commit 54a7b7a1fbba6e41b0eeeec7aa0b916e6a656127 Author: MSVSphere Packaging Team Date: Tue Nov 26 19:18:38 2024 +0300 import shim-15.8-4.el9_3 diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..adbd4d4 --- /dev/null +++ b/.gitignore @@ -0,0 +1,9 @@ +SOURCES/BOOTX64.CSV +SOURCES/fbaa64.efi +SOURCES/fbx64.efi +SOURCES/mmaa64.efi +SOURCES/mmx64.efi +SOURCES/redhatsecureboot501.cer +SOURCES/redhatsecurebootca5.cer +SOURCES/shimaa64.efi +SOURCES/shimx64.efi diff --git a/.shim.metadata b/.shim.metadata new file mode 100644 index 0000000..553f2d9 --- /dev/null +++ b/.shim.metadata @@ -0,0 +1,9 @@ +6801abf1c4d54f15f869470c99e480433940407a SOURCES/BOOTX64.CSV +62b636517840e4f3027a3ecd549b7b3a95b05795 SOURCES/fbaa64.efi +9f6113ea26646fa3322c531e43c7522802bb3ecf SOURCES/fbx64.efi +211c4c134f7e1375f4618daa1e4858dd4259444a SOURCES/mmaa64.efi +933fe1154b024bfdab69346e78eaf4778fc2b76d SOURCES/mmx64.efi +ba0b760e594ff668ee72ae348adf3e49b97f75fb SOURCES/redhatsecureboot501.cer +e6f506462069aa17d2e8610503635c20f3a995c3 SOURCES/redhatsecurebootca5.cer +9c8bae2617420ba18ca6b6ac061a5bae6beb0040 SOURCES/shimaa64.efi +51bb003a7527b85e31fed0db68254a504c559dad SOURCES/shimx64.efi diff --git a/SOURCES/BOOTAA64.CSV b/SOURCES/BOOTAA64.CSV new file mode 100644 index 0000000..2dad06e Binary files /dev/null and b/SOURCES/BOOTAA64.CSV differ diff --git a/SOURCES/shim.rpmmacros b/SOURCES/shim.rpmmacros new file mode 100644 index 0000000..ccd0a92 --- /dev/null +++ b/SOURCES/shim.rpmmacros @@ -0,0 +1,201 @@ +%global debug_package %{nil} +%global __brp_mangle_shebangs_exclude_from_file %{expand:%{_builddir}/shim-%{efi_arch}-%{version}-%{release}.%{_target_cpu}-shebangs.txt} +%global vendor_token_str %{expand:%%{nil}%%{?vendor_token_name:-t "%{vendor_token_name}"}} +%global vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}} + +%global grub_version 2.06-27.el9_0.12 + +%global bootcsvaa64 %{expand:%{SOURCE10}} +%global bootcsvx64 %{expand:%{SOURCE12}} +#%%global bootcsvarm %%{expand:%%{SOURCE13}} + +%global shimefiaa64 %{expand:%{SOURCE20}} +%global shimefix64 %{expand:%{SOURCE22}} +#%%global shimefiarm %%{expand:%%{SOURCE23} + +%global fbefiaa64 %{expand:%{SOURCE30}} +%global fbefix64 %{expand:%{SOURCE32}} +#%%global fbefiarm %%{expand:%%{SOURCE33} + +%global mmefiaa64 %{expand:%{SOURCE40}} +%global mmefix64 %{expand:%{SOURCE42}} +#%%global mmefiarm %%{expand:%%{SOURCE43} + +%global shimveraa64 15.8-2.el9 +%global shimverx64 15.8-2.el9 +#%%global shimverarm 15-1.el8 + +%global shimdiraa64 %{_datadir}/shim/%{shimveraa64}/aa64 +%global shimdirx64 %{_datadir}/shim/%{shimverx64}/x64 +#%%global shimdirarm %%{_datadir}/shim/%%{shimverarm}/arm + +%global unsignedaa64 shim-unsigned-aarch64 +%global unsignedx64 shim-unsigned-x64 +#%%global unsignedarm