# Packaging of the signed shim binaries together with mokutil.
Name: shim-signed
Version: 15
Release: 2%{?dist}%{?buildid}
Summary: First-stage UEFI bootloader
# Release of the shim-unsigned build this package is paired with. It is used
# further down for the exact BuildRequires pin and for the unsigned_dir paths.
%define unsigned_release 5%{?dist}

License: BSD
URL: https://github.com/rhboot/shim/
# incorporate mokutil for packaging simplicity
%global mokutil_version 0.3.0
Source0: https://github.com/lcp/mokutil/archive/mokutil-%{mokutil_version}.tar.gz
# Certificate files handed to the pesign macro in the build section
# (Source1 with -c, Source2 with -a).
Source1: secureboot.cer
Source2: securebootca.cer
# Prebuilt shim binaries. Per the package description these are the copies
# signed by the UEFI signing service. The build section compares the x64 and
# ia32 ones against reference hash files before using them.
# NOTE(review): no equivalent comparison is visible for shimaa64.efi, because
# aarch64 is not listed in ca_signed_arches, yet the install section copies it
# to shim.efi on aarch64 - confirm that is intended.
Source10: shimx64.efi
Source11: shimia32.efi
Source12: shimaa64.efi
# Boot entry CSV files, installed next to the binaries in the install section.
Source20: BOOTX64.CSV
Source21: BOOTIA32.CSV
Source22: BOOTAA64.CSV

# mokutil patches, applied with git am in the prep section.
Patch0001: 0001-Fix-the-potential-buffer-overflow.patch
Patch0002: 0002-Fix-the-32bit-signedness-comparison.patch
Patch0003: 0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch
Patch0004: 0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch
Patch0005: 0005-Make-all-efi_guid_t-const.patch
Patch0006: 0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch
Patch0007: 0007-Add-bash-completion-file.patch
Patch0008: 0008-Fix-typo-in-error-message-when-the-system-lacks-Secu.patch
Patch0009: 0009-list_keys_in_var-check-errno-correctly-not-ret-twice.patch
Patch0010: 0010-generate_hash-generate_pw_hash-don-t-use-strlen-for-.patch

# Per-architecture names: efiarch and efiarchlc are the upper- and lower-case
# EFI architecture suffixes used in file names; shimsrc and bootsrc select the
# prebuilt shim binary and the boot CSV for the build architecture.
%ifarch x86_64
%global efiarch X64
%global efiarchlc x64
%global shimsrc %{SOURCE10}
%global bootsrc %{SOURCE20}

# An x86_64 build also handles the 32-bit (ia32) binaries.
%global shimsrcia32 %{SOURCE11}
%global bootsrcia32 %{SOURCE21}
%define unsigned_dir_ia32 %{_datadir}/shim/ia32-%{version}-%{unsigned_release}/
%endif
%ifarch aarch64
%global efiarch AA64
%global efiarchlc aa64
%global shimsrc %{SOURCE12}
%global bootsrc %{SOURCE22}
%endif
# Directory the build section reads the unsigned binaries and the reference
# hash files from; the path encodes the pinned version and unsigned release.
%define unsigned_dir %{_datadir}/shim/%{efiarchlc}-%{version}-%{unsigned_release}/

BuildRequires: git
BuildRequires: openssl-devel openssl
BuildRequires: pesign >= 0.106-5%{dist}
BuildRequires: efivar-devel
# Exact version-release pin. The files read from unsigned_dir during the
# build are presumably installed by this package - the directory name carries
# the same version and release.
BuildRequires: shim-unsigned-%{efiarchlc} = %{version}-%{unsigned_release}
%ifarch x86_64
BuildRequires: shim-unsigned-ia32 = %{version}-%{unsigned_release}
%endif

# for mokutil's configure
BuildRequires: autoconf automake

# Shim is only required on platforms implementing the UEFI secure boot
# protocol. The only one of those we currently wish to support is 64-bit x86.
# Adding further platforms will require adding appropriate relocation code.
# NOTE(review): the ExclusiveArch line below also lists aarch64, and ia32
# subpackages are produced on x86_64, so the "64-bit x86 only" sentence above
# no longer matches what this spec builds.
ExclusiveArch: x86_64 aarch64

# Override of the debug_package macro: on non-noarch builds it declares a
# mokutil-debuginfo subpackage whose file list comes from debugfiles.list.
%define debug_package \
%ifnarch noarch\
%global __debug_package 1\
%package -n mokutil-debuginfo\
Summary: Debug information for package %{name}\
Group: Development/Debug\
AutoReqProv: 0\
%description -n mokutil-debuginfo\
This package provides debug information for package %{name}.\
Debug information is useful when developing applications that use this\
package or when debugging this package.\
%files -n mokutil-debuginfo -f debugfiles.list\
%defattr(-,root,root,-)\
%endif\
%{nil}

# Figure out the right file path to use
# The EFI vendor directory name is taken from the ID field of /etc/os-release
# on the build host, with "rhel" rewritten to "redhat". The result is used in
# output file names and in the install paths under /boot/efi/EFI.
# NOTE(review): the field is passed through the shell's eval while the spec is
# parsed, so its content is interpreted as shell input rather than as data.
# The file belongs to the build root, but removing the surrounding quotes with
# sed or tr instead of eval would mean the field is never executed.
%global efidir %(eval echo $(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/'))

# Arches whose main shim is the prebuilt Source binary, accepted only after
# the hash comparison in the build section.
%define ca_signed_arches x86_64
# Arches for which the unsigned shim is signed with the pesign macro in the
# build section.
%define rh_signed_arches x86_64 aarch64

%description
Initial UEFI bootloader that handles chaining to a trusted full bootloader
under secure boot environments. This package contains the version signed by
the UEFI signing service.

%package -n shim-%{efiarchlc}
Summary: First-stage UEFI bootloader
Requires: mokutil = %{version}-%{release}
Provides: shim = %{version}-%{release}
Obsoletes: shim <= 12
# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
# compatible with SysV (there's no red zone under UEFI) and there isn't a
# POSIX-style C library.
# BuildRequires: OpenSSL
# NOTE(review): the 10-0.1 changelog entry says "Update to OpenSSL 1.0.2k",
# while the line below still advertises 0.9.8zb. Tooling that tracks bundled
# libraries for vulnerability response reads this value, so confirm which
# OpenSSL version the shipped shim embeds. The shim-ia32 subpackage carries
# the same Provides line.
Provides: bundled(openssl) = 0.9.8zb

%description -n shim-%{efiarchlc}
Initial UEFI bootloader that handles chaining to a trusted full bootloader
under secure boot environments. This package contains the version signed by
the UEFI signing service.

# The 32-bit subpackage exists only on x86_64 builds.
%ifarch x86_64
%package -n shim-ia32
Summary: First-stage UEFI bootloader
Requires: mokutil = %{version}-%{release}
# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
# compatible with SysV (there's no red zone under UEFI) and there isn't a
# POSIX-style C library.
# BuildRequires: OpenSSL
# NOTE(review): the changelog records an update to OpenSSL 1.0.2k; confirm
# that the bundled version advertised below is still accurate.
Provides: bundled(openssl) = 0.9.8zb

%description -n shim-ia32
Initial UEFI bootloader that handles chaining to a trusted full bootloader
under secure boot environments. This package contains the version signed by
the UEFI signing service.
%endif

# mokutil is built from the Source0 tarball and shipped as its own subpackage;
# both shim subpackages require it at the same version and release.
%package -n mokutil
Summary: Utilities for managing Secure Boot/MoK keys.

%description -n mokutil
Utilities for managing the "Machine's Own Keys" list.

%prep
# Create the build directory and unpack only Source0 (the mokutil tarball)
# inside it.
%setup -T -q -a 0 -n shim-signed-%{version} -c
# A throwaway git repository is created so the patches can be applied with
# git am. The commit identity is set only for that purpose and is removed
# again once the patches are applied.
git init
git config user.email "example@example.com"
git config user.name "rpmbuild -bp"
git add .
git commit -a -q -m "%{version} baseline."
cd mokutil-%{mokutil_version}
# Patch paths are prefixed with the mokutil directory name.
git am --ignore-whitespace --directory=mokutil-%{mokutil_version} %{patches}
git config --unset user.email
git config --unset user.name
cd ..

%build
# Optional pesign arguments built from vendor_token_name and
# vendor_cert_nickname; without a nickname the certificate argument falls back
# to "Red Hat Test Certificate".
# NOTE(review): neither macro is referenced anywhere else in this spec; the
# pesign calls below pass a fixed nickname instead.
%define vendor_token_str %{expand:%%{nil}%%{?vendor_token_name:-t "%{vendor_token_name}"}}
%define vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}}

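%ifarch %{ca_signed_arches}
# Integrity gate for the externally signed shim. The hash pesign reports for
# the prebuilt binary must be byte-identical to the reference hash file in
# unsigned_dir (presumably shipped by shim-unsigned). Any difference means the
# signed file does not correspond to the binary that was built, so the build
# stops before the file is copied into place.
pesign -i %{shimsrc} -h -P > shim%{efiarchlc}.hash
if ! cmp shim%{efiarchlc}.hash %{unsigned_dir}shim%{efiarchlc}.hash ; then
    # Diagnostics are written to the inherited stderr descriptor, which does
    # not depend on a /dev/stderr node existing in the build environment.
    echo Invalid signature\! >&2
    echo saved hash is $(cat %{unsigned_dir}shim%{efiarchlc}.hash) >&2
    echo shim%{efiarchlc}.efi hash is $(cat shim%{efiarchlc}.hash) >&2
    exit 1
fi
# Only a binary that passed the comparison becomes the main shim file.
cp %{shimsrc} shim%{efiarchlc}.efi
%ifarch x86_64
# Same gate for the 32-bit binary.
pesign -i %{shimsrcia32} -h -P > shimia32.hash
if ! cmp shimia32.hash %{unsigned_dir_ia32}shimia32.hash ; then
    echo Invalid signature\! >&2
    echo saved hash is $(cat %{unsigned_dir_ia32}shimia32.hash) >&2
    echo shimia32.efi hash is $(cat shimia32.hash) >&2
    exit 1
fi
cp %{shimsrcia32} shimia32.efi
%endif
%endif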
# Sign the unsigned shim with the pesign rpm macro, producing the copy whose
# file name carries the vendor directory. Source2 and Source1 are passed as
# the CA and signer certificate files, and -n gives the certificate nickname.
%ifarch %{rh_signed_arches}
%pesign -s -i %{unsigned_dir}shim%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot301 -o shim%{efiarchlc}-%{efidir}.efi
%ifarch x86_64
%pesign -s -i %{unsigned_dir_ia32}shimia32.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot301 -o shimia32-%{efidir}.efi
%endif
%endif
# On an arch that is signed here but is not in ca_signed_arches (aarch64 with
# the current defines) the locally signed binary also becomes the main shim
# file. No prebuilt binary is hash-checked on that path.
%ifarch %{rh_signed_arches}
%ifnarch %{ca_signed_arches}
cp shim%{efiarchlc}-%{efidir}.efi shim%{efiarchlc}.efi
%endif
%endif

# The mm and fb binaries (MokManager and fallback in shim's naming) are taken
# from unsigned_dir and signed with the same certificate files and nickname as
# the vendor-signed shim.
%pesign -s -i %{unsigned_dir}mm%{efiarchlc}.efi -o mm%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot301
%pesign -s -i %{unsigned_dir}fb%{efiarchlc}.efi -o fb%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot301

%ifarch x86_64
# 32-bit counterparts, x86_64 builds only.
%pesign -s -i %{unsigned_dir_ia32}mmia32.efi -o mmia32.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot301
%pesign -s -i %{unsigned_dir_ia32}fbia32.efi -o fbia32.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot301
%endif

# Build the patched mokutil tree: generate the configure script, configure
# with the distribution defaults, then compile.
cd mokutil-%{mokutil_version}
./autogen.sh
%configure
make %{?_smp_mflags}

%install
rm -rf $RPM_BUILD_ROOT
# Everything under /boot/efi is created with mode 0700; the 12-2 changelog
# entry attributes this to the permission requirements of that filesystem.
install -D -d -m 0700 $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/
install -m 0700 shim%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{efiarchlc}.efi
install -m 0700 shim%{efiarchlc}-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi
install -m 0700 mm%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/mm%{efiarchlc}.efi
install -m 0700 %{bootsrc} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT%{efiarch}.CSV

# The main shim is also installed under EFI/BOOT with the BOOT prefix,
# next to the fb binary.
install -D -d -m 0700 $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/
install -m 0700 shim%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/BOOT%{efiarch}.EFI
install -m 0700 fb%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fb%{efiarchlc}.efi

%ifarch aarch64
# In case old boot entries aren't updated
# NOTE(review): this installs the prebuilt Source binary (shimsrc) directly.
# On aarch64 that file never goes through the hash comparison in the build
# section, because aarch64 is not in ca_signed_arches, whereas the x86_64
# branch installs the copy that passed the check. Confirm whether the built
# shim file should be installed here instead.
install -m 0700 %{shimsrc} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim.efi
%endif

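%ifarch x86_64
# In case old boot entries aren't updated
# shimx64.efi is the copy made in the build section after the hash check.
install -m 0700 shimx64.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim.efi
install -m 0700 %{bootsrc} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT.CSV

# 32-bit binaries for the shim-ia32 subpackage; each file is installed once.
install -m 0700 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32.efi
install -m 0700 shimia32-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi
install -m 0700 mmia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/mmia32.efi
install -m 0700 %{bootsrcia32} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOTIA32.CSV

install -m 0700 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/BOOTIA32.EFI
install -m 0700 fbia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fbia32.efi
%endif
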
# Install mokutil into the build root using the distribution prefix and
# library directory.
cd mokutil-%{mokutil_version}
make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install

%files -n shim-%{efiarchlc}
# Files are owned by root with mode 0700, matching the modes used in the
# install section.
%defattr(0700,root,root,-)
# Package verification checks every attribute of these files except the
# modification time, so size and digest changes to the boot binaries are
# still reported.
%verify(not mtime) /boot/efi/EFI/%{efidir}/shim%{efiarchlc}.efi
%verify(not mtime) /boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi
%verify(not mtime) /boot/efi/EFI/%{efidir}/mm%{efiarchlc}.efi
%verify(not mtime) /boot/efi/EFI/%{efidir}/BOOT%{efiarch}.CSV
%verify(not mtime) /boot/efi/EFI/BOOT/BOOT%{efiarch}.EFI
%verify(not mtime) /boot/efi/EFI/BOOT/fb%{efiarchlc}.efi
%verify(not mtime) /boot/efi/EFI/%{efidir}/shim.efi

# The conditional below covers the last entry of the list above and the whole
# shim-ia32 file list.
%ifarch x86_64
%verify(not mtime) /boot/efi/EFI/%{efidir}/BOOT.CSV

%files -n shim-ia32
%defattr(0700,root,root,-)
%verify(not mtime) /boot/efi/EFI/%{efidir}/shimia32.efi
%verify(not mtime) /boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi
%verify(not mtime) /boot/efi/EFI/%{efidir}/mmia32.efi
%verify(not mtime) /boot/efi/EFI/%{efidir}/BOOTIA32.CSV
%verify(not mtime) /boot/efi/EFI/BOOT/BOOTIA32.EFI
%verify(not mtime) /boot/efi/EFI/BOOT/fbia32.efi
%endif

%files -n mokutil
# When the licensedir macro is not defined, the license directive is mapped
# to doc.
%{!?_licensedir:%global license %%doc}
%license mokutil-%{mokutil_version}/COPYING
%doc mokutil-%{mokutil_version}/README
%{_bindir}/mokutil
%{_mandir}/man1/*
%{_datadir}/bash-completion/completions/mokutil

%changelog
* Thu Mar 21 2019 Peter Jones <pjones@redhat.com> - 15-2
- Fix MoK mirroring issue which breaks kdump without intervention
Related: rhbz#1649270
* Fri Jul 20 2018 Peter Jones <pjones@redhat.com> - 15-1
- Update to shim version 15
Resolves: rhbz#1589962
* Wed Jul 11 2018 Peter Jones <pjones@redhat.com> - 12-3
- Fix broken file owner/modes
Resolves: rhbz#1595677
* Sat Jun 23 2018 Peter Jones <pjones@redhat.com> - 12-2
- Fix /boot/efi/... permissions to match the filesystem's requirements
Related: rhbz#1512749
- Minor .spec cleanups
Related: rhbz#1512749
* Mon May 01 2017 Peter Jones <pjones@redhat.com> - 12-1
- Update to 12-1 to work around a signtool.exe bug
Resolves: rhbz#1445393
* Mon Apr 24 2017 Peter Jones <pjones@redhat.com> - 11-4
- Another shot at better obsoletes.
Related: rhbz#1310764
* Mon Apr 24 2017 Peter Jones <pjones@redhat.com> - 11-3
- Fix Obsoletes
Related: rhbz#1310764
* Thu Apr 13 2017 Peter Jones <pjones@redhat.com> - 11-2
- Make sure Aarch64 still has shim.efi as well
Related: rhbz#1310766
* Wed Apr 12 2017 Peter Jones <pjones@redhat.com> - 11-1
- Rebuild with signed shim
Related: rhbz#1310766
* Mon Apr 03 2017 Peter Jones <pjones@redhat.com> - 11-0.1
- Update to 11-0.1 to match shim-11-1
Related: rhbz#1310766
- Fix regression in PE loader
Related: rhbz#1310766
- Fix case where BDS invokes us wrong and we exec shim again as a result
Related: rhbz#1310766
* Mon Mar 27 2017 Peter Jones <pjones@redhat.com> - 10-0.1
- Support ia32
Resolves: rhbz#1310766
- Handle various different load option implementation differences
- TPM 1 and TPM 2 support.
- Update to OpenSSL 1.0.2k
* Mon Jul 20 2015 Peter Jones <pjones@redhat.com> - 0.9-2
- Apparently I'm *never* going to learn to build this in the right target
the first time through.
Related: rhbz#1100048
* Mon Jun 29 2015 Peter Jones <pjones@redhat.com> - 0.9-0.1
- Bump version for 0.9
Also use mokutil-0.3.0
Related: rhbz#1100048
* Tue Jun 23 2015 Peter Jones <pjones@redhat.com> - 0.7-14.1
- Fix mokutil_version usage.
Related: rhbz#1100048
* Mon Jun 22 2015 Peter Jones <pjones@redhat.com> - 0.7-14
- Pull in aarch64 build so they can compose that tree.
(-14 to match -unsigned)
Related: rhbz#1100048
* Wed Feb 25 2015 Peter Jones <pjones@redhat.com> - 0.7-12
- Fix some minor build bugs on Aarch64
Related: rhbz#1190191
* Tue Feb 24 2015 Peter Jones <pjones@redhat.com> - 0.7-11
- Fix section loading on Aarch64
Related: rhbz#1190191
* Wed Dec 17 2014 Peter Jones <pjones@redhat.com> - 0.7-10
- Rebuild for Aarch64 to get \EFI\BOOT\BOOTAA64.EFI named right.
(I managed to fix the inputs but not the outputs in -9.)
Related: rhbz#1100048
* Wed Dec 17 2014 Peter Jones <pjones@redhat.com> - 0.7-9
- Rebuild for Aarch64 to get \EFI\BOOT\BOOTAA64.EFI named right.
Related: rhbz#1100048
* Tue Oct 21 2014 Peter Jones <pjones@redhat.com> - 0.7-8
- Build for aarch64 as well
Related: rhbz#1100048
- out-of-bounds memory read flaw in DHCPv6 packet processing
Resolves: CVE-2014-3675
- heap-based buffer overflow flaw in IPv6 address parsing
Resolves: CVE-2014-3676
- memory corruption flaw when processing Machine Owner Keys (MOKs)
Resolves: CVE-2014-3677
* Tue Sep 23 2014 Peter Jones <pjones@redhat.com> - 0.7-7
- Make sure we use the right keys on Aarch64.
(It's only a demo at this stage.)
Related: rhbz#1100048
* Tue Sep 23 2014 Peter Jones <pjones@redhat.com> - 0.7-6
- Add ARM Aarch64.
Related: rhbz#1100048
* Thu Feb 27 2014 Peter Jones <pjones@redhat.com> - 0.7-5.2
- Get the right signatures on shim-redhat.efi
Related: rhbz#1064449
* Thu Feb 27 2014 Peter Jones <pjones@redhat.com> - 0.7-5.1
- Update for signed shim for RHEL 7
Resolves: rhbz#1064449
* Thu Nov 21 2013 Peter Jones <pjones@redhat.com> - 0.7-5
- Fix shim-unsigned deps.
Related: rhbz#1032583
* Thu Nov 21 2013 Peter Jones <pjones@redhat.com> - 0.7-4
- Make dhcp4 work better.
Related: rhbz#1032583
* Thu Nov 14 2013 Peter Jones <pjones@redhat.com> - 0.7-3
- Make lockdown include UEFI and other KEK/DB entries.
Related: rhbz#1030492
* Fri Nov 08 2013 Peter Jones <pjones@redhat.com> - 0.7-2
- Handle SetupMode better in lockdown as well
Related: rhbz#996863
* Wed Nov 06 2013 Peter Jones <pjones@redhat.com> - 0.7-1
- Don't treat SetupMode variable's presence as meaning we're in SetupMode.
Related: rhbz#996863
* Wed Nov 06 2013 Peter Jones <pjones@redhat.com> - 0.6-3
- Use the correct CA and signer certificates.
Related: rhbz#996863
* Thu Oct 31 2013 Peter Jones <pjones@redhat.com> - 0.6-1
- Update to 0.6-1
Resolves: rhbz#1008379
* Wed Aug 07 2013 Peter Jones <pjones@redhat.com> - 0.4-3.2
- Depend on newer pesign.
Related: rhbz#989442
* Tue Aug 06 2013 Peter Jones <pjones@redhat.com> - 0.4-3.1
- Rebuild with newer pesign
Related: rhbz#989442
* Tue Aug 06 2013 Peter Jones <pjones@redhat.com> - 0.4-3
- Update for RHEL signing with early test keys.
Related: rhbz#989442
* Thu Jun 20 2013 Peter Jones <pjones@redhat.com> - 0.4-1
- Provide a fallback for uninitialized Boot#### and BootOrder
Resolves: rhbz#963359
- Move all signing from shim-unsigned to here
- properly compare our generated hash from shim-unsigned with the hash of
the signed binary (as opposed to doing it manually)
* Fri May 31 2013 Peter Jones <pjones@redhat.com> - 0.2-4.4
- Re-sign to get alignments that match the new specification.
Resolves: rhbz#963361
* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.2-4.3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
* Wed Jan 02 2013 Peter Jones <pjones@redhat.com> - 0.2-3.3
- Add obsoletes and provides for earlier shim-signed packages, to cover
the package update cases where previous versions were installed.
Related: rhbz#888026
* Mon Dec 17 2012 Peter Jones <pjones@redhat.com> - 0.2-3.2
- Make the shim-unsigned dep be on the subpackage.
* Sun Dec 16 2012 Peter Jones <pjones@redhat.com> - 0.2-3.1
- Rebuild to provide "shim" package directly instead of just as a Provides:
* Sat Dec 15 2012 Peter Jones <pjones@redhat.com> - 0.2-3
- Also provide shim-fedora.efi, signed only by the fedora signer.
- Fix the fedora signature on the result to actually be correct.
- Update for shim-unsigned 0.2-3
* Mon Dec 03 2012 Peter Jones <pjones@redhat.com> - 0.2-2
- Initial build