diff --git a/.gitignore b/.gitignore
index 953d727..a250cf7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/shim-0.9.tar.bz2
+SOURCES/shim-12.tar.bz2
diff --git a/.shim.metadata b/.shim.metadata
index 93bda97..d93caad 100644
--- a/.shim.metadata
+++ b/.shim.metadata
@@ -1 +1 @@
-44c1b426f515b86581f163ec85c9e3bb08bc9042 SOURCES/shim-0.9.tar.bz2
+5c5a5738bd0412cb1f42ac2b9dace11c3495ed5b SOURCES/shim-12.tar.bz2
diff --git a/SOURCES/0001-Typo-on-aarch64.patch b/SOURCES/0001-Typo-on-aarch64.patch
deleted file mode 100644
index 851fe4a..0000000
--- a/SOURCES/0001-Typo-on-aarch64.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From db142ce288a63db2e8f7858ba7564158cc7a64e5 Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Tue, 30 Jun 2015 14:54:43 -0400
-Subject: [PATCH] Typo on aarch64 :/
-
-Signed-off-by: Peter Jones <pjones@redhat.com>
----
- Makefile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Makefile b/Makefile
-index 46d0234..1181b8a 100644
---- a/Makefile
-+++ b/Makefile
-@@ -52,7 +52,7 @@ ifeq ($(ARCH),ia32)
- "-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/ia32-$(VERSION)$(RELEASE)/\""
- endif
- ifeq ($(ARCH),aarch64)
-- CFLAGS += "-DEFI_ARCH=L\"aa64\""
-+ CFLAGS += "-DEFI_ARCH=L\"aa64\"" \
- "-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/aa64-$(VERSION)$(RELEASE)/\""
- endif
-
---
-2.4.3
-
diff --git a/SPECS/shim.spec b/SPECS/shim.spec
index 8cc3fb8..d1316b0 100644
--- a/SPECS/shim.spec
+++ b/SPECS/shim.spec
@@ -1,5 +1,5 @@
Name: shim
-Version: 0.9
+Version: 12
Release: 1%{?dist}
Summary: First-stage UEFI bootloader
@@ -8,14 +8,13 @@ URL: http://www.codon.org.uk/~mjg59/shim/
Source0: https://github.com/mjg59/shim/releases/download/%{version}/shim-%{version}.tar.bz2
Source1: securebootca.cer
# currently here's what's in our dbx: # nothing.
-#Source2: dbx.esl
-Source3: shim-find-debuginfo.sh
-
-Patch0001: 0001-Typo-on-aarch64.patch
+#Source2: dbx-x64.esl
+#Source3: dbx-aa64.esl
+Source4: shim-find-debuginfo.sh
BuildRequires: git openssl-devel openssl
BuildRequires: pesign >= 0.106-1
-BuildRequires: gnu-efi >= 1:3.0.2, gnu-efi-devel >= 1:3.0.2
+BuildRequires: gnu-efi >= 1:3.0.5-6.el7, gnu-efi-devel >= 1:3.0.5-6.el7
# for xxd
BuildRequires: vim-common
@@ -23,8 +22,7 @@ BuildRequires: vim-common
# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
# compatible with SysV (there's no red zone under UEFI) and there isn't a
# POSIX-style C library.
-# BuildRequires: OpenSSL
-Provides: bundled(openssl) = 0.9.8w
+Provides: bundled(openssl) = 1.0.2j
# Shim is only required on platforms implementing the UEFI secure boot
# protocol. The only one of those we currently wish to support is 64-bit x86.
@@ -44,14 +42,16 @@ ExclusiveArch: x86_64 aarch64
%define debug_package %{nil}
%global __debug_package 1
+%global _binaries_in_noarch_packages_terminate_build 0
+
%description
Initial UEFI bootloader that handles chaining to a trusted full bootloader
under secure boot environments.
-%package -n shim-unsigned
+%package -n shim-unsigned-%{efiarch}
Summary: First-stage UEFI bootloader (unsigned data)
-%description -n shim-unsigned
+%description -n shim-unsigned-%{efiarch}
Initial UEFI bootloader that handles chaining to a trusted full bootloader
under secure boot environments.
@@ -67,12 +67,32 @@ This package provides debug information for package %{name}.
Debug information is useful when developing applications that use this
package or when debugging this package.
+%ifarch x86_64
+%package -n shim-unsigned-ia32
+Summary: First-stage UEFI bootloader (unsigned data)
+
+%description -n shim-unsigned-ia32
+Initial UEFI bootloader that handles chaining to a trusted full bootloader
+under secure boot environments.
