Name: shim Version: 0.7 Release: 8%{?dist} Summary: First-stage UEFI bootloader License: BSD URL: http://www.codon.org.uk/~mjg59/shim/ Source0: https://github.com/mjg59/shim/releases/download/%{version}/shim-%{version}.tar.bz2 Source1: securebootca.cer # incorporate mokutil for packaging simplicity %global mokutilver 0.2.0 Source2: https://github.com/lcp/mokutil/archive/mokutil-%{mokutilver}.tar.gz # currently here's what's in our dbx: # nothing. #Source3: dbx.esl Source4: rhtest.cer Patch0001: 0001-fix-verify_mok.patch Patch0002: 0002-shim.c-Add-support-for-hashing-relocation-of-32-bit-.patch Patch0003: 0003-netboot.h-fix-build-error-on-32-bit-systems.patch Patch0004: 0004-properly-compile-OpenSSL-in-32-bit-mode.patch Patch0005: 0005-fallback.c-fix-32-bit-compilation.patch Patch0006: 0006-fix-fallback.so-build-dependency.patch Patch0007: 0007-propagate-some-path-variables.patch Patch0008: 0008-allow-32-bit-compilation-with-64-bit-compiler.patch Patch0009: 0009-shim-improve-error-messages.patch Patch0010: 0010-Clarify-meaning-of-insecure_mode.patch Patch0011: 0011-Don-t-hook-system-services-if-shim-has-no-built-in-k.patch Patch0012: 0012-Fix-path-generation-for-Dhcpv4-bootloader.patch Patch0013: 0013-Lengths-that-might-be-1-can-t-be-unsigned-Peter.patch Patch0014: 0014-Fix-wrong-sizeof.patch Patch0015: 0015-Initialize-entries-before-we-pass-it-to-another-func.patch Patch0016: 0016-Rewrite-directory-traversal-allocation-path-so-cover.patch Patch0017: 0017-Error-check-the-right-thing-in-get_variable_attr-whe.patch Patch0018: 0018-fallback-For-HD-device-paths-use-just-the-media-node.patch Patch0019: 0019-fallback-Attempt-to-re-use-existing-entries-when-pos.patch Patch0020: 0020-Add-a-preliminary-test-plan.patch Patch0021: 0021-Add-a-failure-case-to-the-test-plan-and-fix-an-order.patch Patch0022: 0022-Allow-fallback-to-use-the-system-s-LoadImage-StartIm.patch Patch0023: 0023-additional-bounds-checking-on-section-sizes.patch Patch0024: 0024-Kees-patch-missed-the-offset-adjustment-to-PEHdr.patch Patch0025: 0025-Get-rid-of-SectionCache-in-generate_hash-it-is-unuse.patch Patch0026: 0026-fallback-Avoid-duplicate-old-BootOrder.patch Patch0027: 0027-fallback-Fix-the-data-size-for-boot-option-compariso.patch Patch0028: 0028-fallback-Try-to-boot-the-first-boot-option-anyway.patch Patch0029: 0029-Fetch-the-netboot-image-from-the-same-device.patch Patch0030: 0030-Check-the-first-4-bytes-of-the-certificate.patch Patch0031: 0031-Remove-grubpath-in-generate_path.patch Patch0032: 0032-MokManager-delete-the-BS-NV-variables-the-right-way.patch Patch0033: 0033-MokManager-handle-the-error-status-from-ReadKeyStrok.patch Patch0034: 0034-Exclude-ca.crt-while-signing-EFI-images.patch Patch0035: 0035-No-newline-for-console_notify.patch Patch0036: 0036-Remove-the-duplicate-calls-in-lib-console.c.patch Patch0037: 0037-Silence-the-functions-of-shim-protocol.patch Patch0038: 0038-Free-the-string-from-DevicePathToStr.patch Patch0039: 0039-Explain-the-logic-in-secure_mode-better.patch Patch0040: 0040-Check-the-secure-variables-with-the-lib-functions.patch Patch0041: 0041-Make-sure-we-default-to-assuming-we-re-locked-down.patch Patch0042: 0042-Simplify-the-checking-of-SB-and-DB-states.patch