Name: shim
Version: 0.7
Release: 8%{?dist}
Summary: First-stage UEFI bootloader
License: BSD
URL: http://www.codon.org.uk/~mjg59/shim/
Source0: https://github.com/mjg59/shim/releases/download/%{version}/shim-%{version}.tar.bz2
Source1: securebootca.cer
# incorporate mokutil for packaging simplicity
%global mokutilver 0.2.0
Source2: https://github.com/lcp/mokutil/archive/mokutil-%{mokutilver}.tar.gz
# currently here's what's in our dbx:
# nothing.
#Source3: dbx.esl
Source4: rhtest.cer
Patch0001: 0001-fix-verify_mok.patch
Patch0002: 0002-shim.c-Add-support-for-hashing-relocation-of-32-bit-.patch
Patch0003: 0003-netboot.h-fix-build-error-on-32-bit-systems.patch
Patch0004: 0004-properly-compile-OpenSSL-in-32-bit-mode.patch
Patch0005: 0005-fallback.c-fix-32-bit-compilation.patch
Patch0006: 0006-fix-fallback.so-build-dependency.patch
Patch0007: 0007-propagate-some-path-variables.patch
Patch0008: 0008-allow-32-bit-compilation-with-64-bit-compiler.patch
Patch0009: 0009-shim-improve-error-messages.patch
Patch0010: 0010-Clarify-meaning-of-insecure_mode.patch
Patch0011: 0011-Don-t-hook-system-services-if-shim-has-no-built-in-k.patch
Patch0012: 0012-Fix-path-generation-for-Dhcpv4-bootloader.patch
Patch0013: 0013-Lengths-that-might-be-1-can-t-be-unsigned-Peter.patch
Patch0014: 0014-Fix-wrong-sizeof.patch
Patch0015: 0015-Initialize-entries-before-we-pass-it-to-another-func.patch
Patch0016: 0016-Rewrite-directory-traversal-allocation-path-so-cover.patch
Patch0017: 0017-Error-check-the-right-thing-in-get_variable_attr-whe.patch
Patch0018: 0018-fallback-For-HD-device-paths-use-just-the-media-node.patch
Patch0019: 0019-fallback-Attempt-to-re-use-existing-entries-when-pos.patch
Patch0020: 0020-Add-a-preliminary-test-plan.patch
Patch0021: 0021-Add-a-failure-case-to-the-test-plan-and-fix-an-order.patch
Patch0022: 0022-Allow-fallback-to-use-the-system-s-LoadImage-StartIm.patch
Patch0023: 0023-additional-bounds-checking-on-section-sizes.patch
Patch0024: 0024-Kees-patch-missed-the-offset-adjustment-to-PEHdr.patch
Patch0025: 0025-Get-rid-of-SectionCache-in-generate_hash-it-is-unuse.patch
Patch0026: 0026-fallback-Avoid-duplicate-old-BootOrder.patch
Patch0027: 0027-fallback-Fix-the-data-size-for-boot-option-compariso.patch
Patch0028: 0028-fallback-Try-to-boot-the-first-boot-option-anyway.patch
Patch0029: 0029-Fetch-the-netboot-image-from-the-same-device.patch
Patch0030: 0030-Check-the-first-4-bytes-of-the-certificate.patch
Patch0031: 0031-Remove-grubpath-in-generate_path.patch
Patch0032: 0032-MokManager-delete-the-BS-NV-variables-the-right-way.patch
Patch0033: 0033-MokManager-handle-the-error-status-from-ReadKeyStrok.patch
Patch0034: 0034-Exclude-ca.crt-while-signing-EFI-images.patch
Patch0035: 0035-No-newline-for-console_notify.patch
Patch0036: 0036-Remove-the-duplicate-calls-in-lib-console.c.patch
Patch0037: 0037-Silence-the-functions-of-shim-protocol.patch
Patch0038: 0038-Free-the-string-from-DevicePathToStr.patch
Patch0039: 0039-Explain-the-logic-in-secure_mode-better.patch
Patch0040: 0040-Check-the-secure-variables-with-the-lib-functions.patch
Patch0041: 0041-Make-sure-we-default-to-assuming-we-re-locked-down.patch
Patch0042: 0042-Simplify-the-checking-of-SB-and-DB-states.patch
Patch0043: 0043-Update-openssl-to-0.9.8za.patch
Patch0044: 0044-Replace-build-instructions-in-README-with-something-.patch
Patch0045: 0045-CryptLib-undefine-va_arg-and-friends-before-redefini.patch