+
+%package -n shim-unsigned-ia32-debuginfo
+Obsoletes: shim-debuginfo < 0.9
+Summary: Debug information for package %{name}
+Group: Development/Debug
+AutoReqProv: 0
+BuildArch: noarch
+
+%description -n shim-unsigned-ia32-debuginfo
+This package provides debug information for package %{name}.
+Debug information is useful when developing applications that use this
+package or when debugging this package.
+%endif
+
%prep
-%setup -n %{name}-%{version}-%{efiarch} -T -c
-cd %{_builddir}
+%setup -T -n %{name}-%{version}-%{release} -c
%{__tar} -xo -f %{SOURCE0}
mv %{name}-%{version} %{name}-%{version}-%{efiarch}
-%setup -q -D -T -n %{name}-%{version}-%{efiarch}/%{name}-%{version}
+cd %{name}-%{version}-%{efiarch}
git init
git config user.email "example@example.com"
git config user.name "rpmbuild -bp"
@@ -82,39 +102,141 @@ git am --ignore-whitespace %{patches} </dev/null
git config --unset user.email
git config --unset user.name
+%ifarch x86_64
+cd ..
+%{__tar} -xo -f %{SOURCE0}
+mv %{name}-%{version} %{name}-%{version}-ia32
+cd %{name}-%{version}-ia32
+git init
+git config user.email "example@example.com"
+git config user.name "rpmbuild -bp"
+git add .
+git commit -a -q -m "%{version} baseline."
+git am --ignore-whitespace %{patches} </dev/null
+git config --unset user.email
+git config --unset user.name
+%endif
+
%build
-MAKEFLAGS="VENDOR_CERT_FILE=%{SOURCE1}"
-# MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
-MAKEFLAGS="$MAKEFLAGS RELEASE=%{release}"
-make 'DEFAULT_LOADER=\\\\grub%{efiarch}.efi' ${MAKEFLAGS} shim.efi MokManager.efi fallback.efi
+COMMITID=$(cat %{name}-%{version}-%{efiarch}/commit)
+MAKEFLAGS="RELEASE=%{release} ENABLE_HTTPBOOT=true COMMITID=${COMMITID}"
+%ifarch aarch64
+if [ -f "%{SOURCE1}" ]; then
+ MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
+fi
+if [ -f "%{SOURCE3}" ]; then
+ MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE3}"
+fi
+%else
+if [ -f "%{SOURCE1}" ]; then
+ MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
+fi
+if [ -f "%{SOURCE2}" ]; then
+ MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
+fi
+%endif
+cd %{name}-%{version}-%{efiarch}
+make 'DEFAULT_LOADER=\\\\grub%{efiarch}.efi' ${MAKEFLAGS} shim%{efiarch}.efi mm%{efiarch}.efi fb%{efiarch}.efi
+
+%ifarch x86_64
+cd ../%{name}-%{version}-ia32
+setarch linux32 -B make 'DEFAULT_LOADER=\\\\grubia32.efi' ARCH=ia32 ${MAKEFLAGS} shimia32.efi mmia32.efi fbia32.efi
+cd ../%{name}-%{version}-%{efiarch}
+%endif
%install
-rm -rf $RPM_BUILD_ROOT
-pesign -h -P -i shim.efi -h > shim.hash
+cd %{name}-%{version}-%{efiarch}
+pesign -h -P -i shim%{efiarch}.efi -h > shim%{efiarch}.hash
install -D -d -m 0755 $RPM_BUILD_ROOT%{_datadir}/shim/%{efiarch}-%{version}-%{release}/
-install -m 0644 shim.hash $RPM_BUILD_ROOT%{_datadir}/shim/%{efiarch}-%{version}-%{release}/shim.hash
-for x in shim fallback MokManager ; do
+install -m 0644 shim%{efiarch}.hash $RPM_BUILD_ROOT%{_datadir}/shim/%{efiarch}-%{version}-%{release}/shim%{efiarch}.hash
+for x in shim%{efiarch} mm%{efiarch} fb%{efiarch} ; do
install -m 0644 $x.efi $RPM_BUILD_ROOT%{_datadir}/shim/%{efiarch}-%{version}-%{release}/
install -m 0644 $x.so $RPM_BUILD_ROOT%{_datadir}/shim/%{efiarch}-%{version}-%{release}/
done
+%ifarch x86_64
