|
 |
e59b1a |
%global debug_package %{nil}
|
|
|
e59b1a |
%global __brp_mangle_shebangs_exclude_from_file %{expand:%{_builddir}/shim-%{efi_arch}-%{version}-%{release}.%{_target_cpu}-shebangs.txt}
|
|
|
e59b1a |
%global vendor_token_str %{expand:%%{nil}%%{?vendor_token_name:-t "%{vendor_token_name}"}}
|
|
|
e59b1a |
%global vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}}
|
|
|
e59b1a |
|
|
|
e59b1a |
%global bootcsvaa64 %{expand:%{SOURCE10}}
|
|
|
e59b1a |
%global bootcsvx64 %{expand:%{SOURCE12}}
|
|
|
e59b1a |
#%%global bootcsvarm %%{expand:%%{SOURCE13}}
|
|
|
e59b1a |
|
|
|
e59b1a |
%global shimefiaa64 %{expand:%{SOURCE20}}
|
|
|
e59b1a |
%global shimefix64 %{expand:%{SOURCE22}}
|
|
|
e59b1a |
#%%global shimefiarm %%{expand:%%{SOURCE23}
|
|
|
e59b1a |
|
|
|
e59b1a |
%global fbefiaa64 %{expand:%{SOURCE30}}
|
|
|
e59b1a |
%global fbefix64 %{expand:%{SOURCE32}}
|
|
|
e59b1a |
#%%global fbefiarm %%{expand:%%{SOURCE33}
|
|
|
e59b1a |
|
|
|
e59b1a |
%global mmefiaa64 %{expand:%{SOURCE40}}
|
|
|
e59b1a |
%global mmefix64 %{expand:%{SOURCE42}}
|
|
|
e59b1a |
#%%global mmefiarm %%{expand:%%{SOURCE43}
|
|
|
e59b1a |
|
|
|
e59b1a |
%global shimveraa64 15-6.el9
|
|
|
e59b1a |
%global shimverx64 15.5-1.el9
|
|
|
e59b1a |
#%%global shimverarm 15-1.el8
|
|
|
e59b1a |
|
|
|
e59b1a |
%global shimdiraa64 %{_datadir}/shim/%{shimveraa64}/aa64
|
|
|
e59b1a |
%global shimdirx64 %{_datadir}/shim/%{shimverx64}/x64
|
|
|
e59b1a |
#%%global shimdirarm %%{_datadir}/shim/%%{shimverarm}/arm
|
|
|
e59b1a |
|
|
|
e59b1a |
%global unsignedaa64 shim-unsigned-aarch64
|
|
|
e59b1a |
%global unsignedx64 shim-unsigned-x64
|
|
|
e59b1a |
#%%global unsignedarm shim-unsigned-arm
|
|
|
e59b1a |
|
|
|
e59b1a |
%global bootcsv %{expand:%{bootcsv%{efi_arch}}}
|
|
|
e59b1a |
%global bootcsvalt %{expand:%{bootcsv%{?efi_alt_arch}}}
|
|
|
e59b1a |
%global shimefi %{expand:%{shimefi%{efi_arch}}}
|
|
|
e59b1a |
%global shimefialt %{expand:%{shimefi%{?efi_alt_arch}}}
|
|
|
e59b1a |
%global shimver %{expand:%{shimver%{efi_arch}}}
|
|
|
e59b1a |
%global shimveralt %{expand:%{shimver%{?efi_alt_arch}}}
|
|
|
e59b1a |
%global shimdir %{expand:%{shimdir%{efi_arch}}}
|
|
|
e59b1a |
%global shimdiralt %{expand:%{shimdir%{?efi_alt_arch}}}
|
|
|
e59b1a |
%global fbefi %{expand:%{fbefi%{efi_arch}}}
|
|
|
e59b1a |
%global fbefialt %{expand:%{fbefi%{?efi_alt_arch}}}
|
|
|