Patch0046: 0046-unhook_system_services-bail-on-systab-NULL.patch
Patch0047: 0047-Factor-out-x86-isms-and-add-cross-compile-support.patch
Patch0048: 0048-Add-support-for-64-bit-ARM-AArch64.patch
Patch0049: 0049-Add-support-for-32-bit-ARM.patch
Patch0050: 0050-Update-openssl-to-0.9.8zb.patch
Patch0051: 0051-Fix-typo-from-Ard-s-old-tree-32-bit-ARM-patch.patch
Patch0052: 0052-Handle-empty-.reloc-section-in-PE-COFF-loader.patch
Patch0053: 0053-Don-t-name-something-exit.patch
Patch0054: 0054-Make-sure-we-don-t-try-to-load-a-binary-from-a-diffe.patch
Patch0055: 0055-Actually-refer-to-the-base-relocation-table-of-our-l.patch
Patch0056: 0056-Make-64-on-32-maybe-work-on-x86_64.patch
Patch0057: 0057-Validate-computed-hash-bases-hash-sizes-more-thoroug.patch
Patch0058: 0058-Don-t-call-AuthenticodeVerify-if-vendor_cert_size-is.patch
Patch0059: 0059-Fix-our-in_protocol-printing.patch
Patch0060: 0060-Generate-a-sane-PE-header-on-shim-fallback-and-MokMa.patch
Patch0061: 0061-Do-the-same-for-ia32.patch
Patch0062: 0062-Make-list_keys-index-variables-all-be-signed.patch
Patch0063: 0063-Revert-header-changes.patch
Patch0064: 0064-Actually-find-the-relocations-correctly-and-process-.patch
Patch0065: 0065-Don-t-append-an-empty-cert-list-to-MokListRT-if-vend.patch
Patch0066: 0066-Fix-some-minor-testplan-errors.patch
Patch0067: 0067-Don-t-verify-images-with-the-empty-build-key.patch
Patch0068: 0068-Cryptlib-remove-the-unused-files.patch
Patch0069: 0069-Another-testplan-error.patch
Patch0070: 0070-shim-buffer-overflow-on-ipv6-option-parsing.patch
Patch0071: 0071-OOB-access-when-parsing-MOK-List-Certificates-on-MOK.patch
Patch0072: 0072-Make-another-integer-compare-be-signed-unsigned-safe.patch
Patch0073: 0073-Use-Werror-sign-compare.patch
Patch0074: 0074-Correctly-reject-bad-tftp-addresses-earlier-rather-t.patch
BuildRequires: git openssl-devel openssl
BuildRequires: pesign >= 0.106-1
BuildRequires: gnu-efi = 3.0u, gnu-efi-devel = 3.0u
# for xxd
BuildRequires: vim-common
# for mokutil's configure
BuildRequires: autoconf automake
# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
# compatible with SysV (there's no red zone under UEFI) and there isn't a
# POSIX-style C library.
# BuildRequires: OpenSSL
Provides: bundled(openssl) = 0.9.8w
# Shim is only required on platforms implementing the UEFI secure boot
# protocol. The only one of those we currently wish to support is 64-bit x86.
# Adding further platforms will require adding appropriate relocation code.
ExclusiveArch: x86_64
%ifarch x86_64
%global efiarch x64
%endif
%ifarch aarch64
%global efiarch aa64
%endif
# Figure out the right file path to use
%if 0%{?rhel}
%global efidir redhat
%endif
%if 0%{?fedora}
%global efidir fedora
%endif
%description
Initial UEFI bootloader that handles chaining to a trusted full bootloader
under secure boot environments.
%package -n shim-unsigned
Summary: First-stage UEFI bootloader (unsigned data)
%description -n shim-unsigned
Initial UEFI bootloader that handles chaining to a trusted full bootloader
under secure boot environments.
%package -n mokutil
Summary: Utilities for managing Secure Boot/MoK keys.
%description -n mokutil
Utilities for managing the "Machine's Own Keys" list.
%prep
%setup -q
%setup -q -a 2 -D -T
git init
git config user.email "example@example.com"
git config user.name "rpmbuild -bp"
git add .
git commit -a -q -m "%{version} baseline."
