diff --git a/.shim-signed.metadata b/.shim-signed.metadata
index 384dd1d..4fa034c 100644
--- a/.shim-signed.metadata
+++ b/.shim-signed.metadata
@@ -1 +1 @@
-3fb967f4f5604474e74fa9e7b55ffbc21072b5c2 SOURCES/shim.efi
+1ed0450060202cea44d69a503da1b33004a963dc SOURCES/shim.efi
diff --git a/SOURCES/BOOT.CSV b/SOURCES/BOOT.CSV
index 2599e60..fd5fb6d 100644
Binary files a/SOURCES/BOOT.CSV and b/SOURCES/BOOT.CSV differ
diff --git a/SOURCES/centos.cer b/SOURCES/centos.cer
deleted file mode 100644
index 00a5580..0000000
Binary files a/SOURCES/centos.cer and /dev/null differ
diff --git a/SOURCES/secureboot.cer b/SOURCES/secureboot.cer
new file mode 100644
index 0000000..4ff8b79
Binary files /dev/null and b/SOURCES/secureboot.cer differ
diff --git a/SOURCES/securebootca.cer b/SOURCES/securebootca.cer
new file mode 100644
index 0000000..b235400
Binary files /dev/null and b/SOURCES/securebootca.cer differ
diff --git a/SPECS/shim-signed.spec b/SPECS/shim-signed.spec
index 9380ce1..d03a22d 100644
--- a/SPECS/shim-signed.spec
+++ b/SPECS/shim-signed.spec
@@ -1,15 +1,16 @@
 Name: shim-signed
 Version: 0.7
-Release: 5.2%{?dist}
+Release: 8%{?dist}
 Summary: First-stage UEFI bootloader
 Provides: shim = %{version}-%{release}
-%define unsigned_release 5%{?dist}
+%define unsigned_release 8%{?dist}
 License: BSD
 URL: http://www.codon.org.uk/~mjg59/shim/
 Source0: shim.efi
 Source1: BOOT.CSV
-Source2: centos.cer
+Source2: secureboot.cer
+Source3: securebootca.cer
 BuildRequires: shim-unsigned = %{version}-%{unsigned_release}
 BuildRequires: pesign >= 0.106-5%{dist}
@@ -18,12 +19,12 @@ BuildRequires: pesign >= 0.106-5%{dist}
 # compatible with SysV (there's no red zone under UEFI) and there isn't a
 # POSIX-style C library.
 # BuildRequires: OpenSSL
-Provides: bundled(openssl) = 0.9.8w
+Provides: bundled(openssl) = 0.9.8zb
 # Shim is only required on platforms implementing the UEFI secure boot
 # protocol. The only one of those we currently wish to support is 64-bit x86.
 # Adding further platforms will require adding appropriate relocation code.
-ExclusiveArch: x86_64
+ExclusiveArch: x86_64 aarch64
 %global debug_package %{nil}
@@ -35,6 +36,9 @@ ExclusiveArch: x86_64
 %global efidir fedora
 %endif
+%define ca_signed_arches x86_64
+%define rh_signed_arches x86_64 aarch64
+
 %description
 Initial UEFI bootloader that handles chaining to a trusted full bootloader under secure boot environments. This package contains the version signed by
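Review bot: The comment kept on the new side directly above `ExclusiveArch: x86_64 aarch64` still states that 64-bit x86 is the only platform we wish to support and that further platforms need relocation code, which now contradicts the value beneath it. Reword it to match, e.g. `# protocol. We currently build it for 64-bit x86 and aarch64.`, and either drop the relocation-code sentence or say where that support lives if the aarch64 build in shim-unsigned already provides it (not visible from this spec).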
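Review bot: `ca_signed_arches` and `rh_signed_arches` are introduced without any comment, so their meaning can only be recovered by reading the %build logic further down. Document them where they are defined, e.g. `# ca_signed_arches: arches whose shim.efi (Source0) is signed by the external CA; it is only accepted if its PE hash matches the locally built shim-unsigned binary` and `# rh_signed_arches: arches for which shim is additionally signed here with the vendor certificate (Source2/Source3)`. It is also worth stating that every arch in ExclusiveArch must appear in rh_signed_arches, because the unconditional `install -m 0644 shim-%{efidir}.efi` in %install depends on the file that only the rh_signed_arches branch produces.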
@@ -62,27 +66,32 @@ mkdir shim-signed-%{version}
 %define vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}}
 cd shim-signed-%{version}
+%ifarch %{ca_signed_arches}
 pesign -i %{SOURCE0} -h -P > shim.hash
 if ! cmp shim.hash %{_datadir}/shim/shim.hash ; then
 echo Invalid signature\! > /dev/stderr
 exit 1
 fi
-pesign -i %{SOURCE0} -o clean.efi -r -u 0
-%pesign -s -i clean.efi -a %{SOURCE2} -c %{SOURCE2} -n redhatsecureboot301 -o tmp.efi
-pesign -i tmp.efi -e shim-redhat.sig
-rm tmp.efi
-pesign -i %{SOURCE0} -o shim.efi -m shim-redhat.sig -u 1
-pesign -i %{SOURCE0} -o tmp.efi -r -u 0
-pesign -i tmp.efi -o shim-redhat.efi -m shim-redhat.sig
-%pesign -s -i %{_datadir}/shim/MokManager.efi -o MokManager.efi -a %{SOURCE2} -c %{SOURCE2} -n redhatsecureboot301
-%pesign -s -i %{_datadir}/shim/fallback.efi -o fallback.efi -a %{SOURCE2} -c %{SOURCE2} -n redhatsecureboot301
+cp %{SOURCE0} shim.efi
+%endif
+%ifarch %{rh_signed_arches}
+%pesign -s -i %{_datadir}/shim/shim.efi -a %{SOURCE3} -c %{SOURCE2} -n redhatsecureboot301 -o shim-%{efidir}.efi
+%endif
+%ifarch %{rh_signed_arches}
+%ifnarch %{ca_signed_arches}
+cp shim-%{efidir}.efi shim.efi
+%endif
+%endif
+
+%pesign -s -i %{_datadir}/shim/MokManager.efi -o MokManager.efi -a %{SOURCE3} -c %{SOURCE2} -n redhatsecureboot301
+%pesign -s -i %{_datadir}/shim/fallback.efi -o fallback.efi -a %{SOURCE3} -c %{SOURCE2} -n redhatsecureboot301
 %install
 rm -rf $RPM_BUILD_ROOT
 cd shim-signed-%{version}
 install -D -d -m 0755 $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/
 install -m 0644 shim.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim.efi
-install -m 0644 shim-redhat.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim-redhat.efi
+install -m 0644 shim-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim-%{efidir}.efi
 install -m 0644 MokManager.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/MokManager.efi
 install -m 0644 %{SOURCE1} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT.CSV
@@ -92,15 +101,20 @@ install -m 0644 fallback.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fallback.efi
 %files -n shim
 /boot/efi/EFI/%{efidir}/shim.efi
-/boot/efi/EFI/%{efidir}/shim-redhat.efi
+/boot/efi/EFI/%{efidir}/shim-%{efidir}.efi
 /boot/efi/EFI/%{efidir}/MokManager.efi
 /boot/efi/EFI/%{efidir}/BOOT.CSV
 /boot/efi/EFI/BOOT/BOOTX64.EFI
 /boot/efi/EFI/BOOT/fallback.efi
 %changelog
-* Fri Jun 20 2014 Karanbir Singh - 0.7-5.2.el7.centos
-- Roll in CentOS SB certs
+* Thu Oct 16 2014 Peter Jones - 0.7-8
+- out-of-bounds memory read flaw in DHCPv6 packet processing
+ Resolves: CVE-2014-3675
+- heap-based buffer overflow flaw in IPv6 address parsing
+ Resolves: CVE-2014-3676
+- memory corruption flaw when processing Machine Owner Keys (MOKs)
+ Resolves: CVE-2014-3677
 * Thu Feb 27 2014 Peter Jones - 0.7-5.2
 - Get the right signatures on shim-redhat.efi
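Review bot: Inside the new `%ifarch %{ca_signed_arches}` block the only check applied to the externally signed `%{SOURCE0}` before `cp %{SOURCE0} shim.efi` is that its PE hash equals `%{_datadir}/shim/shim.hash`; nothing confirms that the binary actually carries an Authenticode signature chaining to the expected CA, so the `Invalid signature\!` message on the failing branch overstates what `cmp` proves. Either make the message honest, e.g. `echo Source0 does not match the shim-unsigned build\! > /dev/stderr`, or add a check on the signer before the copy (pesign can list the signatures embedded in a PE file; the exact invocation should be confirmed against the pesign version named in BuildRequires). Separately, the two consecutive `%ifarch %{rh_signed_arches}` blocks can be merged into one, with the `%ifnarch %{ca_signed_arches}` copy placed right after the `%pesign -s` line, which makes the x86_64-versus-aarch64 flow easier to follow. The %build section starts before this hunk.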
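Review bot: `%files` still ships the removable-media fallback only as `/boot/efi/EFI/BOOT/BOOTX64.EFI` while this commit adds aarch64 to ExclusiveArch; on AArch64 firmware the default boot path is `\EFI\BOOT\BOOTAA64.EFI`, so the aarch64 package would install a file the firmware never looks for. The install line that creates BOOTX64.EFI lies outside this hunk, so both it and this `%files` entry would need an arch-dependent name, e.g. an `%ifarch aarch64` / `%define boot_efi_name BOOTAA64.EFI` pair next to the existing efidir definition. The changelog lines reference CVE-2014-3675, CVE-2014-3676 and CVE-2014-3677, which presumably land in the shim-unsigned 0.7-8 build this package repackages rather than in this spec; a short note saying so would help readers looking here for the fix.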