From 11f6e10d512be247ec43091a583eabfe627c2930 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Jun 25 2015 13:38:13 +0000 Subject: import shim-signed-0.7-12.aa7a --- diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..414e76c --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +SOURCES/shimaa64.efi +SOURCES/shimx64.efi diff --git a/.shim-signed.metadata b/.shim-signed.metadata new file mode 100644 index 0000000..0310970 --- /dev/null +++ b/.shim-signed.metadata @@ -0,0 +1,2 @@ +e802f589adbf4ad580c420395197fb724f7f915a SOURCES/shimaa64.efi +1ed0450060202cea44d69a503da1b33004a963dc SOURCES/shimx64.efi diff --git a/README.md b/README.md deleted file mode 100644 index 0e7897f..0000000 --- a/README.md +++ /dev/null @@ -1,5 +0,0 @@ -The master branch has no content - -Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6 - -If you find this file in a distro specific branch, it means that no content has been checked in yet diff --git a/SOURCES/BOOT.CSV b/SOURCES/BOOT.CSV new file mode 100644 index 0000000..fd5fb6d Binary files /dev/null and b/SOURCES/BOOT.CSV differ diff --git a/SOURCES/secureboot.cer b/SOURCES/secureboot.cer new file mode 100644 index 0000000..4ff8b79 Binary files /dev/null and b/SOURCES/secureboot.cer differ diff --git a/SOURCES/securebootca.cer b/SOURCES/securebootca.cer new file mode 100644 index 0000000..b235400 Binary files /dev/null and b/SOURCES/securebootca.cer differ diff --git a/SPECS/shim-signed.spec b/SPECS/shim-signed.spec new file mode 100644 index 0000000..6806c5a --- /dev/null +++ b/SPECS/shim-signed.spec @@ -0,0 +1,236 @@ +Name: shim-signed +Version: 0.7 +Release: 12%{?dist} +Summary: First-stage UEFI bootloader +Provides: shim = %{version}-%{release} +%define unsigned_release 10%{?dist} +ExclusiveArch: aarch64 + +License: BSD +URL: http://www.codon.org.uk/~mjg59/shim/ +Source0: BOOT.CSV +Source1: shimx64.efi +Source2: shimaa64.efi +Source3: secureboot.cer +Source4: securebootca.cer +%ifarch x86_64 +%global efiarch X64 +%global shimsrc %{SOURCE1} +%endif +%ifarch aarch64 +%global efiarch AA64 +%global shimsrc %{SOURCE2} +%endif + +BuildRequires: shim-unsigned = %{version}-%{unsigned_release} +BuildRequires: pesign >= 0.106-5%{dist} + +# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not +# compatible with SysV (there's no red zone under UEFI) and there isn't a +# POSIX-style C library. +# BuildRequires: OpenSSL +Provides: bundled(openssl) = 0.9.8zb + +# Shim is only required on platforms implementing the UEFI secure boot +# protocol. The only one of those we currently wish to support is 64-bit x86. +# Adding further platforms will require adding appropriate relocation code. +ExclusiveArch: x86_64 aarch64 + +%global debug_package %{nil} + +# Figure out the right file path to use +%if 0%{?rhel} +%global efidir redhat +%endif +%if 0%{?fedora} +%global efidir fedora +%endif + +%define ca_signed_arches x86_64 +%define rh_signed_arches x86_64 aarch64 + +%description +Initial UEFI bootloader that handles chaining to a trusted full bootloader +under secure boot environments. This package contains the version signed by +the UEFI signing service. + +%package -n shim +Summary: First-stage UEFI bootloader +Requires: shim-unsigned = %{version}-%{unsigned_release} +Requires: mokutil = %{version}-%{unsigned_release} +Provides: shim-signed = %{version}-%{release} +Obsoletes: shim-signed < %{version}-%{release} + +%description -n shim +Initial UEFI bootloader that handles chaining to a trusted full bootloader +under secure boot environments. This package contains the version signed by +the UEFI signing service. + +%prep +cd %{_builddir} +rm -rf shim-signed-%{version} +mkdir shim-signed-%{version} + +%build +%define vendor_token_str %{expand:%%{nil}%%{?vendor_token_name:-t "%{vendor_token_name}"}} +%define vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}} + +cd shim-signed-%{version} +%ifarch %{ca_signed_arches} +pesign -i %{shimsrc} -h -P > shim.hash +if ! cmp shim.hash %{_datadir}/shim/shim.hash ; then + echo Invalid signature\! > /dev/stderr + exit 1 +fi +cp %{shimsrc} shim.efi +%endif +%ifarch %{rh_signed_arches} +%pesign -s -i %{_datadir}/shim/shim.efi -a %{SOURCE4} -c %{SOURCE3} -n redhatsecureboot301 -o shim-%{efidir}.efi +%endif +%ifarch %{rh_signed_arches} +%ifnarch %{ca_signed_arches} +cp shim-%{efidir}.efi shim.efi +%endif +%endif + +%pesign -s -i %{_datadir}/shim/MokManager.efi -o MokManager.efi -a %{SOURCE4} -c %{SOURCE3} -n redhatsecureboot301 +%pesign -s -i %{_datadir}/shim/fallback.efi -o fallback.efi -a %{SOURCE4} -c %{SOURCE3} -n redhatsecureboot301 + +%install +rm -rf $RPM_BUILD_ROOT +cd shim-signed-%{version} +install -D -d -m 0755 $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/ +install -m 0644 shim.