git am --ignore-whitespace %{patches} </dev/null
git config --unset user.email
git config --unset user.name
%build
MAKEFLAGS=""
%ifarch aarch64
if [ -f "%{SOURCE4}" ]; then
MAKEFLAGS="VENDOR_CERT_FILE=%{SOURCE4}"
fi
%else
if [ -f "%{SOURCE1}" ]; then
MAKEFLAGS="VENDOR_CERT_FILE=%{SOURCE1}"
fi
%endif
# MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE3}"
make 'DEFAULT_LOADER=\\\\grub%{efiarch}.efi' ${MAKEFLAGS} shim.efi MokManager.efi fallback.efi
cd mokutil-%{mokutilver}
./autogen.sh
%configure
make %{?_smp_mflags}
%install
rm -rf $RPM_BUILD_ROOT
pesign -h -P -i shim.efi -h > shim.hash
install -D -d -m 0755 $RPM_BUILD_ROOT%{_datadir}/shim/
install -m 0644 shim.efi $RPM_BUILD_ROOT%{_datadir}/shim/shim.efi
install -m 0644 shim.hash $RPM_BUILD_ROOT%{_datadir}/shim/shim.hash
install -m 0644 fallback.efi $RPM_BUILD_ROOT%{_datadir}/shim/fallback.efi
install -m 0644 MokManager.efi $RPM_BUILD_ROOT%{_datadir}/shim/MokManager.efi
cd mokutil-%{mokutilver}
make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install
%files -n shim-unsigned
%doc
%dir %{_datadir}/shim
%{_datadir}/shim/*
%files -n mokutil
/usr/bin/mokutil
/usr/share/man/man1/mokutil.1.gz
%changelog
* Tue Sep 30 2014 Peter Jones <pjones@redhat.com> - 0.7-8
- out-of-bounds memory read flaw in DHCPv6 packet processing
Resolves: CVE-2014-3675
- heap-based buffer overflow flaw in IPv6 address parsing
Resolves: CVE-2014-3676
- memory corruption flaw when processing Machine Owner Keys (MOKs)
Resolves: CVE-2014-3677
* Tue Sep 23 2014 Peter Jones <pjones@redhat.com> - 0.7-7
- Use the right key for ARM Aarch64.
* Sun Sep 21 2014 Peter Jones <pjones@redhat.com> - 0.7-6
- Preliminary build for ARM Aarch64.
* Tue Feb 18 2014 Peter Jones <pjones@redhat.com> - 0.7-5
- Update for production signing
Resolves: rhbz#1064424
Related: rhbz#1064449
* Thu Nov 21 2013 Peter Jones <pjones@redhat.com> - 0.7-4
- Make dhcpv4 paths work better when netbooting.
Resolves: rhbz#1032583
* Thu Nov 14 2013 Peter Jones <pjones@redhat.com> - 0.7-3
- Make lockdown include UEFI and other KEK/DB entries.
Resolves: rhbz#1030492
* Fri Nov 08 2013 Peter Jones <pjones@redhat.com> - 0.7-2
- Update lockdown to reflect SetupMode better as well
Related: rhbz#996863
* Wed Nov 06 2013 Peter Jones <pjones@redhat.com> - 0.7-1
- Fix logic to handle SetupMode efi variable.
Related: rhbz#996863
* Thu Oct 31 2013 Peter Jones <pjones@redhat.com> - 0.6-1
- Fix a FreePool(NULL) call on machines too old for SB
* Fri Oct 04 2013 Peter Jones <pjones@redhat.com> - 0.5-1
- Update to 0.5
* Tue Aug 06 2013 Peter Jones <pjones@redhat.com> - 0.4-3
- Build with early RHEL test keys.
Related: rhbz#989442
* Thu Jul 25 2013 Peter Jones <pjones@redhat.com> - 0.4-2
- Fix minor RHEL 7.0 build issues
Resolves: rhbz#978766
- Be less verbose by default
* Tue Jun 11 2013 Peter Jones <pjones@redhat.com> - 0.4-1
- Update to 0.4
* Fri Jun 07 2013 Peter Jones <pjones@redhat.com> - 0.3-2
- Require gnu-efi-3.0q for now.
- Don't allow mmx or sse during compilation.
- Re-organize this so all real signing happens in shim-signed instead.
- Split out mokutil
* Wed Dec 12 2012 Peter Jones <pjones@redhat.com> - 0.2-3
- Fix mokutil's idea of signature sizes.
* Wed Nov 28 2012 Matthew Garrett <mjg59@srcf.ucam.org> - 0.2-2
- Fix secure_mode() always returning true
* Mon Nov 26 2012 Matthew Garrett <mjg59@srcf.ucam.org> - 0.2-1
- Update shim
- Include mokutil
- Add debuginfo package since mokutil is a userspace executable
* Mon Oct 22 2012 Peter Jones <pjones@redhat.com> - 0.1-4
- Produce an unsigned shim
* Tue Aug 14 2012 Peter Jones <pjones@redhat.com> - 0.1-3
- Update how embedded cert and signing work.
* Mon Aug 13 2012 Josh Boyer <jwboyer@redhat.com> - 0.1-2
- Add patch to fix image size calculation
* Mon Aug 13 2012 Matthew Garrett <mjg@redhat.com> - 0.1-1
- initial release