|
 |
2e2de3 |
%global pesign_vre 0.106-1
|
|
|
2e2de3 |
%global gnuefi_vre 1:3.0.5-6
|
|
|
2e2de3 |
%global openssl_vre 1.0.2j
|
|
|
2e2de3 |
|
|
|
2e2de3 |
%global debug_package %{nil}
|
|
|
2e2de3 |
%global __debug_package 1
|
|
|
2e2de3 |
%global _binaries_in_noarch_packages_terminate_build 0
|
|
|
2e2de3 |
%global __debug_install_post %{SOURCE100} x64 ia32
|
|
|
2e2de3 |
%undefine _debuginfo_subpackages
|
|
|
2e2de3 |
|
|
|
2e2de3 |
%global efidir %(eval echo $(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/'))
|
|
|
2e2de3 |
%global shimrootdir %{_datadir}/shim/
|
|
|
2e2de3 |
%global shimversiondir %{shimrootdir}/%{version}-%{release}
|
|
|
2e2de3 |
%global efiarch x64
|
|
|
2e2de3 |
%global shimdir %{shimversiondir}/%{efiarch}
|
|
|
2e2de3 |
%global efialtarch ia32
|
|
|
2e2de3 |
%global shimaltdir %{shimversiondir}/%{efialtarch}
|
|
|
2e2de3 |
|
|
|
2e2de3 |
Name: shim-unsigned-%{efiarch}
|
|
|
2e2de3 |
Version: 15
|
|
|
2e2de3 |
Release: 1%{?dist}
|
|
|
2e2de3 |
Summary: First-stage UEFI bootloader
|
|
|
2e2de3 |
ExclusiveArch: x86_64
|
|
|
2e2de3 |
License: BSD
|
|
|
2e2de3 |
URL: https://github.com/rhboot/shim
|
|
|
2e2de3 |
Source0: https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2
|
|
|
2e2de3 |
Source1: securebootca.cer
|
|
|
2e2de3 |
# currently here's what's in our dbx:
|
|
|
2e2de3 |
# nothing.
|
|
|
2e2de3 |
Source2: dbx.esl
|
|
|
2e2de3 |
|
|
|
2e2de3 |
Source100: shim-find-debuginfo.sh
|
|
|
2e2de3 |
|
|
|
2e2de3 |
BuildRequires: elfutils-libelf-devel
|
|
|
2e2de3 |
BuildRequires: git openssl-devel openssl
|
|
|
2e2de3 |
BuildRequires: pesign >= %{pesign_vre}
|
|
|
2e2de3 |
BuildRequires: gnu-efi >= %{gnuefi_vre}
|
|
|
2e2de3 |
BuildRequires: gnu-efi-devel >= %{gnuefi_vre}
|
|
|
2e2de3 |
|
|
|
2e2de3 |
# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
|
|
|
2e2de3 |
# compatible with SysV (there's no red zone under UEFI) and there isn't a
|
|
|
2e2de3 |
# POSIX-style C library.
|
|
|
2e2de3 |
# BuildRequires: OpenSSL
|
|
|
2e2de3 |
Provides: bundled(openssl) = %{openssl_vre}
|
|
|
2e2de3 |
|
|
|
2e2de3 |
%global desc \
|
|
|
2e2de3 |
Initial UEFI bootloader that handles chaining to a trusted full \
|
|
|
2e2de3 |
bootloader under secure boot environments.
|
|
|
2e2de3 |
%global debug_desc \
|
|
|
2e2de3 |
This package provides debug information for package %{expand:%%{name}} \
|
|
|
2e2de3 |
Debug information is useful when developing applications that \
|
|
|
2e2de3 |
use this package or when debugging this package.