e59b1a |
%global mmefi %{expand:%{mmefi%{efi_arch}}}
|
|
|
e59b1a |
%global mmefialt %{expand:%{mmefi%{?efi_alt_arch}}}
|
|
|
e59b1a |
|
|
|
e59b1a |
%global unsignednone shim-unsigned-none
|
|
|
e59b1a |
%global unsigned %{expand:%%{unsigned%{efi_arch}}}
|
|
|
e59b1a |
%global unsignedalt %{expand:%%{unsigned%{efi_alt_arch}}}
|
|
|
e59b1a |
|
|
|
e59b1a |
%define define_pkg(a:p:) \
|
|
|
e59b1a |
%{expand:%%package -n shim-%{-a*}} \
|
|
|
e59b1a |
Summary: First-stage UEFI bootloader \
|
|
|
e59b1a |
Requires: mokutil >= 1:0.3.0-1 \
|
|
|
e59b1a |
Requires: efi-filesystem \
|
|
|
e59b1a |
Provides: shim-signed-%{-a*} = %{version}-%{release} \
|
|
|
e59b1a |
Requires: dbxtool >= 0.6-3 \
|
|
|
e59b1a |
%{expand:%%if 0%%{-p*} \
|
|
|
e59b1a |
Provides: shim = %{version}-%{release} \
|
|
|
e59b1a |
Provides: shim-signed = %{version}-%{release} \
|
|
|
e59b1a |
Obsoletes: shim-signed < %{version}-%{release} \
|
|
|
e59b1a |
Obsoletes: shim < %{version}-%{release} \
|
|
|
e59b1a |
%%endif} \
|
|
|
e59b1a |
# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI \
|
|
|
e59b1a |
# is not compatible with SysV (there's no red zone under UEFI) and \
|
|
|
e59b1a |
# there isn't a POSIX-style C library. \
|
|
|
e59b1a |
# BuildRequires: OpenSSL \
|
|
|
e59b1a |
Provides: bundled(openssl) = 1.0.2j \
|
|
|
e59b1a |
\
|
|
|
e59b1a |
%{expand:%%description -n shim-%{-a*}} \
|
|
|
e59b1a |
Initial UEFI bootloader that handles chaining to a trusted full \
|
|
|
e59b1a |
bootloader under secure boot environments. This package contains the \
|
|
|
e59b1a |
version signed by the UEFI signing service. \
|
|
|
e59b1a |
%{nil}
|
|
|
e59b1a |
|
|
|
e59b1a |
# -a <efiarch>
|
|
|
e59b1a |
# -i <input>
|
|
|
e59b1a |
%define hash(a:i:d:) \
|
|
|
e59b1a |
if [ 0%{?_unsigned_test_build:%{_unsigned_test_build}} -ne 0 ] ; then \
|
|
|
e59b1a |
pesign -i %{-i*} -h -P > shim.hash \
|
|
|
e59b1a |
read file0 hash0 < shim.hash \
|
|
|
e59b1a |
read file1 hash1 < %{-d*}/shim%{-a*}.hash \
|
|
|
e59b1a |
if ! [ "$hash0" = "$hash1" ] ; then \
|
|
|
e59b1a |
echo Invalid signature\! > /dev/stderr \
|
|
|
e59b1a |
echo $hash0 vs $hash1 \
|
|
|
e59b1a |
exit 1 \
|
|
|
e59b1a |
fi \
|
|
|
e59b1a |
fi \
|
|
|
e59b1a |
%{nil}
|
|
|
e59b1a |
|
|
|
e59b1a |
# -i <input>
|
|
|
e59b1a |
# -o <output>
|
|
|
e59b1a |
%define sign(i:o:n:a:c:) \
|
|
|
e59b1a |
