From 5cf28a5edceff22c4deecc56291f1aaa1391a5c4 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Nov 19 2015 16:00:07 +0000
Subject: import shim-signed-0.9-2.el7

---
diff --git a/.gitignore b/.gitignore
index aa30530..0c69253 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,3 @@
-SOURCES/shim.efi
+SOURCES/mokutil-0.2.0.tar.gz
+SOURCES/shimaa64.efi
+SOURCES/shimx64.efi
diff --git a/.shim-signed.metadata b/.shim-signed.metadata
index 4fa034c..0af18e1 100644
--- a/.shim-signed.metadata
+++ b/.shim-signed.metadata
@@ -1 +1,3 @@
-1ed0450060202cea44d69a503da1b33004a963dc SOURCES/shim.efi
+ef680b489eb689a390ed2e1470eaaf2682ad5072 SOURCES/mokutil-0.2.0.tar.gz
+d20530c9661508272d70055c1c00bedd91c7fe7b SOURCES/shimaa64.efi
+3f24dd838c5c9e35b104fa2f3b74ac6a5bf92fd2 SOURCES/shimx64.efi
diff --git a/README.debrand b/README.debrand
deleted file mode 100644
index 01c46d2..0000000
--- a/README.debrand
+++ /dev/null
@@ -1,2 +0,0 @@
-Warning: This package was configured for automatic debranding, but the changes
-failed to apply.
diff --git a/SOURCES/0001-Fix-a-potential-buffer-overflow.patch b/SOURCES/0001-Fix-a-potential-buffer-overflow.patch
new file mode 100644
index 0000000..74a1111
--- /dev/null
+++ b/SOURCES/0001-Fix-a-potential-buffer-overflow.patch
@@ -0,0 +1,36 @@
+From d6e25f3f02a3be47a009032370899d9b7c527bbd Mon Sep 17 00:00:00 2001
+From: Peter Jones
+Date: Thu, 16 Jul 2015 16:09:46 -0400
+Subject: [PATCH 1/2] Fix a potential buffer overflow.
+
+Signed-off-by: Peter Jones
+---
+ mokutil-0.2.0/src/mokutil.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/mokutil-0.2.0/src/mokutil.c b/mokutil-0.2.0/src/mokutil.c
+index e7ea08f..44c8b72 100644
+--- a/mokutil-0.2.0/src/mokutil.c
++++ b/mokutil-0.2.0/src/mokutil.c
+@@ -1100,7 +1100,7 @@ set_validation (uint32_t state)
+ MokSBVar sbvar;
+ char *password = NULL;
+ int pw_len;
+- efi_char16_t efichar_pass[SB_PASSWORD_MAX];
++ efi_char16_t efichar_pass[SB_PASSWORD_MAX+1];
+ int ret = -1;
+ 
+ printf ("password length: %d~%d\n", SB_PASSWORD_MIN, SB_PASSWORD_MAX);
+@@ -1114,8 +1114,7 @@ set_validation (uint32_t state)
+ efichar_from_char (efichar_pass, password,
+ SB_PASSWORD_MAX * sizeof(efi_char16_t));
+ 
+- memcpy(sbvar.password, efichar_pass,
+- SB_PASSWORD_MAX * sizeof(efi_char16_t));
++ memcpy(sbvar.password, efichar_pass, sizeof (sbvar.password));
+ 
+ sbvar.mok_sb_state = state;
+ 
+-- 
+2.4.3
+
diff --git a/SOURCES/0002-Avoid-a-signed-comparison-error.patch b/SOURCES/0002-Avoid-a-signed-comparison-error.patch
new file mode 100644
index 0000000..d190c76
--- /dev/null
+++ b/SOURCES/0002-Avoid-a-signed-comparison-error.patch
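Review bot: `efichar_pass` is declared without an initializer and, unless something in the lines between the two hunks clears it, `efichar_from_char` only writes as many elements as the password has characters, so the new `memcpy(sbvar.password, efichar_pass, sizeof (sbvar.password))` copies whatever stack bytes lie past the converted text into `sbvar`, which this function presumably goes on to store as an EFI variable. Initializing the buffer, `efi_char16_t efichar_pass[SB_PASSWORD_MAX+1] = {0};`, keeps stale stack contents out of the variable payload at no cost. The copy is also only in bounds if `sizeof (sbvar.password)` does not exceed `(SB_PASSWORD_MAX+1) * sizeof(efi_char16_t)`; `MokSBVar` is not visible in this patch, so that relation deserves a comment or a static assertion next to the `memcpy`. `set_validation` starts and ends outside the hunk.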
@@ -0,0 +1,26 @@
+From 32a43bf51057e1f9adf0c49cc5246653ae9aeff1 Mon Sep 17 00:00:00 2001
+From: Peter Jones
+Date: Thu, 16 Jul 2015 16:13:42 -0400
+Subject: [PATCH 2/2] Avoid a signed comparison error.
+
+Signed-off-by: Peter Jones
+---
+ mokutil-0.2.0/src/mokutil.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mokutil-0.2.0/src/mokutil.c b/mokutil-0.2.0/src/mokutil.c
+index 44c8b72..ec7b044 100644
+--- a/mokutil-0.2.0/src/mokutil.c
++++ b/mokutil-0.2.0/src/mokutil.c
+@@ -1201,7 +1201,7 @@ test_key (const char *key_file)
+ }
+ 
+ read_size = read (fd, key, buf.st_size);
+- if (read_size < 0 || read_size != buf.st_size) {
++ if (read_size < 0 || read_size != (int64_t)buf.st_size) {
+ fprintf (stderr, "Failed to read %s\n", key_file);
+ goto error;
+ }
+-- 
+2.4.3
+
diff --git a/SPECS/shim-signed.spec b/SPECS/shim-signed.spec
index d03a22d..a45eea8 100644
--- a/SPECS/shim-signed.spec
+++ b/SPECS/shim-signed.spec
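Review bot: The `(int64_t)` cast removes the comparison warning but leaves the single `read()` call as is, so a short read — legitimate if `key_file` is a pipe or its size changes between the presumed `fstat` that fills `buf` and the read — is reported as `Failed to read` and the function fails closed. That is a reasonable policy for a key file, but it should be stated so nobody later "fixes" it by weakening the length check; a comment above the call such as `/* single read(): anything shorter than st_size is rejected, not retried */` would do. The declaration of `read_size`, the allocation of `key` and the stat of the file are all outside the hunk, so whether `key` really holds `buf.st_size` bytes cannot be confirmed here; `test_key` starts and ends outside the hunk.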
@@ -1,19 +1,45 @@ Name: shim-signed -Version: 0.7 -Release: 8%{?dist} +Version: 0.9 +Release: 2%{?dist} Summary: First-stage UEFI bootloader Provides: shim = %{version}-%{release} -%define unsigned_release 8%{?dist} +%define unsigned_release 1.el7 License: BSD URL: http://www.codon.org.uk/~mjg59/shim/ -Source0: shim.efi -Source1: BOOT.CSV -Source2: secureboot.cer -Source3: securebootca.cer +# incorporate mokutil for packaging simplicity +%global mokutil_version 0.2.0 +Source0: https://github.com/lcp/mokutil/archive/mokutil-%{mokutil_version}.tar.gz +Patch0001: 0001-Fix-a-potential-buffer-overflow.patch +Patch0002: 0002-Avoid-a-signed-comparison-error.patch + +Source1: shimx64.efi +Source2: shimaa64.efi +Source3: secureboot.cer +Source4: securebootca.cer +Source5: BOOT.CSV + +%ifarch x86_64 +%global efiarch X64 +%global efiarchlc x64 +%global shimsrc %{SOURCE1} +%endif +%ifarch aarch64 +%global efiarch AA64 +%global efiarchlc aa64 +%global shimsrc %{SOURCE2} +%endif +%define unsigned_dir %{_datadir}/shim/%{efiarchlc}-%{version}-%{unsigned_release}/ -BuildRequires: shim-unsigned = %{version}-%{unsigned_release} +BuildRequires: git +BuildRequires: openssl-devel openssl BuildRequires: pesign >= 0.106-5%{dist} +BuildRequires: efivar-devel +# BuildRequires: shim-unsigned = %{version}-%{unsigned_release} +BuildRequires: shim-unsigned = %{version}-%{unsigned_release} + +# for mokutil's configure +BuildRequires: autoconf automake # Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not # compatible with SysV (there's no red zone under UEFI) and there isn't a 
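Review bot: `BuildRequires: shim-unsigned = %{version}-%{unsigned_release}` now appears twice in the dependency block, once live and once as the commented-out `# BuildRequires:` line directly above it; the commented copy is dead text and should be dropped. `%define unsigned_release 1.el7` also replaces the former `8%{?dist}` with a hard-coded dist tag, so `%{unsigned_dir}` and the shim-unsigned BuildRequires are pinned to one specific el7 build of shim-unsigned regardless of `%{?dist}`. If that pin is deliberate (presumably so the hash comparison in %prep is against the exact unsigned build that was submitted for signing), a comment next to the define, `# must match the NVR of the shim-unsigned build whose shim.hash is checked in %prep`, would keep the next maintainer from "fixing" it back to `%{?dist}`.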
@@ -26,15 +52,24 @@ Provides: bundled(openssl) = 0.9.8zb
 # Adding further platforms will require adding appropriate relocation code.
 ExclusiveArch: x86_64 aarch64
 
-%global debug_package %{nil}
+%define debug_package \
+%ifnarch noarch\
+%global __debug_package 1\
+%package -n mokutil-debuginfo\
+Summary: Debug information for package %{name}\
+Group: Development/Debug\
+AutoReqProv: 0\
+%description -n mokutil-debuginfo\
+This package provides debug information for package %{name}.\
+Debug information is useful when developing applications that use this\
+package or when debugging this package.\
+%files -n mokutil-debuginfo -f debugfiles.list\
+%defattr(-,root,root)\
+%endif\
+%{nil}
 
 # Figure out the right file path to use
-%if 0%{?rhel}
-%global efidir redhat
-%endif
-%if 0%{?fedora}
-%global efidir fedora
-%endif
+%global efidir %(eval echo $(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/'))
 
 %define ca_signed_arches x86_64
 %define rh_signed_arches x86_64 aarch64
@@ -46,8 +81,7 @@ the UEFI signing service.
 
 %package -n shim
 Summary: First-stage UEFI bootloader
-Requires: shim-unsigned = %{version}-%{unsigned_release}
-Requires: mokutil = %{version}-%{unsigned_release}
+Requires: mokutil = %{version}-%{release}
 Provides: shim-signed = %{version}-%{release}
 Obsoletes: shim-signed < %{version}-%{release}
 
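Review bot: `%global efidir %(eval echo $(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/'))` derives the ESP directory from the build host's /etc/os-release at spec parse time, so a host whose `ID=` line is missing or unexpected yields an empty or unintended `%{efidir}`, and every `/boot/efi/EFI/%{efidir}/` path in %install and %files silently moves with it. A guard right after the definition, `%if "%{efidir}" == ""` / `%{error:efidir could not be determined from /etc/os-release}` / `%endif`, turns that into a build failure. The removed `%if 0%{?rhel}` / `%if 0%{?fedora}` selection did not depend on the build host; if the shell lookup is needed for downstream rebuilds under a different ID, the existing `# Figure out the right file path to use` comment should say so.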
@@ -56,26 +90,39 @@ Initial UEFI bootloader that handles chaining to a trusted full bootloader under secure boot environments. This package contains the version signed by the UEFI signing service. +%package -n mokutil +Summary: Utilities for managing Secure Boot/MoK keys. + +%description -n mokutil +Utilities for managing the "Machine's Own Keys" list. + %prep -cd %{_builddir} -rm -rf shim-signed-%{version} -mkdir shim-signed-%{version} +%setup -T -c -n shim-signed-%{version} +%setup -q -D -a 0 -n shim-signed-%{version} -c +#%%setup -T -D -n shim-signed-%{version} +git init +git config user.email "example@example.com" +git config user.name "rpmbuild -bp" +git add . +git commit -a -q -m "%{version} baseline." +git am --ignore-whitespace %{patches} shim.hash -if ! cmp shim.hash %{_datadir}/shim/shim.hash ; then +pesign -i %{shimsrc} -h -P > shim.hash +if ! cmp shim.hash %{unsigned_dir}shim.hash ; then echo Invalid signature\! > /dev/stderr exit 1 fi -cp %{SOURCE0} shim.efi +cp %{shimsrc} shim.efi %endif %ifarch %{rh_signed_arches} -%pesign -s -i %{_datadir}/shim/shim.efi -a %{SOURCE3} -c %{SOURCE2} -n redhatsecureboot301 -o shim-%{efidir}.efi +%pesign -s -i %{unsigned_dir}shim.efi -a %{SOURCE4} -c %{SOURCE3} -n redhatsecureboot301 -o shim-%{efidir}.efi %endif %ifarch %{rh_signed_arches} %ifnarch %{ca_signed_arches} 
@@ -83,32 +130,84 @@ cp shim-%{efidir}.efi shim.efi %endif %endif -%pesign -s -i %{_datadir}/shim/MokManager.efi -o MokManager.efi -a %{SOURCE3} -c %{SOURCE2} -n redhatsecureboot301 -%pesign -s -i %{_datadir}/shim/fallback.efi -o fallback.efi -a %{SOURCE3} -c %{SOURCE2} -n redhatsecureboot301 +%pesign -s -i %{unsigned_dir}MokManager.efi -o MokManager.efi -a %{SOURCE4} -c %{SOURCE3} -n redhatsecureboot301 +%pesign -s -i %{unsigned_dir}fallback.efi -o fallback.efi -a %{SOURCE4} -c %{SOURCE3} -n redhatsecureboot301 + +cd mokutil-%{mokutil_version} +./autogen.sh +%configure +make %{?_smp_mflags} %install rm -rf $RPM_BUILD_ROOT -cd shim-signed-%{version} install -D -d -m 0755 $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/ install -m 0644 shim.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim.efi install -m 0644 shim-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim-%{efidir}.efi install -m 0644 MokManager.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/MokManager.efi -install -m 0644 %{SOURCE1} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT.CSV +install -m 0644 %{SOURCE5} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT.CSV install -D -d -m 0755 $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/ -install -m 0644 shim.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/BOOTX64.EFI +install -m 0644 shim.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/BOOT%{efiarch}.EFI install -m 0644 fallback.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fallback.efi +cd mokutil-%{mokutil_version} +make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install + %files -n shim /boot/efi/EFI/%{efidir}/shim.efi /boot/efi/EFI/%{efidir}/shim-%{efidir}.efi /boot/efi/EFI/%{efidir}/MokManager.efi /boot/efi/EFI/%{efidir}/BOOT.CSV -/boot/efi/EFI/BOOT/BOOTX64.EFI +/boot/efi/EFI/BOOT/BOOT%{efiarch}.EFI /boot/efi/EFI/BOOT/fallback.efi +%files -n mokutil +%{!?_licensedir:%global license %%doc} +%license mokutil-%{mokutil_version}/COPYING +%doc mokutil-%{mokutil_version}/README +%{_bindir}/mokutil +%{_mandir}/man1/* + %changelog -* Thu Oct 16 2014 Peter 
Jones - 0.7-8 +* Mon Jul 20 2015 Peter Jones - 0.9-2 +- Apparently I'm *never* going to learn to build this in the right target + the first time through. + Related: rhbz#1100048 + +* Mon Jun 29 2015 Peter Jones - 0.9-0.1 +- Bump version for 0.9 + Also use mokutil-0.3.0 + Related: rhbz#1100048 + +* Tue Jun 23 2015 Peter Jones - 0.7-14.1 +- Fix mokutil_version usage. + Related: rhbz#1100048 + +* Mon Jun 22 2015 Peter Jones - 0.7-14 +- Pull in aarch64 build so they can compose that tree. + (-14 to match -unsigned) + Related: rhbz#1100048 + +* Wed Feb 25 2015 Peter Jones - 0.7-12 +- Fix some minor build bugs on Aarch64 + Related: rhbz#1190191 + +* Tue Feb 24 2015 Peter Jones - 0.7-11 +- Fix section loading on Aarch64 + Related: rhbz#1190191 + +* Wed Dec 17 2014 Peter Jones - 0.7-10 +- Rebuild for Aarch64 to get \EFI\BOOT\BOOTAA64.EFI named right. + (I managed to fix the inputs but not the outputs in -9.) + Related: rhbz#1100048 + +* Wed Dec 17 2014 Peter Jones - 0.7-9 +- Rebuild for Aarch64 to get \EFI\BOOT\BOOTAA64.EFI named right. + Related: rhbz#1100048 + +* Tue Oct 21 2014 Peter Jones - 0.7-8 +- Build for aarch64 as well + Related: rhbz#1100048 - out-of-bounds memory read flaw in DHCPv6 packet processing Resolves: CVE-2014-3675 - heap-based buffer overflow flaw in IPv6 address parsing @@ -116,6 +215,15 @@ install -m 0644 fallback.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fallback.efi - memory corruption flaw when processing Machine Owner Keys (MOKs) Resolves: CVE-2014-3677 +* Tue Sep 23 2014 Peter Jones - 0.7-7 +- Make sure we use the right keys on Aarch64. + (It's only a demo at this stage.) + Related: rhbz#1100048 + +* Tue Sep 23 2014 Peter Jones - 0.7-6 +- Add ARM Aarch64. + Related: rhbz#1100048 + * Thu Feb 27 2014 Peter Jones - 0.7-5.2 - Get the right signatures on shim-redhat.efi Related: rhbz#1064449
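Review bot: The 0.9-0.1 changelog entry says `Also use mokutil-0.3.0`, but this spec sets `%global mokutil_version 0.2.0`, ships `mokutil-0.2.0.tar.gz` and patches `mokutil-0.2.0/src/mokutil.c`, so the changelog misstates which mokutil is bundled and should read 0.2.0 or be annotated. In the same hunk the new `make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install` line uses `%{buildroot}` while the surrounding %install section keeps `$RPM_BUILD_ROOT`; both expand identically, but the section should settle on one form. The `cd mokutil-%{mokutil_version}` added to %build runs after the `%pesign` calls with no return to the top-level directory, which is fine only because %install starts a fresh shell; a short comment there would make that dependency explicit.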