|
|
|
2e2de3 |
|
|
|
2e2de3 |
%description
|
|
|
2e2de3 |
%desc
|
|
|
2e2de3 |
|
|
|
2e2de3 |
%package -n shim-unsigned-%{efialtarch}
|
|
|
2e2de3 |
Summary: First-stage UEFI bootloader (unsigned data)
|
|
|
2e2de3 |
Provides: bundled(openssl) = %{openssl_vre}
|
|
|
2e2de3 |
|
|
|
2e2de3 |
%description -n shim-unsigned-%{efialtarch}
|
|
|
2e2de3 |
%desc
|
|
|
2e2de3 |
|
|
|
2e2de3 |
%package debuginfo
|
|
|
2e2de3 |
Summary: Debug information for shim-unsigned-%{efiarch}
|
|
|
2e2de3 |
Requires: %{name}-debugsource = %{version}-%{release}
|
|
|
2e2de3 |
Group: Development/Debug
|
|
|
2e2de3 |
AutoReqProv: 0
|
|
|
2e2de3 |
BuildArch: noarch
|
|
|
2e2de3 |
|
|
|
2e2de3 |
%description debuginfo
|
|
|
2e2de3 |
%debug_desc
|
|
|
2e2de3 |
|
|
|
2e2de3 |
%package -n shim-unsigned-%{efialtarch}-debuginfo
|
|
|
2e2de3 |
Summary: Debug information for shim-unsigned-%{efialtarch}
|
|
|
2e2de3 |
Group: Development/Debug
|
|
|
2e2de3 |
Requires: %{name}-debugsource = %{version}-%{release}
|
|
|
2e2de3 |
AutoReqProv: 0
|
|
|
2e2de3 |
BuildArch: noarch
|
|
|
2e2de3 |
|
|
|
2e2de3 |
%description -n shim-unsigned-%{efialtarch}-debuginfo
|
|
|
2e2de3 |
%debug_desc
|
|
|
2e2de3 |
|
|
|
2e2de3 |
%package debugsource
|
|
|
2e2de3 |
Summary: Debug Source for shim-unsigned
|
|
|
2e2de3 |
Group: Development/Debug
|
|
|
2e2de3 |
AutoReqProv: 0
|
|
|
2e2de3 |
BuildArch: noarch
|
|
|
2e2de3 |
|
|
|
2e2de3 |
%description debugsource
|
|
|
2e2de3 |
%debug_desc
|
|
|
2e2de3 |
|
|
|
2e2de3 |
%prep
|
|
|
2e2de3 |
%autosetup -S git -n shim-%{version}
|
|
|
2e2de3 |
git config --unset user.email
|
|
|
2e2de3 |
git config --unset user.name
|
|
|
2e2de3 |
mkdir build-%{efiarch}
|
|
|
2e2de3 |
mkdir build-%{efialtarch}
|
|
|
2e2de3 |
|
|
|
2e2de3 |
%build
|
|
|
2e2de3 |
COMMITID=$(cat commit)
|
|
|
2e2de3 |
MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
|
|
|
2e2de3 |
MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
|
|
|
2e2de3 |
MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true "
|
|
|
2e2de3 |
MAKEFLAGS+="%{_smp_mflags}"
|
|
|
2e2de3 |
if [ -f "%{SOURCE1}" ]; then
|
|
|
2e2de3 |
MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
|
|
|
2e2de3 |
fi
|
|
|
2e2de3 |
if [ -f "%{SOURCE2}" ]; then
|
|
|
2e2de3 |
MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
|
|
|
2e2de3 |
fi
|
|
|
2e2de3 |
|
|
|
2e2de3 |
cd build-%{efiarch}
|
|
|
2e2de3 |
make ${MAKEFLAGS} DEFAULT_LOADER='\\\\grub%{efiarch}.efi' all
|
|
|
2e2de3 |
cd ..
|
|
|
2e2de3 |
|
|
|
2e2de3 |
cd build-%{efialtarch}
|
|
|
2e2de3 |
setarch linux32 -B make ${MAKEFLAGS} ARCH=%{efialtarch} DEFAULT_LOADER='\\\\grub%{efialtarch}.efi' all
|
|
|
2e2de3 |
cd ..
