch>
# -A <EFIARCH>
# -b <BOOTCSV>
%define do_install(a:A:b:) \
install -m 0700 shim%{-a*}.efi \\\
$RPM_BUILD_ROOT%{efi_esp_dir}/shim%{-a*}.efi \
install -m 0700 shim%{-a*}-%{efi_vendor}.efi \\\
$RPM_BUILD_ROOT%{efi_esp_dir}/shim%{-a*}-%{efi_vendor}.efi \
install -m 0700 mm%{-a*}.efi \\\
$RPM_BUILD_ROOT%{efi_esp_dir}/mm%{-a*}.efi \
install -m 0700 %{-b*} \\\
$RPM_BUILD_ROOT%{efi_esp_dir}/BOOT%{-A*}.CSV \
install -m 0700 shim%{-a*}.efi \\\
$RPM_BUILD_ROOT%{efi_esp_boot}/BOOT%{-A*}.EFI \
install -m 0700 fb%{-a*}.efi \\\
$RPM_BUILD_ROOT%{efi_esp_boot}/fb%{-a*}.efi \
%nil
# -a <efiarch>
# -A <EFIARCH>
%define define_files(a:A:) \
%{expand:%%files -n shim-%{-a*}} \
%%verify(not mtime) %{efi_esp_dir}/*%{-a*}*.efi \
%%verify(not mtime) %{efi_esp_dir}/BOOT%{-A*}.CSV \
%%verify(not mtime) %{efi_esp_boot}/*%{-a*}.efi \
%%verify(not mtime) %{efi_esp_boot}/*%{-A*}.EFI \
%{nil}
%ifarch x86_64
%global is_signed yes
%global is_alt_signed yes
%global provide_legacy_shim 1
%endif
%ifarch aarch64
%global is_signed no
%global is_alt_signed no
%global provide_legacy_shim 1
%endif
%ifnarch x86_64 aarch64
%global is_signed no
%global is_alt_signed no
%global provide_legacy_shim 0
%endif
%if ! 0%{?vendor:1}
%global vendor nopenopenope
%endif
# vim:filetype=rpmmacros

206
SPECS/shim.spec Normal file
View File

@ -0,0 +1,206 @@
Name: shim
Version: 15.8
Release: 4%{?dist}
Summary: First-stage UEFI bootloader
License: BSD
URL: https://github.com/rhboot/shim/
BuildRequires: efi-filesystem
BuildRequires: efi-srpm-macros >= 3-2
ExclusiveArch: %{efi}
# but we don't build a .i686 package, just a shim-ia32.x86_64 package
ExcludeArch: %{ix86}
# and we don't have shim-unsigned-arm builds *yet*
ExcludeArch: %{arm}
Source0: shim.rpmmacros
Source1: redhatsecureboot501.cer
Source2: redhatsecurebootca5.cer
# keep these two lists of sources synched up arch-wise. That is 0 and 10
# match, 1 and 11 match, ...
Source10: BOOTAA64.CSV
Source20: shimaa64.efi
Source30: mmaa64.efi
Source40: fbaa64.efi
Source11: BOOTIA32.CSV
Source21: shimia32.efi
Source31: mmia32.efi
Source41: fbia32.efi
Source12: BOOTX64.CSV
Source22: shimx64.efi
Source32: mmx64.efi
Source42: fbx64.efi
#Source13: BOOTARM.CSV
#Source23: shimarm.efi
#Source33: mmarm.efi
#Source43: fbarm.efi
%include %{SOURCE0}
BuildRequires: pesign >= 0.112-20.fc27
# Right now we're just including all of the parts from them as sources here
# to make the build+errata process less maddening. We do this because
# %%{efi} won't expand before choosing where to make the src.rpm in koji,
# and we could be on a non-efi architecture, in which case we won't have a
# valid expansion here...
# %% ifarch x86_64
# BuildRequires: %% {unsignedx64} = %% {shimverx64}
# BuildRequires: %% {unsignedia32} = %% {shimveria32}
# %% endif
# %% ifarch aarch64
# BuildRequires: %% {unsignedaa64} = %% {shimveraa64}
# %% endif
#%%ifarch arm
#BuildRequires: %%{unsignedarm} = %%{shimverarm}
#%%endif
%description
Initial UEFI bootloader that handles chaining to a trusted full bootloader
under secure boot environments. This package contains the version signed by
the UEFI signing service.