shim-unsigned-arm + +%global bootcsv %{expand:%{bootcsv%{efi_arch}}} +%global bootcsvalt %{expand:%{bootcsv%{?efi_alt_arch}}} +%global shimefi %{expand:%{shimefi%{efi_arch}}} +%global shimefialt %{expand:%{shimefi%{?efi_alt_arch}}} +%global shimver %{expand:%{shimver%{efi_arch}}} +%global shimveralt %{expand:%{shimver%{?efi_alt_arch}}} +%global shimdir %{expand:%{shimdir%{efi_arch}}} +%global shimdiralt %{expand:%{shimdir%{?efi_alt_arch}}} +%global fbefi %{expand:%{fbefi%{efi_arch}}} +%global fbefialt %{expand:%{fbefi%{?efi_alt_arch}}} +%global mmefi %{expand:%{mmefi%{efi_arch}}} +%global mmefialt %{expand:%{mmefi%{?efi_alt_arch}}} + +%global unsignednone shim-unsigned-none +%global unsigned %{expand:%%{unsigned%{efi_arch}}} +%global unsignedalt %{expand:%%{unsigned%{efi_alt_arch}}} + +%define define_pkg(a:p:) \ +%{expand:%%package -n shim-%{-a*}} \ +Summary: First-stage UEFI bootloader \ +Requires: mokutil >= 1:0.3.0-1 \ +Requires: efi-filesystem \ +Provides: shim-signed-%{-a*} = %{version}-%{release} \ +Requires: dbxtool >= 0.6-3 \ +Conflicts: grub2-efi-%{-a*} < %{grub_version} \ +%{expand:%%if 0%%{-p*} \ +Provides: shim = %{version}-%{release} \ +Provides: shim-signed = %{version}-%{release} \ +Obsoletes: shim-signed < %{version}-%{release} \ +Obsoletes: shim < %{version}-%{release} \ +%%endif} \ +# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI \ +# is not compatible with SysV (there's no red zone under UEFI) and \ +# there isn't a POSIX-style C library. \ +# BuildRequires: OpenSSL \ +Provides: bundled(openssl) = 1.0.2j \ + \ +%{expand:%%description -n shim-%{-a*}} \ +Initial UEFI bootloader that handles chaining to a trusted full \ +bootloader under secure boot environments. This package contains the \ +version signed by the UEFI signing service. \ +%{nil} + +# -a +# -i +%define hash(a:i:d:) \ + if [ 0%{?_unsigned_test_build:%{_unsigned_test_build}} -ne 0 ] ; then \ + pesign -i %{-i*} -h -P > shim.hash \ + read file0 hash0 < shim.hash \ + read file1 hash1 < %{-d*}/shim%{-a*}.hash \ + if ! [ "$hash0" = "$hash1" ] ; then \ + echo Invalid signature\! > /dev/stderr \ + echo $hash0 vs $hash1 \ + exit 1 \ + fi \ + fi \ + %{nil} + +# -i +# -o +%define sign(i:o:n:a:c:) \ + %{expand:%%pesign -s -i %{-i*} -o %{-o*} %{-n} %{-n*} %{-a} %{-a*} %{-c} %{-c*}} \ + %{nil} + +# -b +# -a +# -i +%define distrosign(b:a:d:) \ + if [ 0%{?