diff --git a/.gitignore b/.gitignore
index a250cf7..6af0766 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/shim-12.tar.bz2
+SOURCES/shim-15.tar.bz2
diff --git a/.shim.metadata b/.shim.metadata
index d93caad..5677fcd 100644
--- a/.shim.metadata
+++ b/.shim.metadata
@@ -1 +1 @@
-5c5a5738bd0412cb1f42ac2b9dace11c3495ed5b SOURCES/shim-12.tar.bz2
+2dc6308584187bf3ee88bf9b119938c72c5a5088 SOURCES/shim-15.tar.bz2
diff --git a/SOURCES/0001-Add-vendor-esl.patch b/SOURCES/0001-Add-vendor-esl.patch
deleted file mode 100644
index 1058298..0000000
--- a/SOURCES/0001-Add-vendor-esl.patch
+++ /dev/null
@@ -1,168 +0,0 @@ -From bc1e30ee1e7940e0e70eab9afd55b6e355ef9899 Mon Sep 17 00:00:00 2001 -From: Patrick Uiterwijk -Date: Sat, 21 Jul 2018 03:27:26 +0200 -Subject: [PATCH] Add vendor_esl - -Signed-off-by: Patrick Uiterwijk ---- - Makefile | 3 +++ - cert.S | 30 ++++++++++++++++++++++++++++++ - shim.c | 36 +++++++++++++++++++++++++++++++++++- - 3 files changed, 68 insertions(+), 1 deletion(-) - -diff --git a/Makefile b/Makefile -index 6ece282..78688e0 100644 ---- a/Makefile -+++ b/Makefile -@@ -82,6 +82,9 @@ endif - ifneq ($(origin VENDOR_CERT_FILE), undefined) - CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\" - endif -+ifneq ($(origin VENDOR_ESL_FILE), undefined) -+ CFLAGS += -DVENDOR_ESL_FILE=\"$(VENDOR_ESL_FILE)\" -+endif - ifneq ($(origin VENDOR_DBX_FILE), undefined) - CFLAGS += -DVENDOR_DBX_FILE=\"$(VENDOR_DBX_FILE)\" - endif -diff --git a/cert.S b/cert.S -index cfc4525..7ad782a 100644 ---- a/cert.S -+++ b/cert.S -@@ -8,12 +8,18 @@ cert_table: - #else - .long 0 - #endif -+#if defined(VENDOR_ESL_FILE) -+ .long vendor_esl_priv_end - vendor_esl_priv -+#else -+ .long 0 -+#endif - #if defined(VENDOR_DBX_FILE) - .long vendor_dbx_priv_end - vendor_dbx_priv - #else - .long 0 - #endif - .long vendor_cert_priv - cert_table -+ .long vendor_esl_priv - cert_table - .long vendor_dbx_priv - cert_table - #if defined(VENDOR_CERT_FILE) - .data -@@ -39,6 +45,30 @@ vendor_cert_priv: - .section .vendor_cert, "a", %progbits - vendor_cert_priv_end: - #endif -+#if defined(VENDOR_ESL_FILE) -+ .data -+ .align 1 -+ .type vendor_esl_priv, %object -+ .size vendor_esl_priv, vendor_esl_priv_end-vendor_esl_priv -+ .section .vendor_cert, "a", %progbits -+vendor_esl_priv: -+.incbin VENDOR_ESL_FILE -+vendor_esl_priv_end: -+#else -+ .bss -+ .type vendor_esl_priv, %object -+ .size vendor_esl_priv, 1 -+ .section .vendor_cert, "a", %progbits -+vendor_esl_priv: -+ .zero 1 -+ -+ .data -+ .align 4 -+ .type vendor_esl_size_priv, %object -+ .size vendor_esl_size_priv, 4 -+ .section .vendor_cert, "a", 
%progbits -+vendor_esl_priv_end: -+#endif - #if defined(VENDOR_DBX_FILE) - .data - .align 1 -diff --git a/shim.c b/shim.c -index f8a1e67..d99134f 100644 ---- a/shim.c -+++ b/shim.c -@@ -84,14 +84,18 @@ EFI_GUID SHIM_LOCK_GUID = { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, - */ - extern struct { - UINT32 vendor_cert_size; -+ UINT32 vendor_esl_size; - UINT32 vendor_dbx_size; - UINT32 vendor_cert_offset; -+ UINT32 vendor_esl_offset; - UINT32 vendor_dbx_offset; - } cert_table; - - UINT32 vendor_cert_size; -+UINT32 vendor_esl_size; - UINT32 vendor_dbx_size; - UINT8 *vendor_cert; -+UINT8 *vendor_esl; - UINT8 *vendor_dbx; - - /* -@@ -1029,6 +1033,18 @@ static EFI_STATUS verify_buffer (char *data, int datasize, - return status; - } - -+ /* -+ * Check if there's a vendor ESL built-in -+ */ -+ if (vendor_esl_size && -+ check_db_cert_in_ram((EFI_SIGNATURE_LIST*)vendor_esl, -+ vendor_esl_size, -+ cert, -+ sha256hash) == DATA_FOUND) { -+ status = EFI_SUCCESS; -+ return status; -+ } -+ - /* - * And finally, check against shim's built-in key - */ -@@ -1973,6 +1989,22 @@ EFI_STATUS mirror_mok_list() - - CertData->SignatureOwner = SHIM_LOCK_GUID; - CopyMem(p, vendor_cert, vendor_cert_size); -+ } else if (vendor_esl_size) { -+ FullDataSize = DataSize -+ + vendor_esl_size -+ ; -+ FullData = AllocatePool(FullDataSize); -+ if (!FullData) { -+ perror(L"Failed to allocate space for MokListRT\n"); -+ return EFI_OUT_OF_RESOURCES; -+ } -+ p = FullData; -+ -+ if (efi_status == EFI_SUCCESS && DataSize > 0) { -+ CopyMem(p, Data, DataSize); -+ p += DataSize; -+ } -+ CopyMem(p, vendor_esl, vendor_esl_size); - } else { - FullDataSize = DataSize; - FullData = Data; -@@ -2606,7 +2638,7 @@ shim_init(void) - set_second_stage (global_image_handle); - - if (secure_mode()) { -- if (vendor_cert_size || vendor_dbx_size) { -+ if (vendor_cert_size || vendor_esl_size || vendor_dbx_size) { - /* - * If shim includes its own certificates then ensure - * that anything it boots has performed some -@@ 
-2706,8 +2738,10 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab) - verification_method = VERIFIED_BY_NOTHING; - - vendor_cert_size = cert_table.vendor_cert_size; -+ vendor_esl_size = cert_table.vendor_esl_size; - vendor_dbx_size = cert_table.vendor_dbx_size; - vendor_cert = (UINT8 *)&cert_table + cert_table.vendor_cert_offset; -+ vendor_esl = (UINT8 *)&cert_table + cert_table.vendor_esl_offset; - vendor_dbx = (UINT8 *)&cert_table + cert_table.vendor_dbx_offset; - - /* --- -2.18.0 - diff --git a/SOURCES/centos.esl b/SOURCES/centos.esl deleted file mode 100644 index c0815a7..0000000 Binary files a/SOURCES/centos.esl and /dev/null differ diff --git a/SPECS/shim.spec b/SPECS/shim.spec index a7778ba..97117dd 100644 --- a/SPECS/shim.spec +++ b/SPECS/shim.spec @@ -1,19 +1,16 @@ Name: shim -Version: 12 -Release: 2%{?dist} +Version: 15 +Release: 1%{?dist} Summary: First-stage UEFI bootloader License: BSD URL: http://www.codon.org.uk/~mjg59/shim/ -Source0: https://github.com/mjg59/shim/releases/download/%{version}/shim-%{version}.tar.bz2 -#Source1: centos.crt +Source0: https://github.com/mjg59/shim/releases/download/%{version}/shim-%{version}.tar.bz2 +Source1: securebootca.cer # currently here's what's in our dbx: # nothing. -#Source2: dbx-x64.esl -#Source3: dbx-aa64.esl -Source4: shim-find-debuginfo.sh -Source5: centos.esl - -Patch0: 0001-Add-vendor-esl.patch +#Source2: dbx-x64.esl +#Source3: dbx-aa64.esl +Source4: shim-find-debuginfo.sh BuildRequires: git openssl-devel openssl BuildRequires: pesign >= 0.106-1 
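Review bot: Uncommenting `Source1: securebootca.cer` while dropping `Source5: centos.esl` and `Patch0: 0001-Add-vendor-esl.patch` changes the trust anchor embedded in shim, and nothing in this commit adds `SOURCES/securebootca.cer` or records it in `.shim.metadata`, so the file must already be tracked for `%build` to embed it at all. The removed changelog entry says `centos.esl` was a combined list carrying both the new and the previous CentOS certificate; replacing it with a single `.cer` means binaries signed under the previous key will no longer verify against shim's built-in certificate unless that key is also present in db or MokList. That consequence is not stated anywhere in the spec, so the `%changelog` hunk (`@@ -226,9 +217,9 @@`) should carry a line such as `- Drop vendor ESL patch and combined centos.esl; embed securebootca.cer as the sole vendor certificate`. It would also help to state in a comment above `Source1` which CA the file holds and where it was obtained, since the spec's `%build` only checks that the path exists.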
@@ -125,23 +122,17 @@ COMMITID=$(cat %{name}-%{version}-%{efiarch}/commit) MAKEFLAGS="RELEASE=%{release} ENABLE_HTTPBOOT=true COMMITID=${COMMITID}" %ifarch aarch64 if [ -f "%{SOURCE1}" ]; then - MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}" + MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}" fi if [ -f "%{SOURCE3}" ]; then - MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE3}" -fi -if [ -f "%{SOURCE5}" ]; then - MAKEFLAGS="$MAKEFLAGS VENDOR_ESL_FILE=%{SOURCE5}" + MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE3}" fi %else if [ -f "%{SOURCE1}" ]; then - MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}" + MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}" fi if [ -f "%{SOURCE2}" ]; then - MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}" -fi -if [ -f "%{SOURCE5}" ]; then - MAKEFLAGS="$MAKEFLAGS VENDOR_ESL_FILE=%{SOURCE5}" + MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}" fi %endif cd %{name}-%{version}-%{efiarch} @@ -159,8 +150,8 @@ pesign -h -P -i shim%{efiarch}.efi -h > shim%{efiarch}.hash install -D -d -m 0755 $RPM_BUILD_ROOT%{_datadir}/shim/%{efiarch}-%{version}-%{release}/ install -m 0644 shim%{efiarch}.hash $RPM_BUILD_ROOT%{_datadir}/shim/%{efiarch}-%{version}-%{release}/shim%{efiarch}.hash for x in shim%{efiarch} mm%{efiarch} fb%{efiarch} ; do - install -m 0644 $x.efi $RPM_BUILD_ROOT%{_datadir}/shim/%{efiarch}-%{version}-%{release}/ - install -m 0644 $x.so $RPM_BUILD_ROOT%{_datadir}/shim/%{efiarch}-%{version}-%{release}/ + install -m 0644 $x.efi $RPM_BUILD_ROOT%{_datadir}/shim/%{efiarch}-%{version}-%{release}/ + install -m 0644 $x.so $RPM_BUILD_ROOT%{_datadir}/shim/%{efiarch}-%{version}-%{release}/ done %ifarch x86_64 
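Review bot: The retained `if [ -f "%{SOURCE1}" ]; then MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"; fi` guard in both the aarch64 and non-aarch64 branches silently omits the vendor certificate when the file is absent, and now that `Source1` is a declared source rather than a commented-out one, a missing `securebootca.cer` would yield a shim that embeds no vendor key instead of failing the build. rpmbuild may reject a declared-but-missing source before `%build` runs, but the guard itself never does, so if a cert-less build is not an intended configuration it should be made fatal, e.g. `[ -f "%{SOURCE1}" ] || { echo "vendor certificate %{SOURCE1} missing" >&2; exit 1; }`. The same applies to the `VENDOR_DBX_FILE` checks on `%{SOURCE2}`/`%{SOURCE3}`, though those sources are still commented out so an absent dbx is clearly deliberate there.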
@@ -169,40 +160,40 @@ pesign -h -P -i shimia32.efi -h > shimia32.hash install -D -d -m 0755 $RPM_BUILD_ROOT%{_datadir}/shim/ia32-%{version}-%{release}/ install -m 0644 shimia32.hash $RPM_BUILD_ROOT%{_datadir}/shim/ia32-%{version}-%{release}/shimia32.hash for x in shimia32 mmia32 fbia32 ; do - install -m 0644 $x.efi $RPM_BUILD_ROOT%{_datadir}/shim/ia32-%{version}-%{release}/ - install -m 0644 $x.so $RPM_BUILD_ROOT%{_datadir}/shim/ia32-%{version}-%{release}/ + install -m 0644 $x.efi $RPM_BUILD_ROOT%{_datadir}/shim/ia32-%{version}-%{release}/ + install -m 0644 $x.so $RPM_BUILD_ROOT%{_datadir}/shim/ia32-%{version}-%{release}/ done cd ../%{name}-%{version}-%{efiarch} %endif %ifarch x86_64 -%global __debug_install_post \ - bash %{SOURCE4} \\\ - %{?_missing_build_ids_terminate_build:--strict-build-id}\\\ - %{?_find_debuginfo_opts} \\\ - "%{_builddir}/%{?buildsubdir}/%{name}-%{version}-%{efiarch}" \ - rm -f $RPM_BUILD_ROOT%{_datadir}/shim/%{efiarch}-%{version}-%{release}/*.so \ - mv debugfiles.list ../debugfiles-%{efiarch}.list \ - cd .. \ - cd %{name}-%{version}-ia32 \ - bash %{SOURCE4} \\\ - %{?_missing_build_ids_terminate_build:--strict-build-id}\\\ - %{?_find_debuginfo_opts} \\\ - "%{_builddir}/%{?buildsubdir}/%{name}-%{version}-ia32" \ - rm -f $RPM_BUILD_ROOT%{_datadir}/shim/ia32-%{version}-%{release}/*.so \ - mv debugfiles.list ../debugfiles-ia32.list \ - cd .. \ - %{nil} +%global __debug_install_post \ + bash %{SOURCE4} \\\ + %{?_missing_build_ids_terminate_build:--strict-build-id}\\\ + %{?_find_debuginfo_opts} \\\ + "%{_builddir}/%{?buildsubdir}/%{name}-%{version}-%{efiarch}" \ + rm -f $RPM_BUILD_ROOT%{_datadir}/shim/%{efiarch}-%{version}-%{release}/*.so \ + mv debugfiles.list ../debugfiles-%{efiarch}.list \ + cd .. 
\ + cd %{name}-%{version}-ia32 \ + bash %{SOURCE4} \\\ + %{?_missing_build_ids_terminate_build:--strict-build-id}\\\ + %{?_find_debuginfo_opts} \\\ + "%{_builddir}/%{?buildsubdir}/%{name}-%{version}-ia32" \ + rm -f $RPM_BUILD_ROOT%{_datadir}/shim/ia32-%{version}-%{release}/*.so \ + mv debugfiles.list ../debugfiles-ia32.list \ + cd .. \ + %{nil} %else -%global __debug_install_post \ - bash %{SOURCE4} \\\ - %{?_missing_build_ids_terminate_build:--strict-build-id}\\\ - %{?_find_debuginfo_opts} \\\ - "%{_builddir}/%{?buildsubdir}/%{name}-%{version}-%{efiarch}" \ - rm -f $RPM_BUILD_ROOT%{_datadir}/shim/%{efiarch}-%{version}-%{release}/*.so \ - mv debugfiles.list ../debugfiles-%{efiarch}.list \ - cd .. \ - %{nil} +%global __debug_install_post \ + bash %{SOURCE4} \\\ + %{?_missing_build_ids_terminate_build:--strict-build-id}\\\ + %{?_find_debuginfo_opts} \\\ + "%{_builddir}/%{?buildsubdir}/%{name}-%{version}-%{efiarch}" \ + rm -f $RPM_BUILD_ROOT%{_datadir}/shim/%{efiarch}-%{version}-%{release}/*.so \ + mv debugfiles.list ../debugfiles-%{efiarch}.list \ + cd .. \ + %{nil} %endif %files -n shim-unsigned-%{efiarch} @@ -226,9 +217,9 @@ cd ../%{name}-%{version}-%{efiarch} %endif %changelog -* Mon Jul 23 2018 Fabian Arrotin - 12-2.el7.centos -- Added 0001-Add-vendor-esl.patch (Patrick Uiterwijk) -- Rebuilt with combined centos.esl (so new and previous crt) +* Mon Jun 18 2018 Peter Jones - 15-1 +- Update to shim 15 + Resolves: rhbz#1589961 * Thu Apr 27 2017 Peter Jones - 12-1 - Update to 12-1 to work around a signtool.exe bug