+cd ../%{name}-%{version}-ia32
+pesign -h -P -i shimia32.efi -h > shimia32.hash
+install -D -d -m 0755 $RPM_BUILD_ROOT%{_datadir}/shim/ia32-%{version}-%{release}/
+install -m 0644 shimia32.hash $RPM_BUILD_ROOT%{_datadir}/shim/ia32-%{version}-%{release}/shimia32.hash
+for x in shimia32 mmia32 fbia32 ; do
+ install -m 0644 $x.efi $RPM_BUILD_ROOT%{_datadir}/shim/ia32-%{version}-%{release}/
+ install -m 0644 $x.so $RPM_BUILD_ROOT%{_datadir}/shim/ia32-%{version}-%{release}/
+done
+cd ../%{name}-%{version}-%{efiarch}
+%endif
+
+%ifarch x86_64
%global __debug_install_post \
- bash %{SOURCE3} \\\
+ bash %{SOURCE4} \\\
+ %{?_missing_build_ids_terminate_build:--strict-build-id}\\\
+ %{?_find_debuginfo_opts} \\\
+ "%{_builddir}/%{?buildsubdir}/%{name}-%{version}-%{efiarch}" \
+ rm -f $RPM_BUILD_ROOT%{_datadir}/shim/%{efiarch}-%{version}-%{release}/*.so \
+ mv debugfiles.list ../debugfiles-%{efiarch}.list \
+ cd .. \
+ cd %{name}-%{version}-ia32 \
+ bash %{SOURCE4} \\\
%{?_missing_build_ids_terminate_build:--strict-build-id}\\\
- %{?_find_debuginfo_opts} "%{_builddir}/%{?buildsubdir}" \
- rm -f $RPM_BUILD_ROOT%{_datadir}/shim/%{efiarch}-%{version}-%{release}/*.so \
+ %{?_find_debuginfo_opts} \\\
+ "%{_builddir}/%{?buildsubdir}/%{name}-%{version}-ia32" \
+ rm -f $RPM_BUILD_ROOT%{_datadir}/shim/ia32-%{version}-%{release}/*.so \
+ mv debugfiles.list ../debugfiles-ia32.list \
+ cd .. \
%{nil}
+%else
+%global __debug_install_post \
+ bash %{SOURCE4} \\\
+ %{?_missing_build_ids_terminate_build:--strict-build-id}\\\
+ %{?_find_debuginfo_opts} \\\
+ "%{_builddir}/%{?buildsubdir}/%{name}-%{version}-%{efiarch}" \
+ rm -f $RPM_BUILD_ROOT%{_datadir}/shim/%{efiarch}-%{version}-%{release}/*.so \
+ mv debugfiles.list ../debugfiles-%{efiarch}.list \
+ cd .. \
+ %{nil}
+%endif
-%files -n shim-unsigned
+%files -n shim-unsigned-%{efiarch}
%dir %{_datadir}/shim
%dir %{_datadir}/shim/%{efiarch}-%{version}-%{release}/
%{_datadir}/shim/%{efiarch}-%{version}-%{release}/*.efi
%{_datadir}/shim/%{efiarch}-%{version}-%{release}/*.hash
-%files -n shim-unsigned-%{efiarch}-debuginfo -f debugfiles.list
+%files -n shim-unsigned-%{efiarch}-debuginfo -f debugfiles-%{efiarch}.list
%defattr(-,root,root)
+%ifarch x86_64
+%files -n shim-unsigned-ia32
+%dir %{_datadir}/shim
+%dir %{_datadir}/shim/ia32-%{version}-%{release}/
+%{_datadir}/shim/ia32-%{version}-%{release}/*.efi
+%{_datadir}/shim/ia32-%{version}-%{release}/*.hash
+
+%files -n shim-unsigned-ia32-debuginfo -f debugfiles-ia32.list
+%defattr(-,root,root)
+%endif
+
%changelog
+* Thu Apr 27 2017 Peter Jones <pjones@redhat.com> - 12-1
+- Update to 12-1 to work around a signtool.exe bug
+ Related: rhbz#1445393
+
+* Mon Apr 03 2017 Peter Jones <pjones@redhat.com> - 11-1
+- Update to 11-1
+ Related: rhbz#1310766
+- Fix regression in PE loader
+ Related: rhbz#1310766
+- Fix case where BDS invokes us wrong and we exec shim again as a result
+ Related: rhbz#1310766
+
+* Tue Mar 21 2017 Peter Jones <pjones@redhat.com> - 10-1
+- Update to 10-1
+- Support ia32
+ Resolves: rhbz#1310766
+- Handle various different load option implementation differences
+- TPM 1 and TPM 2 support.
+- Update to OpenSSL 1.0.2k
+
* Mon Jun 22 2015 Peter Jones <pjones@redhat.com> - 0.9-1
- Update to 0.9-1
- Fix early call to BS->Exit()