_unsigned_test_build:%{_unsigned_test_build}} -ne 0 ] ; then \ + if [ "%{-b*}%{-a*}" = "shim%{efi_arch}" ] ; then \ + cp -av "%{shimefi}" %{-b*}%{-a*}-unsigned.efi \ + elif [ "%{-b*}%{-a*}" = "shim%{efi_alt_arch}" ] ; then \ + cp -av "%{shimefialt}" %{-b*}%{-a*}-unsigned.efi \ + elif [ "%{-b*}%{-a*}" = "mm%{efi_arch}" ] ; then \ + cp -av "%{mmefi}" %{-b*}%{-a*}-unsigned.efi \ + elif [ "%{-b*}%{-a*}" = "mm%{efi_alt_arch}" ] ; then \ + cp -av "%{mmefialt}" %{-b*}%{-a*}-unsigned.efi \ + elif [ "%{-b*}%{-a*}" = "fb%{efi_arch}" ] ; then \ + cp -av "%{fbefi}" %{-b*}%{-a*}-unsigned.efi \ + elif [ "%{-b*}%{-a*}" = "fb%{efi_alt_arch}" ] ; then \ + cp -av "%{fbefialt}" %{-b*}%{-a*}-unsigned.efi \ + fi \ + else \ + cp -av %{-d*}/%{-b*}%{-a*}.efi %{-b*}%{-a*}-unsigned.efi \ + fi \ + %{expand:%%sign -i %{-b*}%{-a*}-unsigned.efi -o %{-b*}%{-a*}-signed.efi -n redhatsecureboot501 -a %{SOURCE2} -c %{SOURCE1} } \ + %{nil} + +# -a +# -A +# -b <1|0> # signed by this builder? +# -c <1|0> # signed by UEFI CA? +# -i +# -d /usr/share dir for this build (full path) +%define define_build(a:A:b:c:i:d:) \ +if [ "%{-c*}" = "yes-temporarily-disabled-20180723" ]; then \ + %{expand:%%hash -i %{-i*} -a %{-a*} -d %{-d*}} \ +fi \ +cp %{-i*} shim%{-a*}.efi \ +if [ "%{-b*}" = "yes" ] ; then \ + %{expand:%%distrosign -b shim -a %{-a*} -d %{-d*}} \ + mv shim%{-a*}-signed.efi shim%{-a*}-%{efi_vendor}.efi \ +fi \ +if [ "%{-c*}" = "no" ] || \ + [ 0%{?_unsigned_test_build:%{_unsigned_test_build}} -ne 0 ] ; then \ + cp shim%{-a*}-%{efi_vendor}.efi shim%{-a*}.efi \ +fi \ +%{expand:%%distrosign -b mm -a %{-a*} -d %{-d*}} \ +mv mm%{-a*}-signed.efi mm%{-a*}.efi \ +%{expand:%%distrosign -b fb -a %{-a*} -d %{-d*}} \ +mv fb%{-a*}-signed.efi fb%{-a*}.efi \ +rm -vf \\\ + mm%{-a*}-unsigned.efi \\\ + fb%{-a*}-unsigned.efi \\\ + shim%{-a*}-unsigned.efi \ +%{nil} + +# -a +# -A +# -b +%define do_install(a:A:b:) \ +install -m 0700 shim%{-a*}.efi \\\ + $RPM_BUILD_ROOT%{efi_esp_dir}/shim%{-a*}.efi \ +install -m 0700 shim%{-a*}-%{efi_vendor}.efi \\\ + $RPM_BUILD_ROOT%{efi_esp_dir}/shim%{-a*}-%{efi_vendor}.efi \ +install -m 0700 mm%{-a*}.efi \\\ + $RPM_BUILD_ROOT%{efi_esp_dir}/mm%{-a*}.efi \ +install -m 0700 %{-b*} \\\ + $RPM_BUILD_ROOT%{efi_esp_dir}/BOOT%{-A*}.CSV \ +install -m 0700 shim%{-a*}.efi \\\ + $RPM_BUILD_ROOT%{efi_esp_boot}/BOOT%{-A*}.EFI \ +install -m 0700 fb%{-a*}.efi \\\ + $RPM_BUILD_ROOT%{efi_esp_boot}/fb%{-a*}.efi \ +%nil + +# -a +# -A +%define define_files(a:A:) \ +%{expand:%%files -n shim-%{-a*}} \ +%%verify(not mtime) %{efi_esp_dir}/*%{-a*}*.efi \ +%%verify(not mtime) %{efi_esp_dir}/BOOT%{-A*}.CSV \ +%%verify(not mtime) %{efi_esp_boot}/*%{-a*}.efi \ +%%verify(not mtime) %{efi_esp_boot}/*%{-A*}.EFI \ +%{nil} + +%ifarch x86_64 +%global is_signed yes +%global is_alt_signed no +%global provide_legacy_shim 1 +%endif +%ifarch aarch64 +%global is_signed no +%global is_alt_signed no +%global provide_legacy_shim 1 +%endif +%ifnarch x86_64 aarch64 +%global is_signed no +%global is_alt_signed no +%global provide_legacy_shim 0 +%endif + +%if ! 