Name: shim-signed Version: 0.7 Release: 12%{?dist} Summary: First-stage UEFI bootloader Provides: shim = %{version}-%{release} %define unsigned_release 10%{?dist} ExclusiveArch: aarch64 License: BSD URL: http://www.codon.org.uk/~mjg59/shim/ Source0: BOOT.CSV Source1: shimx64.efi Source2: shimaa64.efi Source3: secureboot.cer Source4: securebootca.cer %ifarch x86_64 %global efiarch X64 %global shimsrc %{SOURCE1} %endif %ifarch aarch64 %global efiarch AA64 %global shimsrc %{SOURCE2} %endif BuildRequires: shim-unsigned = %{version}-%{unsigned_release} BuildRequires: pesign >= 0.106-5%{dist} # Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not # compatible with SysV (there's no red zone under UEFI) and there isn't a # POSIX-style C library. # BuildRequires: OpenSSL Provides: bundled(openssl) = 0.9.8zb # Shim is only required on platforms implementing the UEFI secure boot # protocol. The only one of those we currently wish to support is 64-bit x86. # Adding further platforms will require adding appropriate relocation code. ExclusiveArch: x86_64 aarch64 %global debug_package %{nil} # Figure out the right file path to use %if 0%{?rhel} %global efidir redhat %endif %if 0%{?fedora} %global efidir fedora %endif %define ca_signed_arches x86_64 %define rh_signed_arches x86_64 aarch64 %description Initial UEFI bootloader that handles chaining to a trusted full bootloader under secure boot environments. This package contains the version signed by the UEFI signing service. %package -n shim Summary: First-stage UEFI bootloader Requires: shim-unsigned = %{version}-%{unsigned_release} Requires: mokutil = %{version}-%{unsigned_release} Provides: shim-signed = %{version}-%{release} Obsoletes: shim-signed < %{version}-%{release} %description -n shim Initial UEFI bootloader that handles chaining to a trusted full bootloader under secure boot environments. This package contains the version signed by the UEFI signing service. %prep cd %{_builddir} rm -rf shim-signed-%{version} mkdir shim-signed-%{version} %build %define vendor_token_str %{expand:%%{nil}%%{?vendor_token_name:-t "%{vendor_token_name}"}} %define vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}} cd shim-signed-%{version} %ifarch %{ca_signed_arches} pesign -i %{shimsrc} -h -P > shim.hash if ! cmp shim.hash %{_datadir}/shim/shim.hash ; then echo Invalid signature\! > /dev/stderr exit 1 fi cp %{shimsrc} shim.efi %endif %ifarch %{rh_signed_arches} %pesign -s -i %{_datadir}/shim/shim.efi -a %{SOURCE4} -c %{SOURCE3} -n redhatsecureboot301 -o shim-%{efidir}.efi %endif %ifarch %{rh_signed_arches} %ifnarch %{ca_signed_arches} cp shim-%{efidir}.efi shim.efi %endif %endif %pesign -s -i %{_datadir}/shim/MokManager.efi -o MokManager.efi -a %{SOURCE4} -c %{SOURCE3} -n redhatsecureboot301 %pesign -s -i %{_datadir}/shim/fallback.efi -o fallback.efi -a %{SOURCE4} -c %{SOURCE3} -n redhatsecureboot301 %install rm -rf $RPM_BUILD_ROOT cd shim-signed-%{version} install -D -d -m 0755 $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/ install -m 0644 shim.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim.efi install -m 0644 shim-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim-%{efidir}.efi install -m 0644 MokManager.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/MokManager.efi install -m 0644 %{SOURCE0} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT.CSV install -D -d -m 0755 $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/ install -m 0644 shim.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/BOOT%{efiarch}.EFI install -m 0644 fallback.