|
|
|
2e2de3 |
|
|
|
2e2de3 |
%install
|
|
|
2e2de3 |
COMMITID=$(cat commit)
|
|
|
2e2de3 |
MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
|
|
|
2e2de3 |
MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
|
|
|
2e2de3 |
MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true "
|
|
|
2e2de3 |
if [ -f "%{SOURCE1}" ]; then
|
|
|
2e2de3 |
MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
|
|
|
2e2de3 |
fi
|
|
|
2e2de3 |
if [ -f "%{SOURCE2}" ]; then
|
|
|
2e2de3 |
MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
|
|
|
2e2de3 |
fi
|
|
|
2e2de3 |
|
|
|
2e2de3 |
cd build-%{efiarch}
|
|
|
2e2de3 |
make ${MAKEFLAGS} \
|
|
|
2e2de3 |
DEFAULT_LOADER='\\\\grub%{efiarch}.efi' \
|
|
|
2e2de3 |
DESTDIR=${RPM_BUILD_ROOT} \
|
|
|
2e2de3 |
install-as-data install-debuginfo install-debugsource
|
|
|
2e2de3 |
cd ..
|
|
|
2e2de3 |
|
|
|
2e2de3 |
cd build-%{efialtarch}
|
|
|
2e2de3 |
setarch linux32 make ${MAKEFLAGS} ARCH=%{efialtarch} \
|
|
|
2e2de3 |
DEFAULT_LOADER='\\\\grub%{efialtarch}.efi' \
|
|
|
2e2de3 |
DESTDIR=${RPM_BUILD_ROOT} \
|
|
|
2e2de3 |
install-as-data install-debuginfo install-debugsource
|
|
|
2e2de3 |
cd ..
|
|
|
2e2de3 |
|
|
|
2e2de3 |
%files
|
|
|
2e2de3 |
%license COPYRIGHT
|
|
|
2e2de3 |
%dir %{shimrootdir}
|
|
|
2e2de3 |
%dir %{shimversiondir}
|
|
|
2e2de3 |
%dir %{shimdir}
|
|
|
2e2de3 |
%{shimdir}/*.efi
|
|
|
2e2de3 |
%{shimdir}/*.hash
|
|
|
2e2de3 |
|
|
|
2e2de3 |
%files -n shim-unsigned-%{efialtarch}
|
|
|
2e2de3 |
%license COPYRIGHT
|
|
|
2e2de3 |
%dir %{shimrootdir}
|
|
|
2e2de3 |
%dir %{shimversiondir}
|
|
|
2e2de3 |
%dir %{shimaltdir}
|
|
|
2e2de3 |
%{shimaltdir}/*.efi
|
|
|
2e2de3 |
%{shimaltdir}/*.hash
|
|
|
2e2de3 |
|
|
|
2e2de3 |
%files debuginfo -f build-%{efiarch}/debugfiles.list
|
|
|
2e2de3 |
|
|
|
2e2de3 |
%files -n shim-unsigned-%{efialtarch}-debuginfo -f build-%{efialtarch}/debugfiles.list
|
|
|
2e2de3 |
|
|
|
2e2de3 |
%files debugsource -f build-%{efiarch}/debugsource.list
|
|
|
2e2de3 |
|
|
|
2e2de3 |
%changelog
|
|
|
2e2de3 |
* Fri Jul 20 2018 Peter Jones <pjones@redhat.com> - 15-1
|
|
|
2e2de3 |
- Update to shim 15
|
|
|
2e2de3 |
|
|
|
2e2de3 |
* Tue Sep 19 2017 Peter Jones <pjones@redhat.com> - 13-3
|
|
|
2e2de3 |
- Actually update to the *real* 13 final.
|
|
|
2e2de3 |
Related: rhbz#1489604
|
|
|
2e2de3 |
|
|
|
2e2de3 |
* Thu Aug 31 2017 Peter Jones <pjones@redhat.com> - 13-2
|
|
|
2e2de3 |
- Actually update to 13 final.
|
|
|
2e2de3 |
|
|
|
2e2de3 |
* Fri Aug 18 2017 Peter Jones <pjones@redhat.com> - 13-1
|
|
|
2e2de3 |
- Make a new shim-unsigned-x64 package like the shim-unsigned-aarch64 one.
|
|
|
2e2de3 |
- This will (eventually) supersede what's in the "shim" package so we can
|
|
|
2e2de3 |
make "shim" hold the signed one, which will confuse fewer people.
|