Patch0043: 0043-Update-openssl-to-0.9.8za.patch Patch0044: 0044-Replace-build-instructions-in-README-with-something-.patch Patch0045: 0045-CryptLib-undefine-va_arg-and-friends-before-redefini.patch Patch0046: 0046-unhook_system_services-bail-on-systab-NULL.patch Patch0047: 0047-Factor-out-x86-isms-and-add-cross-compile-support.patch Patch0048: 0048-Add-support-for-64-bit-ARM-AArch64.patch Patch0049: 0049-Add-support-for-32-bit-ARM.patch Patch0050: 0050-Update-openssl-to-0.9.8zb.patch Patch0051: 0051-Fix-typo-from-Ard-s-old-tree-32-bit-ARM-patch.patch Patch0052: 0052-Handle-empty-.reloc-section-in-PE-COFF-loader.patch Patch0053: 0053-Don-t-name-something-exit.patch Patch0054: 0054-Make-sure-we-don-t-try-to-load-a-binary-from-a-diffe.patch Patch0055: 0055-Actually-refer-to-the-base-relocation-table-of-our-l.patch Patch0056: 0056-Make-64-on-32-maybe-work-on-x86_64.patch Patch0057: 0057-Validate-computed-hash-bases-hash-sizes-more-thoroug.patch Patch0058: 0058-Don-t-call-AuthenticodeVerify-if-vendor_cert_size-is.patch Patch0059: 0059-Fix-our-in_protocol-printing.patch Patch0060: 0060-Generate-a-sane-PE-header-on-shim-fallback-and-MokMa.patch Patch0061: 0061-Do-the-same-for-ia32.patch Patch0062: 0062-Make-list_keys-index-variables-all-be-signed.patch Patch0063: 0063-Revert-header-changes.patch Patch0064: 0064-Actually-find-the-relocations-correctly-and-process-.patch Patch0065: 0065-Don-t-append-an-empty-cert-list-to-MokListRT-if-vend.patch Patch0066: 0066-Fix-some-minor-testplan-errors.patch Patch0067: 0067-Don-t-verify-images-with-the-empty-build-key.patch Patch0068: 0068-Cryptlib-remove-the-unused-files.patch Patch0069: 0069-Another-testplan-error.patch Patch0070: 0070-shim-buffer-overflow-on-ipv6-option-parsing.patch Patch0071: 0071-OOB-access-when-parsing-MOK-List-Certificates-on-MOK.patch Patch0072: 0072-Make-another-integer-compare-be-signed-unsigned-safe.patch Patch0073: 0073-Use-Werror-sign-compare.patch Patch0074: 0074-Correctly-reject-bad-tftp-addresses-earlier-rather-t.patch BuildRequires: git openssl-devel openssl BuildRequires: pesign >= 0.106-1 BuildRequires: gnu-efi = 3.0u, gnu-efi-devel = 3.0u # for xxd BuildRequires: vim-common # for mokutil's configure BuildRequires: autoconf automake # Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not # compatible with SysV (there's no red zone under UEFI) and there isn't a # POSIX-style C library. # BuildRequires: OpenSSL Provides: bundled(openssl) = 0.9.8w # Shim is only required on platforms implementing the UEFI secure boot # protocol. The only one of those we currently wish to support is 64-bit x86. # Adding further platforms will require adding appropriate relocation code. ExclusiveArch: x86_64 %ifarch x86_64 %global efiarch x64 %endif %ifarch aarch64 %global efiarch aa64 %endif # Figure out the right file path to use %if 0%{?rhel} %global efidir redhat %endif %if 0%{?fedora} %global efidir fedora %endif %description Initial UEFI bootloader that handles chaining to a trusted full bootloader under secure boot environments. %package -n shim-unsigned Summary: First-stage UEFI bootloader (unsigned data) %description -n shim-unsigned Initial UEFI bootloader that handles chaining to a trusted full