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fallback.efi %files -n shim /boot/efi/EFI/%{efidir}/shim.efi /boot/efi/EFI/%{efidir}/shim-%{efidir}.efi /boot/efi/EFI/%{efidir}/MokManager.efi /boot/efi/EFI/%{efidir}/BOOT.CSV /boot/efi/EFI/BOOT/BOOT%{efiarch}.EFI /boot/efi/EFI/BOOT/fallback.efi %changelog * Wed Feb 25 2015 Peter Jones - 0.7-12 - Fix some minor build bugs on Aarch64 Related: rhbz#1190191 * Tue Feb 24 2015 Peter Jones - 0.7-11 - Fix section loading on Aarch64 Related: rhbz#1190191 * Wed Dec 17 2014 Peter Jones - 0.7-10 - Rebuild for Aarch64 to get \EFI\BOOT\BOOTAA64.EFI named right. (I managed to fix the inputs but not the outputs in -9.) Related: rhbz#1100048 * Wed Dec 17 2014 Peter Jones - 0.7-9 - Rebuild for Aarch64 to get \EFI\BOOT\BOOTAA64.EFI named right. Related: rhbz#1100048 * Tue Oct 21 2014 Peter Jones - 0.7-8 - Build for aarch64 as well Related: rhbz#1100048 - out-of-bounds memory read flaw in DHCPv6 packet processing Resolves: CVE-2014-3675 - heap-based buffer overflow flaw in IPv6 address parsing Resolves: CVE-2014-3676 - memory corruption flaw when processing Machine Owner Keys (MOKs) Resolves: CVE-2014-3677 * Tue Sep 23 2014 Peter Jones - 0.7-7 - Make sure we use the right keys on Aarch64. (It's only a demo at this stage.) Related: rhbz#1100048 * Tue Sep 23 2014 Peter Jones - 0.7-6 - Add ARM Aarch64. Related: rhbz#1100048 * Thu Feb 27 2014 Peter Jones - 0.7-5.2 - Get the right signatures on shim-redhat.efi Related: rhbz#1064449 * Thu Feb 27 2014 Peter Jones - 0.7-5.1 - Update for signed shim for RHEL 7 Resolves: rhbz#1064449 * Thu Nov 21 2013 Peter Jones - 0.7-5 - Fix shim-unsigned deps. Related: rhbz#1032583 * Thu Nov 21 2013 Peter Jones - 0.7-4 - Make dhcp4 work better. Related: rhbz#1032583 * Thu Nov 14 2013 Peter Jones - 0.7-3 - Make lockdown include UEFI and other KEK/DB entries. Related: rhbz#1030492 * Fri Nov 08 2013 Peter Jones - 0.7-2 - Handle SetupMode better in lockdown as well Related: rhbz#996863 * Wed Nov 06 2013 Peter Jones - 0.7-1 - Don't treat SetupMode variable's presence as meaning we're in SetupMode. Related: rhbz#996863 * Wed Nov 06 2013 Peter Jones - 0.6-3 - Use the correct CA and signer certificates. Related: rhbz#996863 * Thu Oct 31 2013 Peter Jones - 0.6-1 - Update to 0.6-1 Resolves: rhbz#1008379 * Wed Aug 07 2013 Peter Jones - 0.4-3.2 - Depend on newer pesign. Related: rhbz#989442 * Tue Aug 06 2013 Peter Jones - 0.4-3.1 - Rebuild with newer pesign Related: rhbz#989442 * Tue Aug 06 2013 Peter Jones - 0.4-3 - Update for RHEL signing with early test keys. Related: rhbz#989442 * Thu Jun 20 2013 Peter Jones - 0.4-1 - Provide a fallback for uninitialized Boot#### and BootOrder Resolves: rhbz#963359 - Move all signing from shim-unsigned to here - properly compare our generated hash from shim-unsigned with the hash of the signed binary (as opposed to doing it manually) * Fri May 31 2013 Peter Jones - 0.2-4.4 - Re-sign to get alignments that match the new specification. Resolves: rhbz#963361 * Thu Feb 14 2013 Fedora Release Engineering - 0.2-4.3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild * Wed Jan 02 2013 Peter Jones - 0.2-3.3 - Add obsoletes and provides for earlier shim-signed packages, to cover the package update cases where previous versions were installed. Related: rhbz#888026 * Mon Dec 17 2012 Peter Jones - 0.2-3.2 - Make the shim-unsigned dep be on the subpackage. * Sun Dec 16 2012 Peter Jones - 0.2-3.1 - Rebuild to provide "shim" package directly instead of just as a Provides: * Sat Dec 15 2012 Peter Jones - 0.2-3 - Also provide shim-fedora.efi, signed only by the fedora signer. - Fix the fedora signature on the result to actually be correct. - Update for shim-unsigned 0.2-3 * Mon Dec 03 2012 Peter Jones - 0.2-2 - Initial build