Name: shim
Version: 0.7
Release: 5%{?dist}
Summary: First-stage UEFI bootloader

License: BSD
URL: http://www.codon.org.uk/~mjg59/shim/
Source0: https://github.com/mjg59/shim/archive/%{version}.tar.gz
Source1: securebootca.cer
# incorporate mokutil for packaging simplicity
%global mokutilver 0.2.0
Source2: https://github.com/lcp/mokutil/archive/mokutil-%{mokutilver}.tar.gz
# currently here's what's in our dbx:
# nothing.
#Source3: dbx.esl

Patch0001: 0001-fix-verify_mok.patch
Patch0002: 0002-shim.c-Add-support-for-hashing-relocation-of-32-bit-.patch
Patch0003: 0003-netboot.h-fix-build-error-on-32-bit-systems.patch
Patch0004: 0004-properly-compile-OpenSSL-in-32-bit-mode.patch
Patch0005: 0005-fallback.c-fix-32-bit-compilation.patch
Patch0006: 0006-fix-fallback.so-build-dependency.patch
Patch0007: 0007-propagate-some-path-variables.patch
Patch0008: 0008-allow-32-bit-compilation-with-64-bit-compiler.patch
Patch0009: 0009-shim-improve-error-messages.patch
Patch0010: 0010-Clarify-meaning-of-insecure_mode.patch
Patch0011: 0011-Don-t-hook-system-services-if-shim-has-no-built-in-k.patch
Patch0012: 0012-Fix-path-generation-for-Dhcpv4-bootloader.patch
Patch0013: 0013-Lengths-that-might-be-1-can-t-be-unsigned-Peter.patch
Patch0014: 0014-Fix-wrong-sizeof.patch
Patch0015: 0015-Initialize-entries-before-we-pass-it-to-another-func.patch
Patch0016: 0016-Rewrite-directory-traversal-allocation-path-so-cover.patch
Patch0017: 0017-Error-check-the-right-thing-in-get_variable_attr-whe.patch
Patch0018: 0018-fallback-For-HD-device-paths-use-just-the-media-node.patch
Patch0019: 0019-fallback-Attempt-to-re-use-existing-entries-when-pos.patch
Patch0020: 0001-Add-a-preliminary-test-plan.patch
Patch0021: 0002-Fix-a-part-of-the-test-plan-that-was-out-of-order.patch
Patch0022: 0003-Allow-fallback-to-use-the-system-s-LoadImage-StartIm.patch
Patch0023: 0001-Actually-reflect-the-upstream-commit-this-patchset-g.patch

BuildRequires: git openssl-devel openssl
BuildRequires: pesign >= 0.106-1
BuildRequires: gnu-efi = 3.0u, gnu-efi-devel = 3.0u
# for xxd
BuildRequires: vim-common
# for mokutil's configure
BuildRequires: autoconf automake
# Shim uses OpenSSL, but cannot use the system copy: UEFI on x86_64 uses the
# Microsoft x64 calling convention rather than the SysV one, guarantees no red
# zone, and provides no POSIX-style C library, so OpenSSL is built into the
# binary instead.
# BuildRequires: OpenSSL
Provides: bundled(openssl) = 0.9.8w
# Shim is only required on platforms implementing the UEFI secure boot
# protocol. The only one of those we currently wish to support is 64-bit x86.
# Adding further platforms will require adding appropriate relocation code.
ExclusiveArch: x86_64

# Figure out the right file path to use
%if 0%{?rhel}
%global efidir redhat
%endif
%if 0%{?fedora}
%global efidir fedora
%endif

%description
Initial UEFI bootloader that handles chaining to a trusted full bootloader
under secure boot environments.

%package -n shim-unsigned
Summary: First-stage UEFI bootloader (unsigned data)

%description -n shim-unsigned
Initial UEFI bootloader that handles chaining to a trusted full bootloader
under secure boot environments.

%package -n mokutil
Summary: Utilities for managing Secure Boot/MOK keys

%description -n mokutil
Utilities for managing the Machine Owner Key (MOK) list.

%prep
%setup -q
%setup -q -a 2 -D -T
git init
git config user.email "shim-owner@fedoraproject.org"
git config user.name "Fedora Ninjas"
git add .
git commit -a -q -m "%{version} baseline."
git am %{patches}

shim.hash

%install
install -D -d -m 0755 $RPM_BUILD_ROOT%{_datadir}/shim/
install -m 0644 shim.efi $RPM_BUILD_ROOT%{_datadir}/shim/shim.efi
install -m 0644 shim.hash $RPM_BUILD_ROOT%{_datadir}/shim/shim.hash
install -m 0644 fallback.efi $RPM_BUILD_ROOT%{_datadir}/shim/fallback.efi
install -m 0644 MokManager.efi $RPM_BUILD_ROOT%{_datadir}/shim/MokManager.efi
cd mokutil-%{mokutilver}
make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install

%files -n shim-unsigned
%doc
%dir %{_datadir}/shim
%{_datadir}/shim/*

%files -n mokutil
/usr/bin/mokutil
/usr/share/man/man1/mokutil.1.gz

%changelog
* Tue Feb 18 2014 Peter Jones - 0.7-5
- Update for production signing
  Resolves: rhbz#1064424
  Related: rhbz#1064449

* Thu Nov 21 2013 Peter Jones - 0.7-4
- Make dhcpv4 paths work better when netbooting.
  Resolves: rhbz#1032583

* Thu Nov 14 2013 Peter Jones - 0.7-3
- Make lockdown include UEFI and other KEK/DB entries.
  Resolves: rhbz#1030492

* Fri Nov 08 2013 Peter Jones - 0.7-2
- Update lockdown to reflect SetupMode better as well
  Related: rhbz#996863

* Wed Nov 06 2013 Peter Jones - 0.7-1
- Fix logic to handle SetupMode efi variable.
  Related: rhbz#996863

* Thu Oct 31 2013 Peter Jones - 0.6-1
- Fix a FreePool(NULL) call on machines too old for SB

* Fri Oct 04 2013 Peter Jones - 0.5-1
- Update to 0.5

* Tue Aug 06 2013 Peter Jones - 0.4-3
- Build with early RHEL test keys.
  Related: rhbz#989442

* Thu Jul 25 2013 Peter Jones - 0.4-2
- Fix minor RHEL 7.0 build issues
  Resolves: rhbz#978766
- Be less verbose by default

* Tue Jun 11 2013 Peter Jones - 0.4-1
- Update to 0.4

* Fri Jun 07 2013 Peter Jones - 0.3-2
- Require gnu-efi-3.0q for now.
- Don't allow mmx or sse during compilation.
- Re-organize this so all real signing happens in shim-signed instead.
- Split out mokutil

* Wed Dec 12 2012 Peter Jones - 0.2-3
- Fix mokutil's idea of signature sizes.
* Wed Nov 28 2012 Matthew Garrett - 0.2-2
- Fix secure_mode() always returning true

* Mon Nov 26 2012 Matthew Garrett - 0.2-1
- Update shim
- Include mokutil
- Add debuginfo package since mokutil is a userspace executable

* Mon Oct 22 2012 Peter Jones - 0.1-4
- Produce an unsigned shim

* Tue Aug 14 2012 Peter Jones - 0.1-3
- Update how embedded cert and signing work.

* Mon Aug 13 2012 Josh Boyer - 0.1-2
- Add patch to fix image size calculation

* Mon Aug 13 2012 Matthew Garrett - 0.1-1
- initial release
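The spec above references two Secure Boot artifacts without showing their wire format: the (currently empty) vendor revocation list `dbx.esl`, which is an EFI_SIGNATURE_LIST blob, and `shim.hash`, a SHA-256 PE image hash of the kind that gets enrolled in db, dbx or MOK as an EFI_CERT_SHA256 entry. The following is an added example, not code from shim, mokutil or this package: a small parser and builder for EFI_SIGNATURE_LIST data with the size checks a practitioner wants when reading `.esl` files or the live `dbx` variable from efivarfs. The two signature-type GUIDs and the 28-byte list header layout come from the UEFI specification; the owner GUID, the three image hashes and the "certificate" bytes are constructed placeholders (the latter is not a real DER certificate).

```python
"""Parse and build UEFI EFI_SIGNATURE_LIST (".esl") blobs.

Added example, not part of the shim or mokutil sources. Layout per the UEFI
specification: a 28-byte EFI_SIGNATURE_LIST header (SignatureType GUID,
SignatureListSize, SignatureHeaderSize, SignatureSize) followed by
EFI_SIGNATURE_DATA entries, each a 16-byte SignatureOwner GUID plus the
signature bytes. SignatureSize counts the owner GUID too.
"""
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# Owner GUID for the constructed entries below (an arbitrary, made-up value).
EXAMPLE_OWNER_GUID = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")

# UEFI GUIDs are stored mixed-endian; uuid's bytes_le matches that encoding.
_HDR = struct.Struct("<16sIII")  # type, list size, header size, signature size


def build_esl(sig_type, entries, owner=EXAMPLE_OWNER_GUID):
    """Serialise one EFI_SIGNATURE_LIST holding `entries` of one type/length."""
    if not entries:
        raise ValueError("an EFI_SIGNATURE_LIST needs at least one entry")
    sizes = {len(e) for e in entries}
    if len(sizes) != 1:
        raise ValueError("all entries in one list must have the same size")
    sig_size = 16 + sizes.pop()
    body = b"".join(owner.bytes_le + e for e in entries)
    return _HDR.pack(sig_type.bytes_le, _HDR.size + len(body), 0, sig_size) + body


def parse_esl(blob):
    """Yield (type_guid, owner_guid, data) for every entry in a concatenation
    of EFI_SIGNATURE_LISTs, rejecting inconsistent size fields."""
    off = 0
    while off < len(blob):
        if len(blob) - off < _HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at %d" % off)
        raw_type, list_size, hdr_size, sig_size = _HDR.unpack_from(blob, off)
        if list_size < _HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize %d at %d" % (list_size, off))
        if sig_size <= 16:
            raise ValueError("SignatureSize must exceed the 16-byte owner GUID")
        data_len = list_size - _HDR.size - hdr_size
        if data_len % sig_size:
            raise ValueError("signature data is not a multiple of SignatureSize")
        sig_type = uuid.UUID(bytes_le=raw_type)
        pos = off + _HDR.size + hdr_size
        for _ in range(data_len // sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off += list_size


def strip_efivarfs_attrs(var_bytes):
    """efivarfs prefixes each variable (e.g. dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f)
    with a 4-byte attribute word; the EFI_SIGNATURE_LIST data follows it."""
    return var_bytes[4:]


def is_revoked(dbx_blob, pe_hash):
    """True if the 32-byte SHA-256 PE image hash is an EFI_CERT_SHA256 entry."""
    return any(t == EFI_CERT_SHA256_GUID and d == pe_hash
               for t, _, d in parse_esl(dbx_blob))


def rejects(blob):
    """True if parse_esl refuses `blob` as malformed."""
    try:
        list(parse_esl(blob))
    except ValueError:
        return True
    return False


def summarize(blob):
    """Return [(type name, hex data)] for each entry, for display or checks."""
    names = {EFI_CERT_SHA256_GUID: "sha256", EFI_CERT_X509_GUID: "x509"}
    return [(names.get(t, str(t)), d.hex()) for t, _, d in parse_esl(blob)]


# Constructed sample data: stand-ins for PE image hashes and a fake cert.
HASH_A = hashlib.sha256(b"constructed image A").digest()
HASH_B = hashlib.sha256(b"constructed image B").digest()
HASH_C = hashlib.sha256(b"constructed image C").digest()
FAKE_CERT_DER = b"\x30\x82\x00\x10" + b"\x00" * 16  # placeholder, not a real cert

SAMPLE_DBX = (build_esl(EFI_CERT_SHA256_GUID, [HASH_A, HASH_B])
              + build_esl(EFI_CERT_X509_GUID, [FAKE_CERT_DER]))

if __name__ == "__main__":
    for kind, data in summarize(SAMPLE_DBX):
        print(kind, data)
    print("A revoked:", is_revoked(SAMPLE_DBX, HASH_A))
    print("C revoked:", is_revoked(SAMPLE_DBX, HASH_C))
```

To inspect a real machine, read the variable file from `/sys/firmware/efi/efivars/`, pass it through `strip_efivarfs_attrs`, and feed the result to `parse_esl`; a `.esl` file like the `dbx.esl` the spec anticipates needs no stripping. Note that a SHA-256 list has SignatureSize 48, not 32, because the owner GUID is part of every EFI_SIGNATURE_DATA entry.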