diff --git a/.gitignore b/.gitignore
index 3bb8d68..77ab307 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,7 +1,9 @@
 SOURCES/fbaa64.efi
 SOURCES/fbia32.efi
+SOURCES/fbx64.efi
 SOURCES/mmaa64.efi
 SOURCES/mmia32.efi
+SOURCES/mmx64.efi
 SOURCES/mokutil-0.3.0.tar.gz
 SOURCES/shimaa64.efi
 SOURCES/shimia32.efi
diff --git a/.shim-signed.metadata b/.shim-signed.metadata
index 10d71f8..7be0ad2 100644
--- a/.shim-signed.metadata
+++ b/.shim-signed.metadata
@@ -1,8 +1,10 @@
 937d1eead22e310da65b4592fb218249c0d5041c SOURCES/fbaa64.efi
-e27b24b43304e34e37261491842c998baed9689e SOURCES/fbia32.efi
+545139dbe10cee868f9b43a93c461ce0de324c9f SOURCES/fbia32.efi
+0673c2a55841ea9a035d29f6cdf250085e0924cb SOURCES/fbx64.efi
 ffa835477c88fae8da32b5cd6ebfe81e2408a67b SOURCES/mmaa64.efi
-570e5eeceb268cd9d13e594068ccc61d99a29a9f SOURCES/mmia32.efi
+ef4b2c7e5bc3d1ff3f986429dcf77d5915077e03 SOURCES/mmia32.efi
+e2965a728149dd3199ee92cbb0bd27c943014177 SOURCES/mmx64.efi
 8686e2ab33689a7f71268db3c8dc0a51ba291d93 SOURCES/mokutil-0.3.0.tar.gz
 98bcb76ae16cd4b6039a95b7ae700a6164f15d0d SOURCES/shimaa64.efi
-9fa2d212a3477d54c9d9a6d066eebc52800f8eb2 SOURCES/shimia32.efi
-8d761eaea27ae077d8bcbb79d89f236c4166c004 SOURCES/shimx64.efi
+34f10085e5231881d00f30c1bb9f637046f4dfc1 SOURCES/shimia32.efi
+01a1e5da0bc7c855477086a223281c38d5a64efe SOURCES/shimx64.efi
diff --git a/SPECS/shim-signed.spec b/SPECS/shim-signed.spec
index 356c4d8..ec09432 100644
--- a/SPECS/shim-signed.spec
+++ b/SPECS/shim-signed.spec
@@ -3,8 +3,8 @@
 # revocation, and aarch64 isn't signed into the UEFI chain anyhow.
 Name: shim-signed
-Version: 15.6
-Release: 3%{?dist}%{?buildid}
+Version: 15.8
+Release: 1.el7
 Summary: First-stage UEFI bootloader
 %define unsigned_release 3.el7
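Review bot: `Release: 1.el7` replaces `3%{?dist}%{?buildid}` in the Version/Release hunk with a hard-coded dist tag, so a rebuild for any other target, or one that sets `%{buildid}`, now produces a mislabelled NVR instead of deriving it from the macros. Keep the macro form, `Release: 1%{?dist}%{?buildid}`, which still yields `1.el7` on el7. The retained context line `%define unsigned_release 3.el7` still names the 15.6-era unsigned build; whether a matching 15.8 shim-unsigned exists is not visible here, so confirm that before leaving the define as is.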
@@ -15,16 +15,19 @@ URL: https://github.com/rhboot/shim/
 Source0: https://github.com/lcp/mokutil/archive/mokutil-%{mokutil_version}.tar.gz
 Source1: redhatsecureboot501.cer
 Source2: redhatsecurebootca5.cer
+
 Source10: shimx64.efi
 Source11: shimia32.efi
 Source12: shimaa64.efi
 Source20: BOOTX64.CSV
 Source21: BOOTIA32.CSV
 Source22: BOOTAA64.CSV
-Source31: mmaa64.efi
-Source32: fbaa64.efi
-Source33: mmia32.efi
-Source34: fbia32.efi
+Source30: mmx64.efi
+Source31: mmia32.efi
+Source32: mmaa64.efi
+Source40: fbx64.efi
+Source41: fbia32.efi
+Source42: fbaa64.efi
 Patch0001: 0001-Fix-the-potential-buffer-overflow.patch
 Patch0002: 0002-Fix-the-32bit-signedness-comparison.patch
@@ -60,9 +63,9 @@ BuildRequires: git
 BuildRequires: openssl-devel openssl
 BuildRequires: pesign >= 0.106-5%{dist}
 BuildRequires: efivar-devel
-%ifarch x86_64
-BuildRequires: shim-unsigned-%{efiarchlc} = %{version}-%{unsigned_release}
-%endif
+#%% ifarch x86_64
+#BuildRequires: shim-unsigned-%% {efiarchlc} = %% {version}-%% {unsigned_release}
+#%% endif
 # for mokutil's configure
 BuildRequires: autoconf automake
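Review bot: Commenting out `BuildRequires: shim-unsigned-%{efiarchlc} = %{version}-%{unsigned_release}` in the second hunk removes the only spec-level statement of which unsigned shim build the x86_64 binaries are supposed to come from, and leaves `%{unsigned_release}` with no remaining consumer anywhere in this diff. If the blobs in SOURCES are now the authoritative input, delete the three `#%%` lines and the `unsigned_release` define instead of parking them, and add a comment above `Source10`, `Source30` and `Source40` recording where shimx64.efi, mmx64.efi and fbx64.efi were obtained (upstream release or build ID) so the signing input can be reproduced; otherwise keep the BuildRequires and sign the package's files. Separately, reusing `Source31`/`Source32` for different files than before (they were the aarch64 mm/fb, now mmia32/mmaa64) means any reference not updated in this commit would silently sign the wrong binary — leaving retired numbers unused is the safer convention.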
@@ -155,20 +158,20 @@ cd ..
 %define vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}}
 %ifarch x86_64
-pesign -i %{shimsrc} -h -P > shim%{efiarchlc}.hash
-if ! cmp shim%{efiarchlc}.hash %{unsigned_dir}shim%{efiarchlc}.hash ; then
- echo Invalid signature\! > /dev/stderr
- echo saved hash is $(cat %{unsigned_dir}shim%{efiarchlc}.hash) > /dev/stderr
- echo shim%{efiarchlc}.efi hash is $(cat shim%{efiarchlc}.hash) > /dev/stderr
- exit 1
-fi
+#pesign -i %% {shimsrc} -h -P > shim%% {efiarchlc}.hash
+#if ! cmp shim%% {efiarchlc}.hash %% {unsigned_dir}shim%% {efiarchlc}.hash ; then
+# echo Invalid signature\! > /dev/stderr
+# echo saved hash is $(cat %% {unsigned_dir}shim%% {efiarchlc}.hash) > /dev/stderr
+# echo shim%% {efiarchlc}.efi hash is $(cat shim%% {efiarchlc}.hash) > /dev/stderr
+# exit 1
+#fi
 cp %{shimsrc} shim%{efiarchlc}.efi
 cp %{shimsrcia32} shimia32.efi
 %endif
 
 %ifarch x86_64
-%pesign -s -i %{unsigned_dir}shim%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot501 -o shim%{efiarchlc}-%{efidir}.efi
+%pesign -s -i %{SOURCE10} -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot501 -o shim%{efiarchlc}-%{efidir}.efi
 %pesign -s -i %{SOURCE11} -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot501 -o shimia32-%{efidir}.efi
 %endif
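Review bot: The hash comparison that tied the x86_64 shim to the shim-unsigned build is commented out rather than replaced, so this branch now copies `%{shimsrc}` and signs `%{SOURCE10}` without any build-time check of what those bytes are; the SHA-1 in .shim-signed.metadata is a fetch checksum, not a gate, and `%{shimsrc}` is defined outside this hunk, so it is not even visible whether it and `%{SOURCE10}` are the same file. Because the output of this step is the binary Secure Boot firmware will trust, keep a pinned check: ship the expected `pesign -h -P` digest of the imported 15.8 blob as a new source (say `Source13: shimx64.hash`, recorded when the file was added), `cmp` against it as the old code did, and delete the seven `#` lines instead of leaving dead code. If the blob is expected to arrive already carrying an upstream signature, a `pesign -i %{SOURCE10} -S` before re-signing would additionally confirm that; I am inferring the provenance from the file names, so adjust to whatever the import process actually guarantees.
```rpmspec
%ifarch x86_64
pesign -i %{SOURCE10} -h -P > shim%{efiarchlc}.hash
if ! cmp shim%{efiarchlc}.hash %{SOURCE13} ; then
	echo Invalid signature\! > /dev/stderr
	echo expected hash is $(cat %{SOURCE13}) > /dev/stderr
	echo shim%{efiarchlc}.efi hash is $(cat shim%{efiarchlc}.hash) > /dev/stderr
	exit 1
fi
# ... unchanged: the two cp lines ...
%endif
```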
@@ -183,16 +186,16 @@ cp shim%{efiarchlc}-%{efidir}.efi shim%{efiarchlc}.efi
 %endif
 
 %ifarch x86_64
-%pesign -s -i %{unsigned_dir}mm%{efiarchlc}.efi -o mm%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot501
-%pesign -s -i %{unsigned_dir}fb%{efiarchlc}.efi -o fb%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot501
+%pesign -s -i %{SOURCE30} -o mm%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot501
+%pesign -s -i %{SOURCE40} -o fb%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot501
 
-%pesign -s -i %{SOURCE33} -o mmia32.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot501
-%pesign -s -i %{SOURCE34} -o fbia32.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot501
+%pesign -s -i %{SOURCE31} -o mmia32.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot501
+%pesign -s -i %{SOURCE41} -o fbia32.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot501
 %endif
 
 %ifarch aarch64
-%pesign -s -i %{SOURCE31} -o mm%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot501
-%pesign -s -i %{SOURCE32} -o fb%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot501
+%pesign -s -i %{SOURCE32} -o mm%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot501
+%pesign -s -i %{SOURCE42} -o fb%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot501
 %endif
 
 cd mokutil-%{mokutil_version}
@@ -267,6 +270,10 @@ make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install
 %{_datadir}/bash-completion/completions/mokutil
 %changelog
+* Thu Mar 28 2024 Peter Jones - 15.8-1 - Update to shim-15.8 for CVE-2023-40547 Resolves: RHEL-11254 * Mon Apr 17 2023 Robbie Harwood - 15.6-3 - Restore old ia32 for compatibility - Resolves: #2007084
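Review bot: The six `%pesign -s` lines in the first hunk repeat the identical `-a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot501` tail, and after this commit `%{SOURCE31}` and `%{SOURCE32}` name different files than they did before, so a stale reference would sign an ia32 binary under an aa64 name with no build failure to flag it. A parametrised wrapper, `%define sign_efi() %pesign -s -i %1 -o %2 -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot501`, plus named source macros such as `%global mmx64_src %{SOURCE30}` would keep the signing arguments in one place and make a wrong-input mistake readable at review time. As with shimx64, nothing here checks that the mmx64/fbx64 blobs pulled from SOURCES are the 15.8 builds matching the shim being signed; the same pinned-digest check used for shim would close that gap.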