diff --git a/.gitignore b/.gitignore
index 9b85752..6b84d7a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/shim-15.4.tar.bz2
+SOURCES/shim-15.6.tar.bz2
diff --git a/.shim-unsigned-x64.metadata b/.shim-unsigned-x64.metadata
index 1a84976..b5fa713 100644
--- a/.shim-unsigned-x64.metadata
+++ b/.shim-unsigned-x64.metadata
@@ -1 +1 @@
-d70485792a300bfa66f551adf7ae766451dfe7c0 SOURCES/shim-15.4.tar.bz2
+3df0ab5cefc74fdf865cb36aea0e923cb4b6b3ed SOURCES/shim-15.6.tar.bz2
diff --git a/SOURCES/0001-Fix-a-broken-file-header-on-ia32.patch b/SOURCES/0001-Fix-a-broken-file-header-on-ia32.patch
deleted file mode 100644
index 1fbcb33..0000000
--- a/SOURCES/0001-Fix-a-broken-file-header-on-ia32.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 1bea91ba72165d97c3b453cf769cb4bc5c07207a Mon Sep 17 00:00:00 2001
-From: Peter Jones
-Date: Wed, 31 Mar 2021 14:54:52 -0400
-Subject: [PATCH] Fix a broken file header on ia32
-
-Commit c6281c6a195edee61185 needs to have included a ". = ALIGN(4096)"
-directive before .reloc, but fails to do so.
-
-As a result, binutils, which does not care about the actual binary
-format's constraints in any way, does not enforce the section alignment,
-and it will not load.
-
-Signed-off-by: Peter Jones
----
- elf_ia32_efi.lds | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/elf_ia32_efi.lds b/elf_ia32_efi.lds
-index 742e0a47a73..497a3a15265 100644
---- a/elf_ia32_efi.lds
-+++ b/elf_ia32_efi.lds
-@@ -15,6 +15,7 @@ SECTIONS
- *(.gnu.linkonce.t.*)
- _etext = .;
- }
-+ . = ALIGN(4096);
- .reloc :
- {
- *(.reloc)
---
-2.30.2
-
diff --git a/SOURCES/dbx.esl b/SOURCES/dbx.esl
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/SOURCES/dbx.esl
diff --git a/SOURCES/sbat.redhat.csv b/SOURCES/sbat.redhat.csv
index bc47dae..2135543 100644
--- a/SOURCES/sbat.redhat.csv
+++ b/SOURCES/sbat.redhat.csv
@@ -1 +1 @@
-shim.redhat,1,Red Hat,shim,15.4-4,secalert@redhat.com
+shim.redhat,1,Red Hat Inc,shim,15.5,secalert@redhat.com
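Review bot: The vendor_version field of the new sbat.redhat.csv line reads `15.5` while this same commit moves the package to shim 15.6 (the spec's `Version: 15.6` change), so the two are out of step. Only the generation field (`1`) is what SBAT revocation compares, so enforcement is unaffected, but the version is what someone reads out of the `.sbat` section when triaging a revocation and it should name what was actually shipped, presumably `shim.redhat,1,Red Hat Inc,shim,15.6,secalert@redhat.com`. Whether 15.5 is deliberate cannot be told from this page, so confirm before changing it.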
diff --git a/SOURCES/shim-find-debuginfo.sh b/SOURCES/shim-find-debuginfo.sh index d656fc9..7e882ff 100755 --- a/SOURCES/shim-find-debuginfo.sh +++ b/SOURCES/shim-find-debuginfo.sh @@ -20,9 +20,9 @@ fi findsource() { ( - cd "${RPM_BUILD_ROOT}" - find usr/src/debug/ -type d | sed -e "s,^,%dir /," | sort -u | tac - find usr/src/debug/ -type f | sed -e "s,^,/," | sort -u | tac + cd ${RPM_BUILD_ROOT} + find usr/src/debug/ -type d | sed "s,^,%dir /," + find usr/src/debug/ -type f | sed "s,^,/," ) } @@ -32,12 +32,9 @@ finddebug() declare -a dirs=() declare -a files=() declare -a excludes=() - declare -a tmp=() - pushd "${RPM_BUILD_ROOT}" >/dev/null 2>&1 - - mapfile -t tmp < <(find usr/lib/debug/ -type f -iname "*.efi.debug") - for x in "${tmp[@]}" ; do + pushd ${RPM_BUILD_ROOT} >/dev/null 2>&1 + for x in $(find usr/lib/debug/ -type f -iname *.efi.debug); do if ! [ -e "${x}" ]; then break fi @@ -60,10 +57,8 @@ finddebug() excludes[${#excludes[@]}]=${x%%.debug} fi done - for x in "${files[@]}" ; do - declare name - - name=$(dirname "/${x}") + for x in ${files[@]} ; do + declare name=$(dirname /${x}) while [ "${name}" != "/" ]; do case "${name}" in "/usr/lib/debug"|"/usr/lib"|"/usr") @@ -72,24 +67,24 @@ finddebug() dirs[${#dirs[@]}]=${name} ;; esac - name=$(dirname "${name}") + name=$(dirname ${name}) done done popd >/dev/null 2>&1 - for x in "${dirs[@]}" ; do + for x in ${dirs[@]} ; do echo "%dir ${x}" done | sort | uniq - for x in "${files[@]}" ; do + for x in ${files[@]} ; do echo "/${x}" done | sort | uniq - for x in "${excludes[@]}" ; do + for x in ${excludes[@]} ; do echo "%exclude /${x}" done } -findsource > "build-${mainarch}/debugsource.list" -finddebug "${mainarch}" > "build-${mainarch}/debugfiles.list" +findsource > build-${mainarch}/debugsource.list +finddebug ${mainarch} > build-${mainarch}/debugfiles.list if [ -v altarch ]; then - finddebug "${altarch}" > "build-${altarch}/debugfiles.list" + finddebug ${altarch} > build-${altarch}/debugfiles.list fi 
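Review bot: In the new `findsource`, `cd ${RPM_BUILD_ROOT}` is both unquoted and unchecked, so if the variable is empty or the directory is missing the subshell stays where it is and the two `find usr/src/debug/` calls silently emit an empty or wrong debugsource list; `cd "${RPM_BUILD_ROOT:?}" || exit 1` stops the subshell instead. The same loss of quoting runs through the other three hunks of this file: `pushd ${RPM_BUILD_ROOT}`, `for x in ${files[@]}`, `for x in ${dirs[@]}`, `for x in ${excludes[@]}` and the `build-${mainarch}/...` redirection targets all word-split and glob on their values, where `"${files[@]}"`-style quoting changes nothing for well-formed paths and protects the rest.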
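Review bot: `for x in $(find usr/lib/debug/ -type f -iname *.efi.debug)` in the new `finddebug` has two defects: the unquoted `*.efi.debug` is expanded by the shell before `find` runs, so if a matching file exists in the directory just pushd'd to, `-iname` receives that filename rather than the pattern, and the word-splitting loop breaks on any path containing whitespace. Quoting the pattern (`-iname '*.efi.debug'`) fixes the first; reading results NUL-delimited, `while IFS= read -r -d '' x; do ...; done < <(find usr/lib/debug/ -type f -iname '*.efi.debug' -print0)`, fixes the second. The `pushd ${RPM_BUILD_ROOT}` on the preceding line is also unchecked, so a failed pushd leaves the loop walking the wrong tree. finddebug's opening line is before this hunk and its body continues after it.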
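Review bot: `declare name=$(dirname /${x})` folds the assignment into `declare`, so the exit status of `dirname` is replaced by `declare`'s own (always 0) and a failure there goes unnoticed; keep the declaration and the assignment apart, `declare name; name=$(dirname "/${x}")`. The `name=$(dirname ${name})` in the following hunk does not have the masking problem but should be quoted the same way. This hunk sits in the middle of `finddebug`.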
diff --git a/SOURCES/shim.patches b/SOURCES/shim.patches new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/SOURCES/shim.patches diff --git a/SPECS/shim-unsigned-x64.spec b/SPECS/shim-unsigned-x64.spec index 32435b7..af8e455 100644 --- a/SPECS/shim-unsigned-x64.spec +++ b/SPECS/shim-unsigned-x64.spec @@ -1,6 +1,13 @@ %global pesign_vre 0.106-1 +%global gnuefi_vre 1:3.0.5-6 %global openssl_vre 1.0.2j +%global debug_package %{nil} +%global __debug_package 1 +%global _binaries_in_noarch_packages_terminate_build 0 +%global __debug_install_post %{SOURCE100} x64 ia32 +%undefine _debuginfo_subpackages + %global efidir %(eval echo $(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/')) %global shimrootdir %{_datadir}/shim/ %global shimversiondir %{shimrootdir}/%{version}-%{release} @@ -9,32 +16,24 @@ %global efialtarch ia32 %global shimaltdir %{shimversiondir}/%{efialtarch} -%global debug_package %{nil} -%global __debug_package 1 -%global _binaries_in_noarch_packages_terminate_build 0 -%global __debug_install_post %{SOURCE100} %{efiarch} %{efialtarch} -%undefine _debuginfo_subpackages - -# currently here's what's in our dbx: nothing -%global dbxfile %{nil} - Name: shim-unsigned-%{efiarch} -Version: 15.4 -Release: 4%{?dist} +Version: 15.6 +Release: 1.el8 Summary: First-stage UEFI bootloader ExclusiveArch: x86_64 License: BSD URL: https://github.com/rhboot/shim Source0: https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2 Source1: redhatsecurebootca5.cer -%if 0%{?dbxfile} -Source2: %{dbxfile} -%endif +# currently here's what's in our dbx: +# nothing. +Source2: dbx.esl Source3: sbat.redhat.csv +Source4: shim.patches Source100: shim-find-debuginfo.sh -Patch0001: 0001-Fix-a-broken-file-header-on-ia32.patch +%include %{SOURCE4} BuildRequires: gcc make BuildRequires: elfutils-libelf-devel 
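Review bot: `%global __debug_install_post %{SOURCE100} x64 ia32` in the first spec hunk hard-codes the two architecture names that `%{efiarch}` and `%{efialtarch}` define a few lines further down, so a change to either macro would leave the debuginfo script invoked with stale arch names. The likely reason is that `%global` expands its body at definition time and those macros are not yet defined at line 7; either move this definition back below `%global efialtarch ia32`, where the previous layout had it, or defer the expansion with `%global __debug_install_post %{SOURCE100} %%{efiarch} %%{efialtarch}`. Either way a one-line comment stating why the definition lives where it does would prevent the next reordering from breaking it.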
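Review bot: `Release: 1.el8` in the second spec hunk hard-codes the dist tag that the previous `4%{?dist}` took from the build environment, so the same spec built in a tag that sets `%dist` differently would still be labelled `.el8`; `Release: 1%{?dist}` yields the changelog's `15.6-1.el8` on RHEL 8 and stays correct elsewhere. Separately, `Source2: dbx.esl` is added as an empty file under a comment saying "nothing", and `%include %{SOURCE4}` pulls in an equally empty `shim.patches`; a comment next to `Source4` saying the file is intentionally empty and that downstream patches are listed there as `Patch` lines would spare the next maintainer a detour through the tarball.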
@@ -68,6 +67,7 @@ Provides: bundled(openssl) = %{openssl_vre} %package debuginfo Summary: Debug information for shim-unsigned-%{efiarch} +Requires: %{name}-debugsource = %{version}-%{release} Group: Development/Debug AutoReqProv: 0 BuildArch: noarch @@ -78,6 +78,7 @@ BuildArch: noarch %package -n shim-unsigned-%{efialtarch}-debuginfo Summary: Debug information for shim-unsigned-%{efialtarch} Group: Development/Debug +Requires: %{name}-debugsource = %{version}-%{release} AutoReqProv: 0 BuildArch: noarch @@ -94,7 +95,7 @@ BuildArch: noarch %debug_desc %prep -%autosetup -S git -n shim-%{version} +%autosetup -S git_am -n shim-%{version} git config --unset user.email git config --unset user.name mkdir build-%{efiarch} @@ -107,14 +108,12 @@ MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} " MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} " MAKEFLAGS+="ENABLE_SHIM_HASH=true " MAKEFLAGS+="%{_smp_mflags}" -if [ -f "%{SOURCE1}" ]; then +if [ -s "%{SOURCE1}" ]; then MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}" fi -%if 0%{?dbxfile} -if [ -f "%{SOURCE2}" ]; then +if [ -s "%{SOURCE2}" ]; then MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}" fi -%endif cd build-%{efiarch} make ${MAKEFLAGS} \ @@ -123,8 +122,7 @@ make ${MAKEFLAGS} \ cd .. cd build-%{efialtarch} -setarch linux32 -B make ${MAKEFLAGS} \ - ARCH=%{efialtarch} \ +setarch linux32 -B make ${MAKEFLAGS} ARCH=%{efialtarch} \ DEFAULT_LOADER='\\\\grub%{efialtarch}.efi' \ all cd .. 
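Review bot: In the %build hunk (`@@ -107,14 +108,12 @@`), switching the test on `%{SOURCE1}` from `-f` to `-s` makes the vendor certificate as optional as the dbx: a zero-length or unreadable `redhatsecurebootca5.cer` no longer fails the build, it just drops `VENDOR_CERT_FILE` from MAKEFLAGS and the build presumably proceeds to a shim with no vendor cert embedded. Treating the dbx as optional is right (`dbx.esl` is intentionally empty), but the cert is what this package exists to embed, so its branch should fail loudly: `if [ -s "%{SOURCE1}" ]; then MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"; else echo "vendor cert %{SOURCE1} missing or empty" >&2; exit 1; fi`. The identical `-s` change in the %install section on the next hunk line needs the same treatment.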
@@ -133,15 +131,13 @@ cd .. COMMITID=$(cat commit) MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} " MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} " -MAKEFLAGS+="ENABLE_SHIM_HASH=true " -if [ -f "%{SOURCE1}" ]; then +MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true " +if [ -s "%{SOURCE1}" ]; then MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}" fi -%if 0%{?dbxfile} -if [ -f "%{SOURCE2}" ]; then +if [ -s "%{SOURCE2}" ]; then MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}" fi -%endif cd build-%{efiarch} make ${MAKEFLAGS} \ @@ -151,8 +147,7 @@ make ${MAKEFLAGS} \ cd .. cd build-%{efialtarch} -setarch linux32 make ${MAKEFLAGS} \ - ARCH=%{efialtarch} \ +setarch linux32 make ${MAKEFLAGS} ARCH=%{efialtarch} \ DEFAULT_LOADER='\\\\grub%{efialtarch}.efi' \ DESTDIR=${RPM_BUILD_ROOT} \ install-as-data install-debuginfo install-debugsource @@ -163,18 +158,18 @@ cd .. %dir %{shimrootdir} %dir %{shimversiondir} %dir %{shimdir} +%{shimdir}/*.CSV %{shimdir}/*.efi %{shimdir}/*.hash -%{shimdir}/*.CSV %files -n shim-unsigned-%{efialtarch} %license COPYRIGHT %dir %{shimrootdir} %dir %{shimversiondir} %dir %{shimaltdir} +%{shimaltdir}/*.CSV %{shimaltdir}/*.efi %{shimaltdir}/*.hash -%{shimaltdir}/*.CSV %files debuginfo -f build-%{efiarch}/debugfiles.list 
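Review bot: The %install section now passes `ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true` while the %build section above still passes only `ENABLE_SHIM_HASH=true`, so `make ... install-as-data` runs under a different configuration than the one the binaries were compiled with; depending on the Makefile's dependency rules this either installs binaries built without HTTP boot or quietly rebuilds them during %install with it. Both sections should derive MAKEFLAGS identically, so either add `ENABLE_HTTPBOOT=true` to the %build line as well or drop it here if it is not meant to ship. The enclosing %install script begins before this hunk.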
@@ -183,63 +178,49 @@ cd .. %files debugsource -f build-%{efiarch}/debugsource.list %changelog -* Thu Apr 01 2021 Peter Jones - 15.4-4 -- Fix the sbat data to actually match /this/ product. - Resolves: CVE-2020-14372 - Resolves: CVE-2020-25632 - Resolves: CVE-2020-25647 - Resolves: CVE-2020-27749 - Resolves: CVE-2020-27779 - Resolves: CVE-2021-20225 - Resolves: CVE-2021-20233 - -* Wed Mar 31 2021 Peter Jones - 15.4-3 -- Build with the correct certificate trust list for this OS. - Resolves: CVE-2020-14372 - Resolves: CVE-2020-25632 - Resolves: CVE-2020-25647 - Resolves: CVE-2020-27749 - Resolves: CVE-2020-27779 - Resolves: CVE-2021-20225 - Resolves: CVE-2021-20233 - -* Wed Mar 31 2021 Peter Jones - 15.4-2 -- Fix the ia32 build. - Resolves: CVE-2020-14372 - Resolves: CVE-2020-25632 - Resolves: CVE-2020-25647 - Resolves: CVE-2020-27749 - Resolves: CVE-2020-27779 - Resolves: CVE-2021-20225 - Resolves: CVE-2021-20233 - -* Tue Mar 30 2021 Peter Jones - 15.4-1 -- Update to shim 15.4 - - Support for revocations via the ".sbat" section and SBAT EFI variable - - A new unit test framework and a bunch of unit tests - - No external gnu-efi dependency - - Better CI - Resolves: CVE-2020-14372 - Resolves: CVE-2020-25632 - Resolves: CVE-2020-25647 - Resolves: CVE-2020-27749 - Resolves: CVE-2020-27779 - Resolves: CVE-2021-20225 - Resolves: CVE-2021-20233 - -* Wed Mar 24 2021 Peter Jones - 15.3-0~1 -- Update to shim 15.3 - - Support for revocations via the ".sbat" section and SBAT EFI variable - - A new unit test framework and a bunch of unit tests - - No external gnu-efi dependency - - Better CI - Resolves: CVE-2020-14372 - Resolves: CVE-2020-25632 - Resolves: CVE-2020-25647 - Resolves: CVE-2020-27749 - Resolves: CVE-2020-27779 - Resolves: CVE-2021-20225 - Resolves: CVE-2021-20233 +* Wed Jun 01 2022 Peter Jones - 15.6-1.el8 +- Update to shim-15.6 + Resolves: CVE-2022-28737 + +* Thu Sep 17 2020 Peter Jones - 15-9.el8 +- Fix an incorrect allocation size. 
+ Related: rhbz#1877253 + +* Thu Jul 30 2020 Peter Jones - 15-8 +- Fix a load-address-dependent forever loop. + Resolves: rhbz#1861977 + Related: CVE-2020-10713 + Related: CVE-2020-14308 + Related: CVE-2020-14309 + Related: CVE-2020-14310 + Related: CVE-2020-14311 + Related: CVE-2020-15705 + Related: CVE-2020-15706 + Related: CVE-2020-15707 + +* Sat Jul 25 2020 Peter Jones - 15-7 +- Implement Lenny's workaround + Related: CVE-2020-10713 + Related: CVE-2020-14308 + Related: CVE-2020-14309 + Related: CVE-2020-14310 + Related: CVE-2020-14311 + +* Fri Jul 24 2020 Peter Jones - 15-5 +- Once more with the MokListRT config table patch added. + Related: CVE-2020-10713 + Related: CVE-2020-14308 + Related: CVE-2020-14309 + Related: CVE-2020-14310 + Related: CVE-2020-14311 + +* Thu Jul 23 2020 Peter Jones - 15-4 +- Rebuild for bug fixes and new signing keys + Related: CVE-2020-10713 + Related: CVE-2020-14308 + Related: CVE-2020-14309 + Related: CVE-2020-14310 + Related: CVE-2020-14311 * Wed Jun 05 2019 Javier Martinez Canillas - 15-3 - Make EFI variable copying fatal only on secureboot enabled systems