%{expand:%%pesign -s -i %{-i*} -o %{-o*} %{-n} %{-n*} %{-a} %{-a*} %{-c} %{-c*}} \
|
|
|
e59b1a |
%{nil}
|
|
|
e59b1a |
|
|
|
e59b1a |
# -b <binary prefix>
|
|
|
e59b1a |
# -a <efiarch>
|
|
|
e59b1a |
# -i <input>
|
|
|
e59b1a |
%define distrosign(b:a:d:) \
|
|
|
e59b1a |
if [ 0%{?_unsigned_test_build:%{_unsigned_test_build}} -ne 0 ] ; then \
|
|
|
e59b1a |
if [ "%{-b*}%{-a*}" = "shim%{efi_arch}" ] ; then \
|
|
|
e59b1a |
cp -av "%{shimefi}" %{-b*}%{-a*}-unsigned.efi \
|
|
|
e59b1a |
elif [ "%{-b*}%{-a*}" = "shim%{efi_alt_arch}" ] ; then \
|
|
|
e59b1a |
cp -av "%{shimefialt}" %{-b*}%{-a*}-unsigned.efi \
|
|
|
e59b1a |
elif [ "%{-b*}%{-a*}" = "mm%{efi_arch}" ] ; then \
|
|
|
e59b1a |
cp -av "%{mmefi}" %{-b*}%{-a*}-unsigned.efi \
|
|
|
e59b1a |
elif [ "%{-b*}%{-a*}" = "mm%{efi_alt_arch}" ] ; then \
|
|
|
e59b1a |
cp -av "%{mmefialt}" %{-b*}%{-a*}-unsigned.efi \
|
|
|
e59b1a |
elif [ "%{-b*}%{-a*}" = "fb%{efi_arch}" ] ; then \
|
|
|
e59b1a |
cp -av "%{fbefi}" %{-b*}%{-a*}-unsigned.efi \
|
|
|
e59b1a |
elif [ "%{-b*}%{-a*}" = "fb%{efi_alt_arch}" ] ; then \
|
|
|
e59b1a |
cp -av "%{fbefialt}" %{-b*}%{-a*}-unsigned.efi \
|
|
|
e59b1a |
fi \
|
|
|
e59b1a |
else \
|
|
|
e59b1a |
cp -av %{-d*}/%{-b*}%{-a*}.efi %{-b*}%{-a*}-unsigned.efi \
|
|
|
e59b1a |
fi \
|
|
|
e59b1a |
%{expand:%%sign -i %{-b*}%{-a*}-unsigned.efi -o %{-b*}%{-a*}-signed.efi -n redhatsecureboot501 -a %{SOURCE2} -c %{SOURCE1} } \
|
|
|
e59b1a |
%{nil}
|
|
|
e59b1a |
|
|
|
e59b1a |
# -a <efiarch>
|
|
|
e59b1a |
# -A <EFIARCH>
|
|
|
e59b1a |
# -b <1|0> # signed by this builder?
|
|
|
e59b1a |
# -c <1|0> # signed by UEFI CA?
|
|
|
e59b1a |
# -i <shimARCH.efi>
|
|
|
e59b1a |
# -d /usr/share dir for this build (full path)
|
|
|
e59b1a |
%define define_build(a:A:b:c:i:d:) \
|
|
|
e59b1a |
if [ "%{-c*}" = "yes-temporarily-disabled-20180723" ]; then \
|
|
|
e59b1a |
%{expand:%%hash -i %{-i*} -a %{-a*} -d %{-d*}} \
|
|
|
e59b1a |
fi \
|
|
|
e59b1a |
cp %{-i*} shim%{-a*}.efi \
|
|
|
e59b1a |
if [ "%{-b*}" = "yes" ] ; then \
|
|
|
e59b1a |
%{expand:%%distrosign -b shim -a %{-a*} -d %{-d*}} \
|
|
|
e59b1a |
mv shim%{-a*}-signed.efi shim%{-a*}-%{efi_vendor}.efi \
|
|
|
e59b1a |
fi \
|
|
|
e59b1a |
if [ "%{-c*}" = "no" ] || \
|
|
|
e59b1a |
[ 0%{?_unsigned_test_build:%{_unsigned_test_build}} -ne 0 ] ; then \
|
|
|
e59b1a |
cp shim%{-a*}-%{efi_vendor}.efi shim%{-a*}.efi \
|
|
|
e59b1a |
