Compare commits

...

No commits in common. 'c9' and 'cs10' have entirely different histories.
c9 ... cs10

8
.gitignore vendored

@ -1,9 +1,3 @@
SOURCES/BOOTX64.CSV
SOURCES/fbaa64.efi
SOURCES/fbx64.efi
SOURCES/mmaa64.efi
SOURCES/mmx64.efi
SOURCES/redhatsecureboot501.cer
SOURCES/redhatsecurebootca5.cer
SOURCES/shimaa64.efi SOURCES/shimaa64.efi
SOURCES/shimia32.efi
SOURCES/shimx64.efi SOURCES/shimx64.efi

@ -1,9 +1,3 @@
6801abf1c4d54f15f869470c99e480433940407a SOURCES/BOOTX64.CSV fddb9c22fd56e9c6975159ad72415c9a4cb7cebd SOURCES/shimaa64.efi
62b636517840e4f3027a3ecd549b7b3a95b05795 SOURCES/fbaa64.efi 3ee82cf8f17e7aee3502757daf86b4614a8b736e SOURCES/shimia32.efi
9f6113ea26646fa3322c531e43c7522802bb3ecf SOURCES/fbx64.efi 9e2e19fa2f1d8371748d67b59f27ae9828734d03 SOURCES/shimx64.efi
211c4c134f7e1375f4618daa1e4858dd4259444a SOURCES/mmaa64.efi
933fe1154b024bfdab69346e78eaf4778fc2b76d SOURCES/mmx64.efi
ba0b760e594ff668ee72ae348adf3e49b97f75fb SOURCES/redhatsecureboot501.cer
e6f506462069aa17d2e8610503635c20f3a995c3 SOURCES/redhatsecurebootca5.cer
9c8bae2617420ba18ca6b6ac061a5bae6beb0040 SOURCES/shimaa64.efi
51bb003a7527b85e31fed0db68254a504c559dad SOURCES/shimx64.efi
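
Review bot: the mm*.efi, fb*.efi and redhatsecureboot*.cer entries are dropped from this checksum list while the spec's build macros still sign mm and fb, so say where those binaries now come from. The new side also pins shimaa64.efi and shimx64.efi to different digests and adds shimia32.efi; please state in the commit message which signed shim build each of the three digests corresponds to so they can be checked independently.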

Binary file not shown.

Binary file not shown.
1 shimia32.efi CentOS Linux This is the boot entry for CentOS Linux

Binary file not shown.
1 shimx64.efi CentOS Linux This is the boot entry for CentOS Linux

@ -0,0 +1,84 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
93:c2:04:d8:bd:77:6b:11
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=CentOS Secure Boot CA 2/emailAddress=security@centos.org
Validity
Not Before: Jun 9 10:04:20 2020 GMT
Not After : Jan 18 10:04:20 2038 GMT
Subject: CN=CentOS Secure Boot Signing 201/emailAddress=security@centos.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:9e:ef:fe:76:1c:9f:9b:3e:f2:e4:c5:29:bd:19:
32:01:59:f3:e6:99:fa:eb:b5:f8:94:0c:95:3a:65:
5e:b1:72:d0:50:3e:70:64:8a:1a:d1:f6:4d:af:6d:
57:ee:40:71:40:09:dd:30:0c:81:a1:8b:26:63:12:
07:bf:e1:d1:45:9f:9b:09:a6:57:98:9e:ef:97:e9:
bd:68:38:ea:aa:63:92:2e:0d:2f:8e:fb:be:88:40:
9b:59:e3:bc:b7:6f:e3:bb:6b:1e:6e:9e:ee:57:b8:
28:c6:d5:d6:bf:47:a6:e9:38:a9:8f:08:73:98:49:
a8:58:d2:62:73:f1:1e:44:d4:88:3d:f9:aa:43:e2:
72:2e:d7:43:3e:1d:b6:65:f6:d1:2e:ef:31:cb:9f:
5e:e3:d4:ea:3c:23:9a:07:af:f9:4a:ee:43:9a:75:
06:ed:9a:54:2c:ed:5b:ca:85:a5:10:16:cd:30:64:
ea:d5:27:7e:23:f6:fc:ec:69:a9:43:2f:78:73:6b:
33:78:8b:f8:54:db:3f:ce:95:a4:5a:04:9a:15:49:
98:cd:34:7c:c7:8c:a9:8a:32:82:ae:c0:d6:34:93:
e7:d2:54:82:45:ee:eb:54:9a:96:d4:da:4b:24:f8:
09:56:d8:cd:7f:ec:7b:f3:bd:db:9b:8c:b6:18:87:
fa:07
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage: critical
Code Signing
X509v3 Subject Key Identifier:
5D:4B:64:F2:FA:63:1E:5E:5F:DB:AA:DC:14:67:C6:6C:99:21:7A:22
X509v3 Authority Key Identifier:
keyid:70:00:7F:99:20:9C:12:6B:E1:47:74:EA:EC:7B:6D:96:31:F3:4D:CA
Signature Algorithm: sha256WithRSAEncryption
39:4b:b5:cc:37:3f:cd:db:84:0f:63:7c:c4:e4:53:fb:5e:fd:
db:12:19:23:6f:0a:50:14:fd:4f:7c:f9:87:3d:f9:6d:5b:af:
07:a5:94:34:1b:84:07:f4:f1:a0:de:cc:73:87:99:31:c3:93:
66:c0:bc:f2:0f:b2:69:65:8e:da:b9:1a:8e:ae:38:56:f3:7c:
5a:8d:29:0d:3d:ad:84:e7:86:31:a2:8e:2a:a8:f8:f8:f7:87:
32:65:5d:81:47:53:b8:40:c5:1b:a7:46:1f:b0:60:a7:b4:97:
89:51:26:3c:de:46:b9:14:d5:a0:7d:99:cc:a7:7e:ed:89:18:
02:ce:e6:07:45:49:e2:04:7d:5b:03:65:ec:e6:c3:86:0d:82:
31:24:45:51:ec:15:ad:31:83:a8:1c:6e:52:4d:b8:0f:5d:0b:
e4:7b:51:49:39:46:8a:0b:fd:0c:46:af:b4:19:65:0f:12:f1:
fc:ee:fd:6b:4f:df:9a:73:7c:e0:c8:3d:c3:d5:b5:ab:4a:86:
36:97:e8:89:fb:af:f4:f1:c2:05:5d:17:fb:b6:df:a5:0e:45:
89:db:89:99:93:ce:f0:4e:e9:9c:f4:4a:03:b0:6e:be:a2:69:
ab:b1:f3:3b:ed:c7:97:f4:0e:0a:53:27:5a:7e:70:9a:35:ea:
7a:76:d1:bc
-----BEGIN CERTIFICATE-----
MIIDjjCCAnagAwIBAgIJAJPCBNi9d2sRMA0GCSqGSIb3DQEBCwUAMEYxIDAeBgNV
BAMMF0NlbnRPUyBTZWN1cmUgQm9vdCBDQSAyMSIwIAYJKoZIhvcNAQkBFhNzZWN1
cml0eUBjZW50b3Mub3JnMB4XDTIwMDYwOTEwMDQyMFoXDTM4MDExODEwMDQyMFow
TTEnMCUGA1UEAwweQ2VudE9TIFNlY3VyZSBCb290IFNpZ25pbmcgMjAxMSIwIAYJ
KoZIhvcNAQkBFhNzZWN1cml0eUBjZW50b3Mub3JnMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAnu/+dhyfmz7y5MUpvRkyAVnz5pn667X4lAyVOmVesXLQ
UD5wZIoa0fZNr21X7kBxQAndMAyBoYsmYxIHv+HRRZ+bCaZXmJ7vl+m9aDjqqmOS
Lg0vjvu+iECbWeO8t2/ju2sebp7uV7goxtXWv0em6TipjwhzmEmoWNJic/EeRNSI
PfmqQ+JyLtdDPh22ZfbRLu8xy59e49TqPCOaB6/5Su5DmnUG7ZpULO1byoWlEBbN
MGTq1Sd+I/b87GmpQy94c2szeIv4VNs/zpWkWgSaFUmYzTR8x4ypijKCrsDWNJPn
0lSCRe7rVJqW1NpLJPgJVtjNf+x7873bm4y2GIf6BwIDAQABo3gwdjAMBgNVHRMB
Af8EAjAAMA4GA1UdDwEB/wQEAwIHgDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDAzAd
BgNVHQ4EFgQUXUtk8vpjHl5f26rcFGfGbJkheiIwHwYDVR0jBBgwFoAUcAB/mSCc
EmvhR3Tq7HttljHzTcowDQYJKoZIhvcNAQELBQADggEBADlLtcw3P83bhA9jfMTk
U/te/dsSGSNvClAU/U98+Yc9+W1brwellDQbhAf08aDezHOHmTHDk2bAvPIPsmll
jtq5Go6uOFbzfFqNKQ09rYTnhjGijiqo+Pj3hzJlXYFHU7hAxRunRh+wYKe0l4lR
JjzeRrkU1aB9mcynfu2JGALO5gdFSeIEfVsDZezmw4YNgjEkRVHsFa0xg6gcblJN
uA9dC+R7UUk5RooL/QxGr7QZZQ8S8fzu/WtP35pzfODIPcPVtatKhjaX6In7r/Tx
wgVdF/u236UORYnbiZmTzvBO6Zz0SgOwbr6iaaux8zvtx5f0DgpTJ1p+cJo16np2
0bw=
-----END CERTIFICATE-----
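
Review bot: the human-readable dump above the PEM block is not what gets parsed, so nothing keeps the Subject, Validity and extension lines in step with the encoded certificate. Please confirm that `openssl x509 -in <file> -noout -text` on the PEM reproduces the serial 93:c2:04:d8:bd:77:6b:11 and the Subject Key Identifier shown here, and record the certificate fingerprint in the commit message. The Validity block also gives this Code Signing leaf a 2048-bit RSA key valid from Jun 2020 to Jan 2038; say whether that lifetime is intentional.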

@ -0,0 +1,21 @@
-----BEGIN CERTIFICATE-----
MIIDYjCCAkqgAwIBAgIJAIlReu6IOzL7MA0GCSqGSIb3DQEBCwUAMEYxIDAeBgNV
BAMMF0NlbnRPUyBTZWN1cmUgQm9vdCBDQSAyMSIwIAYJKoZIhvcNAQkBFhNzZWN1
cml0eUBjZW50b3Mub3JnMB4XDTIwMDYwOTA4MTkzMloXDTM4MDExODA4MTkzMlow
RjEgMB4GA1UEAwwXQ2VudE9TIFNlY3VyZSBCb290IENBIDIxIjAgBgkqhkiG9w0B
CQEWE3NlY3VyaXR5QGNlbnRvcy5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQChatbNaQDV0RTCqff1tl92xI6gu1k8jYufW8FyzZ6uDnxoGpBT0LiU
WKuGjMQ89JgiApFzDYSLWrZg8NbTnVdz0hny4SMyspe5weUk6IToKXvEejZNFn6i
vae2vfT0/ASKsgIvUcz4sWHMK43vbfv/pVpYGLgoG5aNUkt7VhkeURwJzR3ODgDp
aL4bQ/7qEo8ASHCEvQx6klG330Z06O0kjS6GK12cPC1t5ZlimVXCNWP1jf0pMWmh
aBrZjbyY0j8R7Yns3cEovAM230chsVdyFxSYpqCLzMlmWNxiIlvcAoDIRMWEa7Da
SSAfJWH+ygAzad1PHlnCB0zAFbLAMJH1AgMBAAGjUzBRMB0GA1UdDgQWBBRwAH+Z
IJwSa+FHdOrse22WMfNNyjAfBgNVHSMEGDAWgBRwAH+ZIJwSa+FHdOrse22WMfNN
yjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAe5NcVSUd/POZs
Jkiep8ATNwXglLAeYxB55F42sXx5OOdKMBmhqWQIVJvaih/wsfKIBfdUGv2L9dH8
IQgiU1PRYx0baSVJno3HcQTbCqLvnvckusR7IUTDAFj774MvXwS6yV6pXzxDmuh2
t8hRktOKFeUtdlDYqg9X3Ia3GkoB5huyEbuaZTNcV4TAfU/yAERNIAgRs+fLQU70
OgGlWsp35J8qPkZKabGf0surDa2xa6iAoFyknxruoKQ8uNSB9KB7/0JvVouNx90+
ncykWW96GVKs8+H5WGza10FqrchtThSNCSXTtLbTXoK0Atdvu0o04XUbsCGMnlcG
zAVb3/m0
-----END CERTIFICATE-----
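
Review bot: this file is PEM only, unlike the signing certificate added alongside it, so the subject, validity and basic constraints of the CA cannot be reviewed from the diff. Add the same text dump or put the expected fingerprint in the commit message, and confirm its Subject Key Identifier equals the Authority Key Identifier in the signing certificate (keyid 70:00:7F:99:...:4D:CA) and that its subject is the "CentOS Secure Boot CA 2" named there as Issuer.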

@ -3,33 +3,28 @@
%global vendor_token_str %{expand:%%{nil}%%{?vendor_token_name:-t "%{vendor_token_name}"}} %global vendor_token_str %{expand:%%{nil}%%{?vendor_token_name:-t "%{vendor_token_name}"}}
%global vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}} %global vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}}
%global grub_version 2.06-27.el9_0.12
%global bootcsvaa64 %{expand:%{SOURCE10}} %global bootcsvaa64 %{expand:%{SOURCE10}}
%global bootcsvia32 %{expand:%{SOURCE11}}
%global bootcsvx64 %{expand:%{SOURCE12}} %global bootcsvx64 %{expand:%{SOURCE12}}
#%%global bootcsvarm %%{expand:%%{SOURCE13}} #%%global bootcsvarm %%{expand:%%{SOURCE13}}
%global shimefiaa64 %{expand:%{SOURCE20}} %global shimefiaa64 %{expand:%{SOURCE20}}
%global shimefiia32 %{expand:%{SOURCE21}}
%global shimefix64 %{expand:%{SOURCE22}} %global shimefix64 %{expand:%{SOURCE22}}
#%%global shimefiarm %%{expand:%%{SOURCE23} #%%global shimefiarm %%{expand:%%{SOURCE23}
%global fbefiaa64 %{expand:%{SOURCE30}} %global shimveraa64 15-4.el8
%global fbefix64 %{expand:%{SOURCE32}} %global shimveria32 15-8.el8
#%%global fbefiarm %%{expand:%%{SOURCE33} %global shimverx64 15-8.el8
%global mmefiaa64 %{expand:%{SOURCE40}}
%global mmefix64 %{expand:%{SOURCE42}}
#%%global mmefiarm %%{expand:%%{SOURCE43}
%global shimveraa64 15.8-2.el9
%global shimverx64 15.8-2.el9
#%%global shimverarm 15-1.el8 #%%global shimverarm 15-1.el8
%global shimdiraa64 %{_datadir}/shim/%{shimveraa64}/aa64 %global shimdiraa64 %{_datadir}/shim/%{shimveraa64}/aa64
%global shimdiria32 %{_datadir}/shim/%{shimveria32}/ia32
%global shimdirx64 %{_datadir}/shim/%{shimverx64}/x64 %global shimdirx64 %{_datadir}/shim/%{shimverx64}/x64
#%%global shimdirarm %%{_datadir}/shim/%%{shimverarm}/arm #%%global shimdirarm %%{_datadir}/shim/%%{shimverarm}/arm
%global unsignedaa64 shim-unsigned-aarch64 %global unsignedaa64 shim-unsigned-aarch64
%global unsignedia32 shim-unsigned-ia32
%global unsignedx64 shim-unsigned-x64 %global unsignedx64 shim-unsigned-x64
#%%global unsignedarm shim-unsigned-arm #%%global unsignedarm shim-unsigned-arm
@ -41,10 +36,6 @@
%global shimveralt %{expand:%{shimver%{?efi_alt_arch}}} %global shimveralt %{expand:%{shimver%{?efi_alt_arch}}}
%global shimdir %{expand:%{shimdir%{efi_arch}}} %global shimdir %{expand:%{shimdir%{efi_arch}}}
%global shimdiralt %{expand:%{shimdir%{?efi_alt_arch}}} %global shimdiralt %{expand:%{shimdir%{?efi_alt_arch}}}
%global fbefi %{expand:%{fbefi%{efi_arch}}}
%global fbefialt %{expand:%{fbefi%{?efi_alt_arch}}}
%global mmefi %{expand:%{mmefi%{efi_arch}}}
%global mmefialt %{expand:%{mmefi%{?efi_alt_arch}}}
%global unsignednone shim-unsigned-none %global unsignednone shim-unsigned-none
%global unsigned %{expand:%%{unsigned%{efi_arch}}} %global unsigned %{expand:%%{unsigned%{efi_arch}}}
@ -57,7 +48,6 @@ Requires: mokutil >= 1:0.3.0-1 \
Requires: efi-filesystem \ Requires: efi-filesystem \
Provides: shim-signed-%{-a*} = %{version}-%{release} \ Provides: shim-signed-%{-a*} = %{version}-%{release} \
Requires: dbxtool >= 0.6-3 \ Requires: dbxtool >= 0.6-3 \
Conflicts: grub2-efi-%{-a*} < %{grub_version} \
%{expand:%%if 0%%{-p*} \ %{expand:%%if 0%%{-p*} \
Provides: shim = %{version}-%{release} \ Provides: shim = %{version}-%{release} \
Provides: shim-signed = %{version}-%{release} \ Provides: shim-signed = %{version}-%{release} \
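
Review bot: the `Conflicts: grub2-efi-%{-a*} < %{grub_version}` line is removed from the per-arch package definition (the `grub_version` global goes with it in the first hunk of this file), and the old changelog describes that line as "Add the grub2-efi-ARCH conflict for SBAT". Without it the package manager no longer prevents this shim from being installed next to an older grub2-efi. If that is intended for this branch, say so in the commit message; otherwise keep the conflict with the grub2 version that applies here.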
@ -79,16 +69,14 @@ version signed by the UEFI signing service. \
# -a <efiarch> # -a <efiarch>
# -i <input> # -i <input>
%define hash(a:i:d:) \ %define hash(a:i:d:) \
if [ 0%{?_unsigned_test_build:%{_unsigned_test_build}} -ne 0 ] ; then \
pesign -i %{-i*} -h -P > shim.hash \ pesign -i %{-i*} -h -P > shim.hash \
read file0 hash0 < shim.hash \ read file0 hash0 < shim.hash \
read file1 hash1 < %{-d*}/shim%{-a*}.hash \ read file1 hash1 < %{-d*}/shim%{-a*}.hash \
if ! [ "$hash0" = "$hash1" ] ; then \ if ! [ "$hash0" = "$hash1" ]; then \
echo Invalid signature\! > /dev/stderr \ echo Invalid signature\! > /dev/stderr \
echo $hash0 vs $hash1 \ echo $hash0 vs $hash1 \
exit 1 \ exit 1 \
fi \ fi \
fi \
%{nil} %{nil}
# -i <input> # -i <input>
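
Review bot: in the mismatch branch of `%hash`, `echo Invalid signature\!` is sent to /dev/stderr but `echo $hash0 vs $hash1` goes to stdout with both variables unquoted. Send both lines to stderr and quote the variables so the two digests stay next to the error in the build log. Removing the `_unsigned_test_build` wrapper makes the comparison unconditional inside the macro, which is fine, but note that the only caller is still guarded (see `define_build`).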
@ -101,24 +89,8 @@ version signed by the UEFI signing service. \
# -a <efiarch> # -a <efiarch>
# -i <input> # -i <input>
%define distrosign(b:a:d:) \ %define distrosign(b:a:d:) \
if [ 0%{?_unsigned_test_build:%{_unsigned_test_build}} -ne 0 ] ; then \
if [ "%{-b*}%{-a*}" = "shim%{efi_arch}" ] ; then \
cp -av "%{shimefi}" %{-b*}%{-a*}-unsigned.efi \
elif [ "%{-b*}%{-a*}" = "shim%{efi_alt_arch}" ] ; then \
cp -av "%{shimefialt}" %{-b*}%{-a*}-unsigned.efi \
elif [ "%{-b*}%{-a*}" = "mm%{efi_arch}" ] ; then \
cp -av "%{mmefi}" %{-b*}%{-a*}-unsigned.efi \
elif [ "%{-b*}%{-a*}" = "mm%{efi_alt_arch}" ] ; then \
cp -av "%{mmefialt}" %{-b*}%{-a*}-unsigned.efi \
elif [ "%{-b*}%{-a*}" = "fb%{efi_arch}" ] ; then \
cp -av "%{fbefi}" %{-b*}%{-a*}-unsigned.efi \
elif [ "%{-b*}%{-a*}" = "fb%{efi_alt_arch}" ] ; then \
cp -av "%{fbefialt}" %{-b*}%{-a*}-unsigned.efi \
fi \
else \
cp -av %{-d*}/%{-b*}%{-a*}.efi %{-b*}%{-a*}-unsigned.efi \ cp -av %{-d*}/%{-b*}%{-a*}.efi %{-b*}%{-a*}-unsigned.efi \
fi \ %{expand:%%sign -i %{-b*}%{-a*}-unsigned.efi -o %{-b*}%{-a*}-signed.efi -n centossecureboot201 -a %{SOURCE2} -c %{SOURCE1} }\
%{expand:%%sign -i %{-b*}%{-a*}-unsigned.efi -o %{-b*}%{-a*}-signed.efi -n redhatsecureboot501 -a %{SOURCE2} -c %{SOURCE1} } \
%{nil} %{nil}
# -a <efiarch> # -a <efiarch>
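
Review bot: the certificate nickname `centossecureboot201` is hard-coded in the `%sign` call, while the certificates it has to match arrive through `%{SOURCE1}` and `%{SOURCE2}`, so a later key rotation has to touch two files in step. Define the nickname once as a global next to the Source lines and reference it here. The new line also ends in `}\` without the space before the continuation backslash that the other lines of the macro have. With the test-build branch gone, the input is always `%{-d*}/%{-b*}%{-a*}.efi`; please confirm that directory provides mm and fb for every arch now that they are no longer sources.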
@ -126,18 +98,16 @@ version signed by the UEFI signing service. \
# -b <1|0> # signed by this builder? # -b <1|0> # signed by this builder?
# -c <1|0> # signed by UEFI CA? # -c <1|0> # signed by UEFI CA?
# -i <shimARCH.efi> # -i <shimARCH.efi>
# -d /usr/share dir for this build (full path)
%define define_build(a:A:b:c:i:d:) \ %define define_build(a:A:b:c:i:d:) \
if [ "%{-c*}" = "yes-temporarily-disabled-20180723" ]; then \ if [ "%{-c*}" = "yes-temporarily-disabled-20180723" ]; then \
%{expand:%%hash -i %{-i*} -a %{-a*} -d %{-d*}} \ %{expand:%%hash -i %{-i*} -a %{-a*} -d %{-d*}} \
fi \ fi \
cp %{-i*} shim%{-a*}.efi \ cp %{-i*} shim%{-a*}.efi \
if [ "%{-b*}" = "yes" ] ; then \ if [ "%{-b*}" = "yes" ]; then \
%{expand:%%distrosign -b shim -a %{-a*} -d %{-d*}} \ %{expand:%%distrosign -b shim -a %{-a*} -d %{-d*}} \
mv shim%{-a*}-signed.efi shim%{-a*}-%{efi_vendor}.efi \ mv shim%{-a*}-signed.efi shim%{-a*}-%{efi_vendor}.efi \
fi \ fi \
if [ "%{-c*}" = "no" ] || \ if [ "%{-c*}" = "no" ]; then \
[ 0%{?_unsigned_test_build:%{_unsigned_test_build}} -ne 0 ] ; then \
cp shim%{-a*}-%{efi_vendor}.efi shim%{-a*}.efi \ cp shim%{-a*}-%{efi_vendor}.efi shim%{-a*}.efi \
fi \ fi \
%{expand:%%distrosign -b mm -a %{-a*} -d %{-d*}} \ %{expand:%%distrosign -b mm -a %{-a*} -d %{-d*}} \
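
Review bot: the `%hash` call is still guarded by `"%{-c*}" = "yes-temporarily-disabled-20180723"`, and the callers pass `-c %{is_signed}` or `-c %{is_alt_signed}`, which the visible definitions set to yes or no, so the hash comparison against `shim%{-a*}.hash` never runs on either side of this change. Either restore the guard to `yes` so the shipped shim is checked against the recorded hash, or remove the dead branch and the `%hash` macro. The `# -d` line is also dropped from the option comment although `define_build(a:A:b:c:i:d:)` still takes and uses `-d`; keep the comment.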
@ -172,15 +142,15 @@ install -m 0700 fb%{-a*}.efi \\\
# -A <EFIARCH> # -A <EFIARCH>
%define define_files(a:A:) \ %define define_files(a:A:) \
%{expand:%%files -n shim-%{-a*}} \ %{expand:%%files -n shim-%{-a*}} \
%%verify(not mtime) %{efi_esp_dir}/*%{-a*}*.efi \ %{efi_esp_dir}/*%{-a*}*.efi \
%%verify(not mtime) %{efi_esp_dir}/BOOT%{-A*}.CSV \ %{efi_esp_dir}/BOOT%{-A*}.CSV \
%%verify(not mtime) %{efi_esp_boot}/*%{-a*}.efi \ %{efi_esp_boot}/*%{-a*}.efi \
%%verify(not mtime) %{efi_esp_boot}/*%{-A*}.EFI \ %{efi_esp_boot}/*%{-A*}.EFI \
%{nil} %{nil}
%ifarch x86_64 %ifarch x86_64
%global is_signed yes %global is_signed yes
%global is_alt_signed no %global is_alt_signed yes
%global provide_legacy_shim 1 %global provide_legacy_shim 1
%endif %endif
%ifarch aarch64 %ifarch aarch64
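
Review bot: the four `%%verify(not mtime)` qualifiers on the ESP paths in `define_files` are removed, and the old changelog lists them as "Fix rpm verification due to mtime granularity on FAT", so `rpm -V` on the installed package can be expected to report mtime differences for these files again; keep the qualifiers unless there is a reason to drop them. In the same hunk `is_alt_signed` changes from no to yes on x86_64: in `define_build` only `-c no` copies the vendor-signed binary over `shim%{-a*}.efi`, so with yes the ia32 input is shipped as supplied. Please confirm the ia32 source binary already carries the UEFI CA signature.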

@ -1,49 +1,48 @@
Name: shim Name: shim
Version: 15.8 Version: 15
Release: 4%{?dist} Release: 15%{?dist}
Summary: First-stage UEFI bootloader Summary: First-stage UEFI bootloader
License: BSD License: BSD
URL: https://github.com/rhboot/shim/ URL: https://github.com/rhboot/shim/
BuildRequires: efi-filesystem BuildRequires: efi-filesystem
BuildRequires: efi-srpm-macros >= 6 BuildRequires: efi-srpm-macros >= 3-2
ExclusiveArch: %{efi} ExclusiveArch: %{efi}
# but we don't build a .i686 package, just a shim-ia32.x86_64 package
ExcludeArch: %{ix86}
# and we don't have shim-unsigned-arm builds *yet* # and we don't have shim-unsigned-arm builds *yet*
ExcludeArch: %{arm} %{ix86} ExcludeArch: %{arm}
Source0: shim.rpmmacros Source0: shim.rpmmacros
Source1: redhatsecureboot501.cer Source1: centossecureboot201.crt
Source2: redhatsecurebootca5.cer Source2: centossecurebootca2.crt
# keep these two lists of sources synched up arch-wise. That is 0 and 10 # keep these two lists of sources synched up arch-wise. That is 0 and 10
# match, 1 and 11 match, ... # match, 1 and 11 match, ...
Source10: BOOTAA64.CSV Source10: BOOTAA64.CSV
Source20: shimaa64.efi Source20: shimaa64.efi
Source30: mmaa64.efi Source11: BOOTIA32.CSV
Source40: fbaa64.efi Source21: shimia32.efi
Source12: BOOTX64.CSV Source12: BOOTX64.CSV
Source22: shimx64.efi Source22: shimx64.efi
Source32: mmx64.efi
Source42: fbx64.efi
#Source13: BOOTARM.CSV #Source13: BOOTARM.CSV
#Source23: shimarm.efi #Source23: shimarm.efi
#Source33: mmarm.efi
#Source43: fbarm.efi
%include %{SOURCE0} %include %{SOURCE0}
BuildRequires: pesign >= 0.112-20.fc27 BuildRequires: pesign >= 0.112-20.fc27
# Right now we're just including all of the parts from them as sources here # We need this because %%{efi} won't expand before choosing where to make
# to make the build+errata process less maddening. We do this because # the src.rpm in koji, and we could be on a non-efi architecture, in which
# %%{efi} won't expand before choosing where to make the src.rpm in koji, # case we won't have a valid expansion here... To be solved in the future
# and we could be on a non-efi architecture, in which case we won't have a # (shim 16+) by making the unsigned packages all provide "shim-unsigned", so
# valid expansion here... # we can just BuildRequires that.
#%% ifarch x86_64 %ifarch x86_64
#BuildRequires: %% {unsignedx64} = %% {shimverx64} BuildRequires: %{unsignedx64} = %{shimverx64}
#%% endif BuildRequires: %{unsignedia32} = %{shimveria32}
#%% ifarch aarch64 %endif
#BuildRequires: %% {unsignedaa64} = %% {shimveraa64} %ifarch aarch64
#%% endif BuildRequires: %{unsignedaa64} = %{shimveraa64}
%endif
#%%ifarch arm #%%ifarch arm
#BuildRequires: %%{unsignedarm} = %%{shimverarm} #BuildRequires: %%{unsignedarm} = %%{shimverarm}
#%%endif #%%endif
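
Review bot: `Version:` goes from 15.8 to 15 and `Release:` from 4 to 15, which rpm orders as an older package than the other side, and the `efi-srpm-macros` floor drops from `>= 6` to `>= 3-2`. State in the commit message that the lower version is intended for this branch and that the macros used in shim.rpmmacros exist at 3-2. The BuildRequires on the unsigned packages are now active and pinned with `=` to `shimverx64`, `shimveria32` and `shimveraa64`; the comment above them still describes this as something "to be solved in the future", so reword it to match what the lines now do.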
@ -64,14 +63,12 @@ rm -rf shim-%{version}
mkdir shim-%{version} mkdir shim-%{version}
%build %build
export PS4='${LINENO}: '
cd shim-%{version} cd shim-%{version}
%if %{efi_has_alt_arch} %if %{efi_has_alt_arch}
%define_build -a %{efi_alt_arch} -A %{efi_alt_arch_upper} -i %{shimefialt} -b yes -c %{is_alt_signed} -d %{shimdiralt} %define_build -a %{efi_alt_arch} -A %{efi_alt_arch_upper} -i %{shimefialt} -b yes -c %{is_alt_signed} -d %{shimdiralt}
%endif %endif
# Temporarily using _sourcedir to avoid build dep annoyances. %define_build -a %{efi_arch} -A %{efi_arch_upper} -i %{shimefi} -b yes -c %{is_signed} -d %{shimdir}
%define_build -a %{efi_arch} -A %{efi_arch_upper} -i %{shimefi} -b yes -c %{is_signed} -d %{_sourcedir}
%install %install
rm -rf $RPM_BUILD_ROOT rm -rf $RPM_BUILD_ROOT
@ -100,45 +97,24 @@ install -m 0700 %{shimefi} $RPM_BUILD_ROOT%{efi_esp_dir}/shim.efi
%endif %endif
%if %{provide_legacy_shim} %if %{provide_legacy_shim}
%verify(not mtime) %{efi_esp_dir}/shim.efi %{efi_esp_dir}/shim.efi
%endif %endif
%changelog %changelog
* Tue Apr 16 2024 Peter Jones <pjones@redhat.com> - 15.8-4
- Rebuild to work around build system quirks.
Related: RHEL-11262
* Wed Apr 03 2024 Peter Jones <pjones@redhat.com> - 15.8-3.el9
- Fix rpm verification due to mtime granularity on FAT.
Related: RHEL-11262
* Thu Mar 21 2024 Peter Jones <pjones@redhat.com> - 15.8-2.el9
- Add the grub2-efi-ARCH conflict for SBAT.
Resolves: RHEL-11262
* Thu Mar 21 2024 Peter Jones <pjones@redhat.com> - 15.8-1.el9
- Update to shim-15.8 for CVE-2023-40547
Resolves: RHEL-11262
* Thu Apr 14 2022 Peter Jones <pjones@redhat.com> - 15.5-2.el9
- Attempt to make aarch64 build.
Related: rhbz#1932057
* Thu Apr 14 2022 Peter Jones <pjones@redhat.com> - 15.5-1.el9
- Rebuild for rhel-9.0.0
Resolves: rhbz#1932057
* Mon Sep 21 2020 Javier Martinez Canillas <javierm@redhat.com> - 15-16
- Fix an incorrect allocation size
* Fri Jul 31 2020 Peter Jones <pjones@redhat.com> - 15-15 * Fri Jul 31 2020 Peter Jones <pjones@redhat.com> - 15-15
- Update once again for new signed shim builds. - Update once again for new signed shim builds.
Resolves: rhbz#1862232
* Tue Jul 28 2020 Peter Jones <pjones@redhat.com> - 15-14 * Tue Jul 28 2020 Peter Jones <pjones@redhat.com> - 15-14
- Get rid of our %%dist hack for now. - Get rid of our %dist hack for now.
* Tue Jul 28 2020 Peter Jones <pjones@redhat.com> - 15-13 * Tue Jul 28 2020 Peter Jones <pjones@redhat.com> - 15-13
- New signing keys - New signing keys
Related: CVE-2020-10713
Related: CVE-2020-14308
Related: CVE-2020-14309
Related: CVE-2020-14310
Related: CVE-2020-14311
* Thu Jun 11 2020 Javier Martinez Canillas <javierm@redhat.com> - 15-12 * Thu Jun 11 2020 Javier Martinez Canillas <javierm@redhat.com> - 15-12
- Fix firmware update bug in aarch64 caused by shim ignoring arguments - Fix firmware update bug in aarch64 caused by shim ignoring arguments
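
Review bot: the changelog on the new side stops at 15-15 and no longer contains the "Update to shim-15.8 for CVE-2023-40547" entry, and the `Related: CVE-2020-10713` through `CVE-2020-14311` lines are removed from the 15-13 "New signing keys" entry. If the CVE-2020 references still apply to this build, keep them so the package history can be audited; if CVE-2023-40547 is handled some other way on this branch, say how. Separately, the 15-14 entry now reads `%dist` instead of `%%dist`; rpm expands macros inside `%changelog`, so keep the doubled percent sign. The `%verify(not mtime)` on `%{efi_esp_dir}/shim.efi` is dropped here as well, with the same consequence as in `define_files`.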
@ -146,25 +122,33 @@ install -m 0700 %{shimefi} $RPM_BUILD_ROOT%{efi_esp_dir}/shim.efi
* Fri Jun 07 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-11 * Fri Jun 07 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-11
- Update the shim-unsigned-aarch64 version number - Update the shim-unsigned-aarch64 version number
Related: rhbz#1715879
* Fri Jun 07 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-10 * Fri Jun 07 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-10
- Add a gating.yaml file so the package can be properly gated - Add a gating.yaml file so the package can be properly gated
Related: rhbz#1681809
* Wed Jun 05 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-9 * Wed Jun 05 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-9
- Bump the NVR - Bump the NVR
Related: rhbz#1715879
* Wed Jun 05 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-7 * Wed Jun 05 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-7
- Make EFI variable copying fatal only on secureboot enabled systems - Make EFI variable copying fatal only on secureboot enabled systems
Resolves: rhbz#1715879
- Fix booting shim from an EFI shell using a relative path - Fix booting shim from an EFI shell using a relative path
Resolves: rhbz#1717061
* Thu Mar 14 2019 Peter Jones <pjones@redhat.com> - 15-6 * Thu Mar 14 2019 Peter Jones <pjones@redhat.com> - 15-6
- Fix MoK mirroring issue which breaks kdump without intervention - Fix MoK mirroring issue which breaks kdump without intervention
Resolves: rhbz#1668966
* Thu Jan 24 2019 Peter Jones <pjones@redhat.com> - 15-5 * Thu Jan 24 2019 Peter Jones <pjones@redhat.com> - 15-5
- Rebuild for signing once again. If the signer actually works, then: - Rebuild for signing once again. If the signer actually works, then:
Resolves: rhbz#1620941
* Tue Oct 16 2018 Peter Jones <pjones@redhat.com> - 15-4 * Tue Oct 16 2018 Peter Jones <pjones@redhat.com> - 15-4
- Rebuild for signing - Rebuild for signing
Resolves: rhbz#1620941
* Mon Aug 13 2018 Troy Dawson <tdawson@redhat.com> * Mon Aug 13 2018 Troy Dawson <tdawson@redhat.com>
- Release Bumped for el8 Mass Rebuild - Release Bumped for el8 Mass Rebuild