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim.efi +install -m 0644 shim-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim-%{efidir}.efi +install -m 0644 MokManager.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/MokManager.efi +install -m 0644 %{SOURCE0} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT.CSV + +install -D -d -m 0755 $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/ +install -m 0644 shim.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/BOOT%{efiarch}.EFI +install -m 0644 fallback.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fallback.efi + +%files -n shim +/boot/efi/EFI/%{efidir}/shim.efi +/boot/efi/EFI/%{efidir}/shim-%{efidir}.efi +/boot/efi/EFI/%{efidir}/MokManager.efi +/boot/efi/EFI/%{efidir}/BOOT.CSV +/boot/efi/EFI/BOOT/BOOT%{efiarch}.EFI +/boot/efi/EFI/BOOT/fallback.efi + +%changelog +* Wed Feb 25 2015 Peter Jones - 0.7-12 +- Fix some minor build bugs on Aarch64 + Related: rhbz#1190191 + +* Tue Feb 24 2015 Peter Jones - 0.7-11 +- Fix section loading on Aarch64 + Related: rhbz#1190191 + +* Wed Dec 17 2014 Peter Jones - 0.7-10 +- Rebuild for Aarch64 to get \EFI\BOOT\BOOTAA64.EFI named right. + (I managed to fix the inputs but not the outputs in -9.) + Related: rhbz#1100048 + +* Wed Dec 17 2014 Peter Jones - 0.7-9 +- Rebuild for Aarch64 to get \EFI\BOOT\BOOTAA64.EFI named right. + Related: rhbz#1100048 + +* Tue Oct 21 2014 Peter Jones - 0.7-8 +- Build for aarch64 as well + Related: rhbz#1100048 +- out-of-bounds memory read flaw in DHCPv6 packet processing + Resolves: CVE-2014-3675 +- heap-based buffer overflow flaw in IPv6 address parsing + Resolves: CVE-2014-3676 +- memory corruption flaw when processing Machine Owner Keys (MOKs) + Resolves: CVE-2014-3677 + +* Tue Sep 23 2014 Peter Jones - 0.7-7 +- Make sure we use the right keys on Aarch64. + (It's only a demo at this stage.) + Related: rhbz#1100048 + +* Tue Sep 23 2014 Peter Jones - 0.7-6 +- Add ARM Aarch64. + Related: rhbz#1100048 + +* Thu Feb 27 2014 Peter Jones - 0.7-5.2 +- Get the right signatures on shim-redhat.efi + Related: rhbz#1064449 + +* Thu Feb 27 2014 Peter Jones - 0.7-5.1 +- Update for signed shim for RHEL 7 + Resolves: rhbz#1064449 + +* Thu Nov 21 2013 Peter Jones - 0.7-5 +- Fix shim-unsigned deps. + Related: rhbz#1032583 + +* Thu Nov 21 2013 Peter Jones - 0.7-4 +- Make dhcp4 work better. + Related: rhbz#1032583 + +* Thu Nov 14 2013 Peter Jones - 0.7-3 +- Make lockdown include UEFI and other KEK/DB entries. + Related: rhbz#1030492 + +* Fri Nov 08 2013 Peter Jones - 0.7-2 +- Handle SetupMode better in lockdown as well + Related: rhbz#996863 + +* Wed Nov 06 2013 Peter Jones - 0.7-1 +- Don't treat SetupMode variable's presence as meaning we're in SetupMode. + Related: rhbz#996863 + +* Wed Nov 06 2013 Peter Jones - 0.6-3 +- Use the correct CA and signer certificates. + Related: rhbz#996863 + +* Thu Oct 31 2013 Peter Jones - 0.6-1 +- Update to 0.6-1 + Resolves: rhbz#1008379 + +* Wed Aug 07 2013 Peter Jones - 0.4-3.2 +- Depend on newer pesign. + Related: rhbz#989442 + +* Tue Aug 06 2013 Peter Jones - 0.4-3.1 +- Rebuild with newer pesign + Related: rhbz#989442 + +* Tue Aug 06 2013 Peter Jones - 0.4-3 +- Update for RHEL signing with early test keys. + Related: rhbz#989442 + +* Thu Jun 20 2013 Peter Jones - 0.4-1 +- Provide a fallback for uninitialized Boot#### and BootOrder + Resolves: rhbz#963359 +- Move all signing from shim-unsigned to here +- properly compare our generated hash from shim-unsigned with the hash of + the signed binary (as opposed to doing it manually) + +* Fri May 31 2013 Peter Jones - 0.2-4.4 +- Re-sign to get alignments that match the new specification. + Resolves: rhbz#963361 + +* Thu Feb 14 2013 Fedora Release Engineering - 0.2-4.3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Wed Jan 02 2013 Peter Jones - 0.2-3.3 +- Add obsoletes and provides for earlier shim-signed packages, to cover + the package update cases where previous versions were installed. + Related: rhbz#888026 + +* Mon Dec 17 2012 Peter Jones - 0.2-3.2 +- Make the shim-unsigned dep be on the subpackage. + +* Sun Dec 16 2012 Peter Jones - 0.2-3.1 +- Rebuild to provide "shim" package directly instead of just as a Provides: + +* Sat Dec 15 2012 Peter Jones - 0.2-3 +- Also provide shim-fedora.efi, signed only by the fedora signer. +- Fix the fedora signature on the result to actually be correct. +- Update for shim-unsigned 0.2-3 + +* Mon Dec 03 2012 Peter Jones - 0.2-2 +- Initial build