fi \
|
|
|
e59b1a |
%{expand:%%distrosign -b mm -a %{-a*} -d %{-d*}} \
|
|
|
e59b1a |
mv mm%{-a*}-signed.efi mm%{-a*}.efi \
|
|
|
e59b1a |
%{expand:%%distrosign -b fb -a %{-a*} -d %{-d*}} \
|
|
|
e59b1a |
mv fb%{-a*}-signed.efi fb%{-a*}.efi \
|
|
|
e59b1a |
rm -vf \\\
|
|
|
e59b1a |
mm%{-a*}-unsigned.efi \\\
|
|
|
e59b1a |
fb%{-a*}-unsigned.efi \\\
|
|
|
e59b1a |
shim%{-a*}-unsigned.efi \
|
|
|
e59b1a |
%{nil}
|
|
|
e59b1a |
|
|
|
e59b1a |
# -a <efiarch>
|
|
|
e59b1a |
# -A <EFIARCH>
|
|
|
e59b1a |
# -b <BOOTCSV>
|
|
|
e59b1a |
%define do_install(a:A:b:) \
|
|
|
e59b1a |
install -m 0700 shim%{-a*}.efi \\\
|
|
|
e59b1a |
$RPM_BUILD_ROOT%{efi_esp_dir}/shim%{-a*}.efi \
|
|
|
e59b1a |
install -m 0700 shim%{-a*}-%{efi_vendor}.efi \\\
|
|
|
e59b1a |
$RPM_BUILD_ROOT%{efi_esp_dir}/shim%{-a*}-%{efi_vendor}.efi \
|
|
|
e59b1a |
install -m 0700 mm%{-a*}.efi \\\
|
|
|
e59b1a |
$RPM_BUILD_ROOT%{efi_esp_dir}/mm%{-a*}.efi \
|
|
|
e59b1a |
install -m 0700 %{-b*} \\\
|
|
|
e59b1a |
$RPM_BUILD_ROOT%{efi_esp_dir}/BOOT%{-A*}.CSV \
|
|
|
e59b1a |
install -m 0700 shim%{-a*}.efi \\\
|
|
|
e59b1a |
$RPM_BUILD_ROOT%{efi_esp_boot}/BOOT%{-A*}.EFI \
|
|
|
e59b1a |
install -m 0700 fb%{-a*}.efi \\\
|
|
|
e59b1a |
$RPM_BUILD_ROOT%{efi_esp_boot}/fb%{-a*}.efi \
|
|
|
e59b1a |
%nil
|
|
|
e59b1a |
|
|
|
e59b1a |
# -a <efiarch>
|
|
|
e59b1a |
# -A <EFIARCH>
|
|
|
e59b1a |
%define define_files(a:A:) \
|
|
|
e59b1a |
%{expand:%%files -n shim-%{-a*}} \
|
|
|
e59b1a |
%{efi_esp_dir}/*%{-a*}*.efi \
|
|
|
e59b1a |
%{efi_esp_dir}/BOOT%{-A*}.CSV \
|
|
|
e59b1a |
%{efi_esp_boot}/*%{-a*}.efi \
|
|
|
e59b1a |
%{efi_esp_boot}/*%{-A*}.EFI \
|
|
|
e59b1a |
%{nil}
|
|
|
e59b1a |
|
|
|
e59b1a |
%ifarch x86_64
|
|
|
e59b1a |
%global is_signed yes
|
|
|
e59b1a |
%global is_alt_signed no
|
|
|
e59b1a |
%global provide_legacy_shim 1
|
|
|
e59b1a |
%endif
|
|
|
e59b1a |
%ifarch aarch64
|
|
|
e59b1a |
%global is_signed no
|
|
|
e59b1a |
%global is_alt_signed no
|
|
|
e59b1a |
%global provide_legacy_shim 1
|
|
|
e59b1a |
%endif
|
|
|
e59b1a |
%ifnarch x86_64 aarch64
|
|
|
e59b1a |
%global is_signed no
|
|
|
e59b1a |
%global is_alt_signed no
|
|
|
e59b1a |
%global provide_legacy_shim 0
|
|
|
e59b1a |
%endif
|
|
|
e59b1a |
|
|
|
e59b1a |
%if ! 0%{?vendor:1}
|
|
|
e59b1a |
%global vendor nopenopenope
|
|
|
e59b1a |
%endif
|
|
|
e59b1a |
|
|
|
e59b1a |
# vim:filetype=rpmmacros
|