bootloader under secure boot environments. %package -n mokutil Summary: Utilities for managing Secure Boot/MoK keys. %description -n mokutil Utilities for managing the "Machine's Own Keys" list. %prep %setup -q %setup -q -a 2 -D -T git init git config user.email "example@example.com" git config user.name "rpmbuild -bp" git add . git commit -a -q -m "%{version} baseline." git am --ignore-whitespace %{patches} shim.hash install -D -d -m 0755 $RPM_BUILD_ROOT%{_datadir}/shim/ install -m 0644 shim.efi $RPM_BUILD_ROOT%{_datadir}/shim/shim.efi install -m 0644 shim.hash $RPM_BUILD_ROOT%{_datadir}/shim/shim.hash install -m 0644 fallback.efi $RPM_BUILD_ROOT%{_datadir}/shim/fallback.efi install -m 0644 MokManager.efi $RPM_BUILD_ROOT%{_datadir}/shim/MokManager.efi cd mokutil-%{mokutilver} make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install %files -n shim-unsigned %doc %dir %{_datadir}/shim %{_datadir}/shim/* %files -n mokutil /usr/bin/mokutil /usr/share/man/man1/mokutil.1.gz %changelog * Tue Sep 30 2014 Peter Jones - 0.7-8 - out-of-bounds memory read flaw in DHCPv6 packet processing Resolves: CVE-2014-3675 - heap-based buffer overflow flaw in IPv6 address parsing Resolves: CVE-2014-3676 - memory corruption flaw when processing Machine Owner Keys (MOKs) Resolves: CVE-2014-3677 * Tue Sep 23 2014 Peter Jones - 0.7-7 - Use the right key for ARM Aarch64. * Sun Sep 21 2014 Peter Jones - 0.7-6 - Preliminary build for ARM Aarch64. * Tue Feb 18 2014 Peter Jones - 0.7-5 - Update for production signing Resolves: rhbz#1064424 Related: rhbz#1064449 * Thu Nov 21 2013 Peter Jones - 0.7-4 - Make dhcpv4 paths work better when netbooting. Resolves: rhbz#1032583 * Thu Nov 14 2013 Peter Jones - 0.7-3 - Make lockdown include UEFI and other KEK/DB entries. Resolves: rhbz#1030492 * Fri Nov 08 2013 Peter Jones - 0.7-2 - Update lockdown to reflect SetupMode better as well Related: rhbz#996863 * Wed Nov 06 2013 Peter Jones - 0.7-1 - Fix logic to handle SetupMode efi variable. Related: rhbz#996863 * Thu Oct 31 2013 Peter Jones - 0.6-1 - Fix a FreePool(NULL) call on machines too old for SB * Fri Oct 04 2013 Peter Jones - 0.5-1 - Update to 0.5 * Tue Aug 06 2013 Peter Jones - 0.4-3 - Build with early RHEL test keys. Related: rhbz#989442 * Thu Jul 25 2013 Peter Jones - 0.4-2 - Fix minor RHEL 7.0 build issues Resolves: rhbz#978766 - Be less verbose by default * Tue Jun 11 2013 Peter Jones - 0.4-1 - Update to 0.4 * Fri Jun 07 2013 Peter Jones - 0.3-2 - Require gnu-efi-3.0q for now. - Don't allow mmx or sse during compilation. - Re-organize this so all real signing happens in shim-signed instead. - Split out mokutil * Wed Dec 12 2012 Peter Jones - 0.2-3 - Fix mokutil's idea of signature sizes. * Wed Nov 28 2012 Matthew Garrett - 0.2-2 - Fix secure_mode() always returning true * Mon Nov 26 2012 Matthew Garrett - 0.2-1 - Update shim - Include mokutil - Add debuginfo package since mokutil is a userspace executable * Mon Oct 22 2012 Peter Jones - 0.1-4 - Produce an unsigned shim * Tue Aug 14 2012 Peter Jones - 0.1-3 - Update how embedded cert and signing work. * Mon Aug 13 2012 Josh Boyer - 0.1-2 - Add patch to fix image size calculation * Mon Aug 13 2012 Matthew Garrett - 0.1-1 - initial release