0%{?vendor:1} +%global vendor nopenopenope +%endif + +# vim:filetype=rpmmacros diff --git a/SPECS/shim.spec b/SPECS/shim.spec new file mode 100644 index 0000000..083c01d --- /dev/null +++ b/SPECS/shim.spec @@ -0,0 +1,179 @@ +Name: shim +Version: 15.8 +Release: 4%{?dist} +Summary: First-stage UEFI bootloader +License: BSD +URL: https://github.com/rhboot/shim/ +BuildRequires: efi-filesystem +BuildRequires: efi-srpm-macros >= 6 + +ExclusiveArch: %{efi} +# and we don't have shim-unsigned-arm builds *yet* +ExcludeArch: %{arm} %{ix86} + +Source0: shim.rpmmacros +Source1: redhatsecureboot501.cer +Source2: redhatsecurebootca5.cer + +# keep these two lists of sources synched up arch-wise. That is 0 and 10 +# match, 1 and 11 match, ... +Source10: BOOTAA64.CSV +Source20: shimaa64.efi +Source30: mmaa64.efi +Source40: fbaa64.efi +Source12: BOOTX64.CSV +Source22: shimx64.efi +Source32: mmx64.efi +Source42: fbx64.efi +#Source13: BOOTARM.CSV +#Source23: shimarm.efi +#Source33: mmarm.efi +#Source43: fbarm.efi + +%include %{SOURCE0} + +BuildRequires: pesign >= 0.112-20.fc27 +# Right now we're just including all of the parts from them as sources here +# to make the build+errata process less maddening. We do this because +# %%{efi} won't expand before choosing where to make the src.rpm in koji, +# and we could be on a non-efi architecture, in which case we won't have a +# valid expansion here... +#%% ifarch x86_64 +#BuildRequires: %% {unsignedx64} = %% {shimverx64} +#%% endif +#%% ifarch aarch64 +#BuildRequires: %% {unsignedaa64} = %% {shimveraa64} +#%% endif +#%%ifarch arm +#BuildRequires: %%{unsignedarm} = %%{shimverarm} +#%%endif + +%description +Initial UEFI bootloader that handles chaining to a trusted full bootloader +under secure boot environments. This package contains the version signed by +the UEFI signing service. + +%define_pkg -a %{efi_arch} -p 1 +%if %{efi_has_alt_arch} +%define_pkg -a %{efi_alt_arch} +%endif + +%prep +cd %{_builddir} +rm -rf shim-%{version} +mkdir shim-%{version} + +%build +export PS4='${LINENO}: ' + +cd shim-%{version} +%if %{efi_has_alt_arch} +%define_build -a %{efi_alt_arch} -A %{efi_alt_arch_upper} -i %{shimefialt} -b yes -c %{is_alt_signed} -d %{shimdiralt} +%endif +# Temporarily using _sourcedir to avoid build dep annoyances. +%define_build -a %{efi_arch} -A %{efi_arch_upper} -i %{shimefi} -b yes -c %{is_signed} -d %{_sourcedir} + +%install +rm -rf $RPM_BUILD_ROOT +cd shim-%{version} +install -D -d -m 0755 $RPM_BUILD_ROOT/boot/ +install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_root}/ +install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_efi}/ +install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_dir}/ +install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_boot}/ + +%do_install -a %{efi_arch} -A %{efi_arch_upper} -b %{bootcsv} +%if %{efi_has_alt_arch} +%do_install -a %{efi_alt_arch} -A %{efi_alt_arch_upper} -b %{bootcsvalt} +%endif + +%if %{provide_legacy_shim} +install -m 0700 %{shimefi} $RPM_BUILD_ROOT%{efi_esp_dir}/shim.efi +%endif + +( cd $RPM_BUILD_ROOT ; find .