%define_pkg -a %{efi_arch} -p 1
%if %{efi_has_alt_arch}
%define_pkg -a %{efi_alt_arch}
%endif
%prep
cd %{_builddir}
rm -rf shim-%{version}
mkdir shim-%{version}
%build
export PS4='${LINENO}: '
cd shim-%{version}
# Temporarily using _sourcedir to avoid build dep annoyances.
%if %{efi_has_alt_arch}
%define_build -a %{efi_alt_arch} -A %{efi_alt_arch_upper} -i %{shimefialt} -b yes -c %{is_alt_signed} -d %{_sourcedir}
%endif
%define_build -a %{efi_arch} -A %{efi_arch_upper} -i %{shimefi} -b yes -c %{is_signed} -d %{_sourcedir}
%install
rm -rf $RPM_BUILD_ROOT
cd shim-%{version}
install -D -d -m 0755 $RPM_BUILD_ROOT/boot/
install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_root}/
install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_efi}/
install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_dir}/
install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_boot}/
%do_install -a %{efi_arch} -A %{efi_arch_upper} -b %{bootcsv}
%if %{efi_has_alt_arch}
%do_install -a %{efi_alt_arch} -A %{efi_alt_arch_upper} -b %{bootcsvalt}
%endif
%if %{provide_legacy_shim}
install -m 0700 %{shimefi} $RPM_BUILD_ROOT%{efi_esp_dir}/shim.efi
%endif
( cd $RPM_BUILD_ROOT ; find .%{efi_esp_root} -type f ) \
| sed -e 's/\./\^/' -e 's,^\\\./,.*/,' -e 's,$,$,' > %{__brp_mangle_shebangs_exclude_from_file}
%define_files -a %{efi_arch} -A %{efi_arch_upper}
%if %{efi_has_alt_arch}
%define_files -a %{efi_alt_arch} -A %{efi_alt_arch_upper}
%endif
%if %{provide_legacy_shim}
%verify(not mtime) %{efi_esp_dir}/shim.efi
%endif
%changelog
* Tue Apr 16 2024 Peter Jones <pjones@redhat.com> - 15.8-4
- Bump the release to *-4* to work around a build system issue.
Related: RHEL-11259
* Wed Apr 10 2024 Peter Jones <pjones@redhat.com> - 15.8-3
- Bump the release to -3 to work around a build system issue.
Related: RHEL-11259
* Thu Mar 28 2024 Peter Jones <pjones@redhat.com> - 15.8-2.el8
- Fix rpm verify issue found in testing.
Related: RHEL-11259
* Thu Mar 21 2024 Peter Jones <pjones@redhat.com> - 15.8-1.el8
- Update to shim-15.8 for CVE-2023-40547
Resolves: RHEL-11259
* Wed Apr 20 2022 Peter Jones <pjones@redhat.com> - 15.5-2.el8
- Include the actual signed shim binaries.
Resolves: rhbz#1970632
Resolves: rhbz#1982071
Resolves: rhbz#2000946
Resolves: rhbz#2002265
* Tue Apr 19 2022 Peter Jones <pjones@redhat.com> - 15.5-1
- Update to shim-15.5
Resolves: rhbz#1970632
Resolves: rhbz#1982071
Resolves: rhbz#2000946
Resolves: rhbz#2002265
* Mon Sep 21 2020 Javier Martinez Canillas <javierm@redhat.com> - 15-16
- Fix an incorrect allocation size
Resolves: rhbz#1877253
* Fri Jul 31 2020 Peter Jones <pjones@redhat.com> - 15-15
- Update once again for new signed shim builds.
Resolves: rhbz#1861977
* Tue Jul 28 2020 Peter Jones <pjones@redhat.com> - 15-14
- Get rid of our %%dist hack for now.
* Tue Jul 28 2020 Peter Jones <pjones@redhat.com> - 15-13
- New signing keys
Related: CVE-2020-10713
Related: CVE-2020-14308
Related: CVE-2020-14309
Related: CVE-2020-14310
Related: CVE-2020-14311
* Thu Jun 11 2020 Javier Martinez Canillas <javierm@redhat.com> - 15-12
- Fix firmware update bug in aarch64 caused by shim ignoring arguments
Resolves: rhbz#1830871
- Fix a shim crash when attempting to netboot
Resolves: rhbz#1795654
* Fri Jun 07 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-11
- Update the shim-unsigned-aarch64 version number
Related: rhbz#1715879
* Fri Jun 07 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-10
- Add a gating.yaml file so the package can be properly gated
Related: rhbz#1681809
* Wed Jun 05 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-9
- Bump the NVR
Related: rhbz#1715879
* Wed Jun 05 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-7
- Make EFI variable copying fatal only on secureboot enabled systems
Resolves: rhbz#1715879
- Fix booting shim from an EFI shell using a relative path
Resolves: rhbz#1717061
* Thu Mar 14 2019 Peter Jones <pjones@redhat.com> - 15-6
- Fix MoK mirroring issue which breaks kdump without intervention
Resolves: rhbz#1668966
* Thu Jan 24 2019 Peter Jones <pjones@redhat.com> - 15-5
- Rebuild for signing once again. If the signer actually works, then:
Resolves: rhbz#1620941
* Tue Oct 16 2018 Peter Jones <pjones@redhat.com> - 15-4
- Rebuild for signing
Resolves: rhbz#1620941
* Mon Aug 13 2018 Troy Dawson <tdawson@redhat.com>
- Release Bumped for el8 Mass Rebuild
* Sat Aug 11 2018 Troy Dawson <tdawson@redhat.com>
- Release Bumped for el8+8 Mass Rebuild
* Mon Jul 23 2018 Peter Jones <pjones@redhat.com> - 15-1
- Build for RHEL 8