From fb159d8237a418a4cdb2b723236f05a963fbe86f Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Thu, 16 Jun 2022 09:19:17 -0400 Subject: [PATCH] import shim-unsigned-x64-15.6-1.el9 --- .gitignore | 1 + .shim-unsigned-x64.metadata | 1 + SOURCES/redhatsecurebootca5.cer | Bin 0 -> 920 bytes SOURCES/sbat.redhat.csv | 1 + SOURCES/shim-find-debuginfo.sh | 95 ++++++++++++ SOURCES/shim.patches | 0 SPECS/shim-unsigned-x64.spec | 257 ++++++++++++++++++++++++++++++++ 7 files changed, 355 insertions(+) create mode 100644 .gitignore create mode 100644 .shim-unsigned-x64.metadata create mode 100644 SOURCES/redhatsecurebootca5.cer create mode 100644 SOURCES/sbat.redhat.csv create mode 100755 SOURCES/shim-find-debuginfo.sh create mode 100644 SOURCES/shim.patches create mode 100644 SPECS/shim-unsigned-x64.spec diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..6b84d7a --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/shim-15.6.tar.bz2 diff --git a/.shim-unsigned-x64.metadata b/.shim-unsigned-x64.metadata new file mode 100644 index 0000000..b5fa713 --- /dev/null +++ b/.shim-unsigned-x64.metadata @@ -0,0 +1 @@ +3df0ab5cefc74fdf865cb36aea0e923cb4b6b3ed SOURCES/shim-15.6.tar.bz2 diff --git a/SOURCES/redhatsecurebootca5.cer b/SOURCES/redhatsecurebootca5.cer new file mode 100644 index 0000000000000000000000000000000000000000..dfb0284954861282d1a0ce16c8c5cdc71c27659f GIT binary patch literal 920 zcmXqLVxD5q#8k6@nTe5!iIbtZm{+@~;bN2lFB_*;n@8JsUPeZ4RtAH3LoovpHs(+k zE*{>X)D#7e#1b6^&%9(kLq!95kT^4s1XNrhI5oMnC{@8JKfgr5*-^pNP{}|6ZW6NxP$#b?ru1p1aqn$3D)YB{Qqo zjCvjz?|=HkE#3AN-xTZpws*U~)f@DZ{t~uwMZy8<;F%jD%$u6!n#qYzp^Sryh{C;x9qf@!N=T4ui@b#({ zSD&^p3kNZ=9lAQ9%xdfP9doNToV+k2^LHOFD{5oE&78StJa^8n7$i2k94PWc<&xr*# z`sciS&XK#@>h!OC8{=mczNLHbADCJ+pE=-CsaDOF#s}?5Q)1qq&%R~#cz>QmiAiVx zk5XXYstAL9d+iK-w@u$FESybMIPOFY~9lmn~9nUf%vMc88@((p0B(#qL+!COmt7`j5IhPVzo{cRPw} Pd!}BnFF!b8N6JS4>O*3Z literal 0 HcmV?d00001 diff --git a/SOURCES/sbat.redhat.csv b/SOURCES/sbat.redhat.csv new file mode 100644 index 0000000..2135543 --- /dev/null +++ b/SOURCES/sbat.redhat.csv @@ -0,0 +1 @@ +shim.redhat,1,Red Hat Inc,shim,15.5,secalert@redhat.com diff --git a/SOURCES/shim-find-debuginfo.sh b/SOURCES/shim-find-debuginfo.sh new file mode 100755 index 0000000..d656fc9 --- /dev/null +++ b/SOURCES/shim-find-debuginfo.sh @@ -0,0 +1,95 @@ +#!/bin/bash +# +# shim-find-debuginfo.sh +# Copyright (C) 2017 Peter Jones +# +# Distributed under terms of the GPLv3 license. +# +set -e +set -u + +mainarch=$1 && shift +if [ $# == 1 ]; then + altarch=$1 && shift +fi +if ! [ -v RPM_BUILD_ROOT ]; then + echo "RPM_BUILD_ROOT must be set" 1>&2 + exit 1 +fi + +findsource() +{ + ( + cd "${RPM_BUILD_ROOT}" + find usr/src/debug/ -type d | sed -e "s,^,%dir /," | sort -u | tac + find usr/src/debug/ -type f | sed -e "s,^,/," | sort -u | tac + ) +} + +finddebug() +{ + arch=$1 && shift + declare -a dirs=() + declare -a files=() + declare -a excludes=() + declare -a tmp=() + + pushd "${RPM_BUILD_ROOT}" >/dev/null 2>&1 + + mapfile -t tmp < <(find usr/lib/debug/ -type f -iname "*.efi.debug") + for x in "${tmp[@]}" ; do + if ! [ -e "${x}" ]; then + break + fi + if [[ ${x} =~ ${arch}\.efi\.debug$ ]]; then + files[${#files[@]}]=${x} + else + excludes[${#excludes[@]}]=${x} + fi + done + for x in usr/lib/debug/.build-id/*/*.debug ; do + if ! [ -e "${x}" ]; then + break + fi + link=$(readlink "${x}") + if [[ ${link} =~ ${arch}\.efi\.debug$ ]]; then + files[${#files[@]}]=${x} + files[${#files[@]}]=${x%%.debug} + else + excludes[${#excludes[@]}]=${x} + excludes[${#excludes[@]}]=${x%%.debug} + fi + done + for x in "${files[@]}" ; do + declare name + + name=$(dirname "/${x}") + while [ "${name}" != "/" ]; do + case "${name}" in + "/usr/lib/debug"|"/usr/lib"|"/usr") + ;; + *) + dirs[${#dirs[@]}]=${name} + ;; + esac + name=$(dirname "${name}") + done + done + + popd >/dev/null 2>&1 + for x in "${dirs[@]}" ; do + echo "%dir ${x}" + done | sort | uniq + for x in "${files[@]}" ; do + echo "/${x}" + done | sort | uniq + for x in "${excludes[@]}" ; do + echo "%exclude /${x}" + done +} + +findsource > "build-${mainarch}/debugsource.list" +finddebug "${mainarch}" > "build-${mainarch}/debugfiles.list" +if [ -v altarch ]; then + finddebug "${altarch}" > "build-${altarch}/debugfiles.list" +fi diff --git a/SOURCES/shim.patches b/SOURCES/shim.patches new file mode 100644 index 0000000..e69de29 diff --git a/SPECS/shim-unsigned-x64.spec b/SPECS/shim-unsigned-x64.spec new file mode 100644 index 0000000..6064d69 --- /dev/null +++ b/SPECS/shim-unsigned-x64.spec @@ -0,0 +1,257 @@ +%global pesign_vre 0.106-1 +%global openssl_vre 1.0.2j + +%global efidir %(eval echo $(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/')) +%global shimrootdir %{_datadir}/shim/ +%global shimversiondir %{shimrootdir}/%{version}-%{release} +%global efiarch x64 +%global shimdir %{shimversiondir}/%{efiarch} +%global efialtarch ia32 +%global shimaltdir %{shimversiondir}/%{efialtarch} + +%global debug_package %{nil} +%global __debug_package 1 +%global _binaries_in_noarch_packages_terminate_build 0 +%global __debug_install_post %{SOURCE100} %{efiarch} %{efialtarch} +%undefine _debuginfo_subpackages + +# currently here's what's in our dbx: nothing +%global dbxfile %{nil} + +Name: shim-unsigned-%{efiarch} +Version: 15.6 +Release: 1.el9 +Summary: First-stage UEFI bootloader +ExclusiveArch: x86_64 +License: BSD +URL: https://github.com/rhboot/shim +Source0: https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2 +Source1: redhatsecurebootca5.cer +%if 0%{?dbxfile} +Source2: %{dbxfile} +%endif +Source3: sbat.redhat.csv +Source4: shim.patches + +Source100: shim-find-debuginfo.sh + +%include %{SOURCE4} + +BuildRequires: gcc make +BuildRequires: elfutils-libelf-devel +BuildRequires: git openssl-devel openssl +BuildRequires: pesign >= %{pesign_vre} +BuildRequires: dos2unix findutils + +# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not +# compatible with SysV (there's no red zone under UEFI) and there isn't a +# POSIX-style C library. +# BuildRequires: OpenSSL +Provides: bundled(openssl) = %{openssl_vre} + +%global desc \ +Initial UEFI bootloader that handles chaining to a trusted full \ +bootloader under secure boot environments. +%global debug_desc \ +This package provides debug information for package %{expand:%%{name}} \ +Debug information is useful when developing applications that \ +use this package or when debugging this package. + +%description +%desc + +%package -n shim-unsigned-%{efialtarch} +Summary: First-stage UEFI bootloader (unsigned data) +Provides: bundled(openssl) = %{openssl_vre} + +%description -n shim-unsigned-%{efialtarch} +%desc + +%package debuginfo +Summary: Debug information for shim-unsigned-%{efiarch} +Group: Development/Debug +AutoReqProv: 0 +BuildArch: noarch + +%description debuginfo +%debug_desc + +%package -n shim-unsigned-%{efialtarch}-debuginfo +Summary: Debug information for shim-unsigned-%{efialtarch} +Group: Development/Debug +AutoReqProv: 0 +BuildArch: noarch + +%description -n shim-unsigned-%{efialtarch}-debuginfo +%debug_desc + +%package debugsource +Summary: Debug Source for shim-unsigned +Group: Development/Debug +AutoReqProv: 0 +BuildArch: noarch + +%description debugsource +%debug_desc + +%prep +%autosetup -S git_am -n shim-%{version} +git config --unset user.email +git config --unset user.name +mkdir build-%{efiarch} +mkdir build-%{efialtarch} +cp %{SOURCE3} data/ + +%build +COMMITID=$(cat commit) +MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} " +MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} " +MAKEFLAGS+="ENABLE_SHIM_HASH=true " +MAKEFLAGS+="%{_smp_mflags}" +if [ -f "%{SOURCE1}" ]; then + MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}" +fi +%if 0%{?dbxfile} +if [ -f "%{SOURCE2}" ]; then + MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}" +fi +%endif + +cd build-%{efiarch} +make ${MAKEFLAGS} \ + DEFAULT_LOADER='\\\\grub%{efiarch}.efi' \ + all +cd .. + +%install +COMMITID=$(cat commit) +MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} " +MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} " +MAKEFLAGS+="ENABLE_SHIM_HASH=true " +if [ -f "%{SOURCE1}" ]; then + MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}" +fi +%if 0%{?dbxfile} +if [ -f "%{SOURCE2}" ]; then + MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}" +fi +%endif + +cd build-%{efiarch} +make ${MAKEFLAGS} \ + DEFAULT_LOADER='\\\\grub%{efiarch}.efi' \ + DESTDIR=${RPM_BUILD_ROOT} \ + install-as-data install-debuginfo install-debugsource +cd .. + +%files +%license COPYRIGHT +%dir %{shimrootdir} +%dir %{shimversiondir} +%dir %{shimdir} +%{shimdir}/*.efi +%{shimdir}/*.hash +%{shimdir}/*.CSV + +%files debuginfo -f build-%{efiarch}/debugfiles.list + +%files debugsource -f build-%{efiarch}/debugsource.list + +%changelog +* Wed Jun 01 2022 Peter Jones - 15.6-1.el9 +- Update to shim-15.6 + Resolves: CVE-2022-28737 + +* Wed Mar 09 2022 Peter Jones - 15.5-1 +- Update to shim-15.5 + Related: rhbz#1932057 + +* Thu Apr 01 2021 Peter Jones - 15.4-4 +- Fix the sbat data to actually match /this/ product. + Resolves: CVE-2020-14372 + Resolves: CVE-2020-25632 + Resolves: CVE-2020-25647 + Resolves: CVE-2020-27749 + Resolves: CVE-2020-27779 + Resolves: CVE-2021-20225 + Resolves: CVE-2021-20233 + +* Wed Mar 31 2021 Peter Jones - 15.4-3 +- Build with the correct certificate trust list for this OS. + Resolves: CVE-2020-14372 + Resolves: CVE-2020-25632 + Resolves: CVE-2020-25647 + Resolves: CVE-2020-27749 + Resolves: CVE-2020-27779 + Resolves: CVE-2021-20225 + Resolves: CVE-2021-20233 + +* Wed Mar 31 2021 Peter Jones - 15.4-2 +- Fix the ia32 build. + Resolves: CVE-2020-14372 + Resolves: CVE-2020-25632 + Resolves: CVE-2020-25647 + Resolves: CVE-2020-27749 + Resolves: CVE-2020-27779 + Resolves: CVE-2021-20225 + Resolves: CVE-2021-20233 + +* Tue Mar 30 2021 Peter Jones - 15.4-1 +- Update to shim 15.4 + - Support for revocations via the ".sbat" section and SBAT EFI variable + - A new unit test framework and a bunch of unit tests + - No external gnu-efi dependency + - Better CI + Resolves: CVE-2020-14372 + Resolves: CVE-2020-25632 + Resolves: CVE-2020-25647 + Resolves: CVE-2020-27749 + Resolves: CVE-2020-27779 + Resolves: CVE-2021-20225 + Resolves: CVE-2021-20233 + +* Wed Mar 24 2021 Peter Jones - 15.3-0~1 +- Update to shim 15.3 + - Support for revocations via the ".sbat" section and SBAT EFI variable + - A new unit test framework and a bunch of unit tests + - No external gnu-efi dependency + - Better CI + Resolves: CVE-2020-14372 + Resolves: CVE-2020-25632 + Resolves: CVE-2020-25647 + Resolves: CVE-2020-27749 + Resolves: CVE-2020-27779 + Resolves: CVE-2021-20225 + Resolves: CVE-2021-20233 + +* Wed Jun 05 2019 Javier Martinez Canillas - 15-3 +- Make EFI variable copying fatal only on secureboot enabled systems + Resolves: rhbz#1715878 +- Fix booting shim from an EFI shell using a relative path + Resolves: rhbz#1717064 + +* Tue Feb 12 2019 Peter Jones - 15-2 +- Fix MoK mirroring issue which breaks kdump without intervention + Related: rhbz#1668966 + +* Thu Apr 05 2018 Peter Jones - 15-1 +- Update to shim 15 +- better checking for bad linker output +- flicker-free console if there's no error output +- improved http boot support +- better protocol re-installation +- dhcp proxy support +- tpm measurement even when verification is disabled +- REQUIRE_TPM build flag +- more reproducable builds +- measurement of everything verified through shim_verify() +- coverity and scan-build checker make targets +- misc cleanups + +* Fri Feb 09 2018 Fedora Release Engineering - 13-0.2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Fri Aug 18 2017 Peter Jones - 13-0.1 +- Make a new shim-unsigned-x64 package like the shim-unsigned-aarch64 one. +- This will (eventually) supersede what's in the "shim" package so we can + make "shim" hold the signed one, which will confuse fewer people.