%{efi_esp_root} -type f ) \ + | sed -e 's/\./\^/' -e 's,^\\\./,.*/,' -e 's,$,$,' > %{__brp_mangle_shebangs_exclude_from_file} + +%define_files -a %{efi_arch} -A %{efi_arch_upper} +%if %{efi_has_alt_arch} +%define_files -a %{efi_alt_arch} -A %{efi_alt_arch_upper} +%endif + +%if %{provide_legacy_shim} +%verify(not mtime) %{efi_esp_dir}/shim.efi +%endif + +%changelog +* Tue Nov 26 2024 MSVSphere Packaging Team - 15.8-4 +- Rebuilt for MSVSphere 10 + +* Tue Apr 16 2024 Peter Jones - 15.8-4 +- Rebuild to work around build system quirks. + Related: RHEL-11262 + +* Wed Apr 03 2024 Peter Jones - 15.8-3.el9 +- Fix rpm verification due to mtime granularity on FAT. + Related: RHEL-11262 + +* Thu Mar 21 2024 Peter Jones - 15.8-2.el9 +- Add the grub2-efi-ARCH conflict for SBAT. + Resolves: RHEL-11262 + +* Thu Mar 21 2024 Peter Jones - 15.8-1.el9 +- Update to shim-15.8 for CVE-2023-40547 + Resolves: RHEL-11262 + +* Thu Apr 14 2022 Peter Jones - 15.5-2.el9 +- Attempt to make aarch64 build. + Related: rhbz#1932057 + +* Thu Apr 14 2022 Peter Jones - 15.5-1.el9 +- Rebuild for rhel-9.0.0 + Resolves: rhbz#1932057 + +* Mon Sep 21 2020 Javier Martinez Canillas - 15-16 +- Fix an incorrect allocation size + +* Fri Jul 31 2020 Peter Jones - 15-15 +- Update once again for new signed shim builds. + +* Tue Jul 28 2020 Peter Jones - 15-14 +- Get rid of our %%dist hack for now. + +* Tue Jul 28 2020 Peter Jones - 15-13 +- New signing keys + +* Thu Jun 11 2020 Javier Martinez Canillas - 15-12 +- Fix firmware update bug in aarch64 caused by shim ignoring arguments +- Fix a shim crash when attempting to netboot + +* Fri Jun 07 2019 Javier Martinez Canillas - 15-11 +- Update the shim-unsigned-aarch64 version number + +* Fri Jun 07 2019 Javier Martinez Canillas - 15-10 +- Add a gating.yaml file so the package can be properly gated + +* Wed Jun 05 2019 Javier Martinez Canillas - 15-9 +- Bump the NVR + +* Wed Jun 05 2019 Javier Martinez Canillas - 15-7 +- Make EFI variable copying fatal only on secureboot enabled systems +- Fix booting shim from an EFI shell using a relative path + +* Thu Mar 14 2019 Peter Jones - 15-6 +- Fix MoK mirroring issue which breaks kdump without intervention + +* Thu Jan 24 2019 Peter Jones - 15-5 +- Rebuild for signing once again. If the signer actually works, then: + +* Tue Oct 16 2018 Peter Jones - 15-4 +- Rebuild for signing + +* Mon Aug 13 2018 Troy Dawson +- Release Bumped for el8 Mass Rebuild + +* Sat Aug 11 2018 Troy Dawson +- Release Bumped for el8+8 Mass Rebuild + +* Mon Jul 23 2018 Peter Jones - 15-1 +- Build for RHEL 8