diff --git a/.gitignore b/.gitignore
index 2f727bd..b908d57 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,8 @@
+*~
 *.tar.*
-clog
 *.rpm
+.build*.log
+.*.sw?
+clog
+rhtest.cer
 shim-*/
diff --git a/0001-CI-don-t-use-make-s-it-s-more-trouble-than-help.patch b/0001-CI-don-t-use-make-s-it-s-more-trouble-than-help.patch
new file mode 100644
index 0000000..8a1d4ae
--- /dev/null
+++ b/0001-CI-don-t-use-make-s-it-s-more-trouble-than-help.patch
@@ -0,0 +1,65 @@ +From ab40c869a2765262d9a911fe6284a606fd1fe0d6 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Wed, 24 Mar 2021 16:02:18 -0400 +Subject: [PATCH 1/2] CI: don't use 'make -s'; it's more trouble than help. + +This hides more subtle failures way too well; nerf it out. + +Signed-off-by: Peter Jones +--- + .github/workflows/pullrequest.yml | 18 +++++++++++++----- + 1 file changed, 13 insertions(+), 5 deletions(-) + +diff --git a/.github/workflows/pullrequest.yml b/.github/workflows/pullrequest.yml +index 41ca282c887..6df69833346 100644 +--- a/.github/workflows/pullrequest.yml ++++ b/.github/workflows/pullrequest.yml +@@ -110,14 +110,18 @@ jobs: + id: update-submodules + run: | + make update ++ - name: Do 'make clean' on ${{ matrix.distro }} for ${{ matrix.efiarch }} ++ id: clean ++ run: | ++ make CROSS_COMPILE=${{ matrix.gccarch }}-linux-gnu- ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true clean + - name: Do the build on ${{ matrix.distro }} for ${{ matrix.efiarch }} + id: build + run: | +- make -s CROSS_COMPILE=${{ matrix.gccarch }}-linux-gnu- ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true clean all || make CROSS_COMPILE=${{ matrix.gccarch }}-linux-gnu- ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true clean all ++ make CROSS_COMPILE=${{ matrix.gccarch }}-linux-gnu- ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true all + - name: Install on ${{ matrix.distro }} for ${{ matrix.efiarch }} + id: install + run: | +- make -s CROSS_COMPILE=${{ matrix.gccarch }}-linux-gnu- ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true install || make CROSS_COMPILE=${{ matrix.gccarch }}-linux-gnu- ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true install ++ make CROSS_COMPILE=${{ matrix.gccarch }}-linux-gnu- ARCH=${{ 
matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true install + echo 'results:' + find /destdir -type f + +@@ -190,17 +194,21 @@ jobs: + id: update-submodules + run: | + make update ++ - name: Do 'make clean' on ${{ matrix.distro }} for ${{ matrix.efiarch }} ++ id: clean ++ run: | ++ make ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true clean + - name: Run tests on ${{ matrix.distro }} for ${{ matrix.efiarch }} + id: test + run: | +- make -s ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true test || make ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true test ++ make ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true test + - name: Do the build on ${{ matrix.distro }} for ${{ matrix.efiarch }} + id: build + run: | +- make -s ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true clean all || make ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true clean all ++ make ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true all + - name: Install on ${{ matrix.distro }} for ${{ matrix.efiarch }} + id: install + run: | +- make -s ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true install || make ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true install ++ make ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true install + echo 'results:' + find /destdir -type f +-- +2.30.2 + diff --git a/0002-Make-building-outside-of-the-top-directory-work.patch b/0002-Make-building-outside-of-the-top-directory-work.patch new file mode 100644 index 0000000..8940613 --- /dev/null +++ b/0002-Make-building-outside-of-the-top-directory-work.patch 
@@ -0,0 +1,177 @@ +From fbd1a9b47c04ca0b917482dbb84625d4732054b3 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Wed, 24 Mar 2021 17:51:48 -0400 +Subject: [PATCH 2/2] Make building outside of the top directory work. + +This also makes the cross-build targets (and not the others) /use/ this +functionality, so we'll catch it if we break it again. + +This fixes issue #340. + +Signed-off-by: Peter Jones +--- + .github/workflows/pullrequest.yml | 16 ++++++++---- + Make.defaults | 1 + + Makefile | 43 ++++++++++++++++++++----------- + lib/Makefile | 2 +- + 5 files changed, 42 insertions(+), 22 deletions(-) + +diff --git a/.github/workflows/pullrequest.yml b/.github/workflows/pullrequest.yml +index 6df69833346..5329496c6a8 100644 +--- a/.github/workflows/pullrequest.yml ++++ b/.github/workflows/pullrequest.yml +@@ -110,18 +110,24 @@ jobs: + id: update-submodules + run: | + make update +- - name: Do 'make clean' on ${{ matrix.distro }} for ${{ matrix.efiarch }} +- id: clean ++ - name: Make a build directory for ${{ matrix.distro }} for ${{ matrix.efiarch }} ++ id: builddir + run: | +- make CROSS_COMPILE=${{ matrix.gccarch }}-linux-gnu- ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true clean ++ rm -rf build-${{ matrix.distro }}-${{ matrix.efiarch }} ++ mkdir build-${{ matrix.distro }}-${{ matrix.efiarch }} ++ cd build-${{ matrix.distro }}-${{ matrix.efiarch }} + - name: Do the build on ${{ matrix.distro }} for ${{ matrix.efiarch }} + id: build + run: | +- make CROSS_COMPILE=${{ matrix.gccarch }}-linux-gnu- ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true all ++ pwd ++ cd build-${{ matrix.distro }}-${{ matrix.efiarch }} ++ make TOPDIR=.. 
-f ../Makefile CROSS_COMPILE=${{ matrix.gccarch }}-linux-gnu- ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true all + - name: Install on ${{ matrix.distro }} for ${{ matrix.efiarch }} + id: install + run: | +- make CROSS_COMPILE=${{ matrix.gccarch }}-linux-gnu- ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true install ++ pwd ++ cd build-${{ matrix.distro }}-${{ matrix.efiarch }} ++ make TOPDIR=.. -f ../Makefile CROSS_COMPILE=${{ matrix.gccarch }}-linux-gnu- ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true install + echo 'results:' + find /destdir -type f + +diff --git a/Make.defaults b/Make.defaults +index b7721547dee..a775083ee0b 100644 +--- a/Make.defaults ++++ b/Make.defaults +@@ -1,6 +1,7 @@ + + # load the local configuration if it exists + -include Make.local ++-include $(TOPDIR)/Make.local + + COMPILER ?= gcc + CC = $(CROSS_COMPILE)$(COMPILER) +diff --git a/Makefile b/Makefile +index e349c6f9d49..b2f33b17289 100644 +--- a/Makefile ++++ b/Makefile +@@ -45,7 +45,7 @@ MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o errlog.o sbat_data.o + ORIG_MOK_SOURCES = MokManager.c PasswordCrypt.c crypt_blowfish.c shim.h $(wildcard include/*.h) + FALLBACK_OBJS = fallback.o tpm.o errlog.o sbat_data.o + ORIG_FALLBACK_SRCS = fallback.c +-SBATPATH = data/sbat.csv ++SBATPATH = $(TOPDIR)/data/sbat.csv + + ifeq ($(SOURCE_DATE_EPOCH),) + UNAME=$(shell uname -s -m -p -i -o) +@@ -146,21 +146,23 @@ $(MMSONAME): $(MOK_OBJS) $(LIBS) + + gnu-efi/$(ARCH_GNUEFI)/gnuefi/libgnuefi.a gnu-efi/$(ARCH_GNUEFI)/lib/libefi.a: CFLAGS+=-DGNU_EFI_USE_EXTERNAL_STDARG + gnu-efi/$(ARCH_GNUEFI)/gnuefi/libgnuefi.a gnu-efi/$(ARCH_GNUEFI)/lib/libefi.a: ++ mkdir -p gnu-efi/lib gnu-efi/gnuefi + $(MAKE) -C gnu-efi \ + ARCH=$(ARCH_GNUEFI) TOPDIR=$(TOPDIR)/gnu-efi \ ++ -f $(TOPDIR)/gnu-efi/Makefile \ + lib gnuefi inc + + Cryptlib/libcryptlib.a: + for i in Hash Hmac Cipher Rand Pk Pem 
SysCall; do mkdir -p Cryptlib/$$i; done +- $(MAKE) VPATH=$(TOPDIR)/Cryptlib -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile ++ $(MAKE) TOPDIR=$(TOPDIR) VPATH=$(TOPDIR)/Cryptlib -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile + + Cryptlib/OpenSSL/libopenssl.a: + for i in x509v3 x509 txt_db stack sha rsa rc4 rand pkcs7 pkcs12 pem ocsp objects modes md5 lhash kdf hmac evp err dso dh conf comp cmac buffer bn bio async/arch asn1 aes; do mkdir -p Cryptlib/OpenSSL/crypto/$$i; done +- $(MAKE) VPATH=$(TOPDIR)/Cryptlib/OpenSSL -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile ++ $(MAKE) TOPDIR=$(TOPDIR) VPATH=$(TOPDIR)/Cryptlib/OpenSSL -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile + + lib/lib.a: | $(TOPDIR)/lib/Makefile $(wildcard $(TOPDIR)/include/*.[ch]) +- if [ ! -d lib ]; then mkdir lib ; fi +- $(MAKE) VPATH=$(TOPDIR)/lib -C lib -f $(TOPDIR)/lib/Makefile lib.a ++ mkdir -p lib ++ $(MAKE) VPATH=$(TOPDIR)/lib TOPDIR=$(TOPDIR) -C lib -f $(TOPDIR)/lib/Makefile + + buildid : $(TOPDIR)/buildid.c + $(HOSTCC) -I/usr/include -Og -g3 -Wall -Werror -Wextra -o $@ $< -lelf +@@ -275,35 +277,46 @@ else + endif + + test : +- @make -f include/test.mk EFI_INCLUDES="$(EFI_INCLUDES)" ARCH_DEFINES="$(ARCH_DEFINES)" all ++ @make -f $(TOPDIR)/include/test.mk EFI_INCLUDES="$(EFI_INCLUDES)" ARCH_DEFINES="$(ARCH_DEFINES)" all + + $(patsubst %.c,%,$(wildcard test-*.c)) : +- @make -f include/test.mk EFI_INCLUDES="$(EFI_INCLUDES)" ARCH_DEFINES="$(ARCH_DEFINES)" $@ ++ @make -f $(TOPDIR)/include/test.mk EFI_INCLUDES="$(EFI_INCLUDES)" ARCH_DEFINES="$(ARCH_DEFINES)" $@ + + .PHONY : $(patsubst %.c,%,$(wildcard test-*.c)) test + + clean-test-objs: +- @make -f include/test.mk EFI_INCLUDES="$(EFI_INCLUDES)" ARCH_DEFINES="$(ARCH_DEFINES)" clean ++ @make -f $(TOPDIR)/include/test.mk EFI_INCLUDES="$(EFI_INCLUDES)" ARCH_DEFINES="$(ARCH_DEFINES)" clean + + clean-gnu-efi: +- $(MAKE) -C gnu-efi \ +- ARCH=$(ARCH_GNUEFI) TOPDIR=$(TOPDIR)/gnu-efi \ +- clean ++ @if [ -d gnu-efi ] ; then \ ++ $(MAKE) -C 
gnu-efi \ ++ ARCH=$(ARCH_GNUEFI) TOPDIR=$(TOPDIR)/gnu-efi \ ++ -f $(TOPDIR)/gnu-efi/Makefile \ ++ clean ; \ ++ fi ++ ++clean-lib-objs: ++ @if [ -d lib ] ; then \ ++ $(MAKE) -C lib TOPDIR=$(TOPDIR) -f $(TOPDIR)/lib/Makefile clean ; \ ++ fi + + clean-shim-objs: +- $(MAKE) -C lib -f $(TOPDIR)/lib/Makefile clean + @rm -rvf $(TARGET) *.o $(SHIM_OBJS) $(MOK_OBJS) $(FALLBACK_OBJS) $(KEYS) certdb $(BOOTCSVNAME) + @rm -vf *.debug *.so *.efi *.efi.* *.tar.* version.c buildid + @rm -vf Cryptlib/*.[oa] Cryptlib/*/*.[oa] + @if [ -d .git ] ; then git clean -f -d -e 'Cryptlib/OpenSSL/*'; fi + + clean-openssl-objs: +- $(MAKE) -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile clean ++ @if [ -d Cryptlib/Openssl ] ; then \ ++ $(MAKE) -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile clean ; \ ++ fi + + clean-cryptlib-objs: +- $(MAKE) -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile clean ++ @if [ -d Cryptlib ] ; then \ ++ $(MAKE) -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile clean ; \ ++ fi + +-clean: clean-shim-objs clean-test-objs clean-gnu-efi clean-openssl-objs clean-cryptlib-objs ++clean: clean-shim-objs clean-test-objs clean-gnu-efi clean-openssl-objs clean-cryptlib-objs clean-lib-objs + + GITTAG = $(VERSION) + +diff --git a/lib/Makefile b/lib/Makefile +index 6d83f789a91..de59476270e 100644 +--- a/lib/Makefile ++++ b/lib/Makefile +@@ -1,6 +1,6 @@ + TARGET = lib.a + +-LIBFILES_UNSORTED := $(foreach x,$(wildcard *.c),$(patsubst %.c,%.o,$(x))) ++LIBFILES_UNSORTED := $(patsubst %.c,%.o,$(subst $(TOPDIR)/lib/,,$(wildcard $(TOPDIR)/lib/*.c))) + LIBFILES := $(sort $(LIBFILES_UNSORTED)) + + CRYPTDIR = $(TOPDIR)/Cryptlib +-- +2.30.2 + diff --git a/0003-Make-building-outside-of-this-directory-work.patch b/0003-Make-building-outside-of-this-directory-work.patch new file mode 100644 index 0000000..bc8e2ee --- /dev/null +++ b/0003-Make-building-outside-of-this-directory-work.patch 
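Review bot: The new `clean-openssl-objs` guard tests `[ -d Cryptlib/Openssl ]` but the recipe it protects runs `$(MAKE) -C Cryptlib/OpenSSL`, so on a case-sensitive filesystem the test is always false and the OpenSSL objects are never cleaned; the guard should read `@if [ -d Cryptlib/OpenSSL ] ; then \`. The same hunk rewrites the `test`, `$(patsubst %.c,%,$(wildcard test-*.c))` and `clean-test-objs` recipes yet keeps them invoking a literal `@make` instead of `$(MAKE)`, which drops the jobserver and `-n` propagation that every other sub-make in this file gets. The rewritten `lib/lib.a` recipe also drops the explicit `lib.a` goal and so presumably relies on it being `lib/Makefile`'s default goal, which is worth confirming. Since this file carries upstream commit fbd1a9b47c04ca0b917482dbb84625d4732054b3, the fixes belong upstream with the carried patch refreshed afterwards.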
@@ -0,0 +1,26 @@ +From 65ecce23f005c4d611f48996112d4592164594cf Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Wed, 24 Mar 2021 17:50:17 -0400 +Subject: [PATCH] Make building outside of this directory work. + +Signed-off-by: Peter Jones +--- + gnu-efi/Make.defaults | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/gnu-efi/Make.defaults b/gnu-efi/Make.defaults +index 362bd1f8238..fd1d123d851 100755 +--- a/gnu-efi/Make.defaults ++++ b/gnu-efi/Make.defaults +@@ -92,7 +92,7 @@ endif + # + # Where to build the package + # +-OBJDIR := $(TOPDIR)/$(ARCH) ++OBJDIR := $(abspath .)/$(ARCH) + + # + # Variables below derived from variables above +-- +2.30.2 + diff --git a/README.md b/README.md new file mode 100644 index 0000000..6a035ab --- /dev/null +++ b/README.md @@ -0,0 +1,3 @@ +# shim-unsigned-x64 + +The shim-unsigned-x64 package diff --git a/fedora-ca.cer b/fedora-ca-20200709.cer similarity index 100% rename from fedora-ca.cer rename to fedora-ca-20200709.cer diff --git a/rhtest.cer b/rhtest.cer deleted file mode 100644 index 7c21c7a..0000000 Binary files a/rhtest.cer and /dev/null differ diff --git a/sbat.redhat.csv b/sbat.redhat.csv new file mode 100644 index 0000000..04497b3 --- /dev/null +++ b/sbat.redhat.csv @@ -0,0 +1 @@ +shim.redhat,1,The Fedora Project,shim,15.3,https://src.fedoraproject.org/rpms/shim-unsigned-x64 diff --git a/shim-find-debuginfo.sh b/shim-find-debuginfo.sh index 7e882ff..d656fc9 100755 --- a/shim-find-debuginfo.sh +++ b/shim-find-debuginfo.sh @@ -20,9 +20,9 @@ fi findsource() { ( - cd ${RPM_BUILD_ROOT} - find usr/src/debug/ -type d | sed "s,^,%dir /," - find usr/src/debug/ -type f | sed "s,^,/," + cd "${RPM_BUILD_ROOT}" + find usr/src/debug/ -type d | sed -e "s,^,%dir /," | sort -u | tac + find usr/src/debug/ -type f | sed -e "s,^,/," | sort -u | tac ) } 
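Review bot: The single SBAT entry's vendor URL names `shim-unsigned-x64` while this spec builds `shim-unsigned-aarch64` and the new `shim-unsigned-arm` subpackage, and `%prep` copies the file unchanged into `data/`, so this is what ends up in the built `.sbat` section. If the file is deliberately identical across all shim-unsigned-* packages so that the `shim.redhat` generation number moves in lock-step, that is presumably fine, since revocation matching is keyed on component name and generation and the URL is informational. Either way a one-line comment in the spec next to `Source3:` stating that the entry is shared across architectures and that its generation must be bumped in sync with the other packages would save the next maintainer from guessing.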
@@ -32,9 +32,12 @@ finddebug() declare -a dirs=() declare -a files=() declare -a excludes=() + declare -a tmp=() - pushd ${RPM_BUILD_ROOT} >/dev/null 2>&1 - for x in $(find usr/lib/debug/ -type f -iname *.efi.debug); do + pushd "${RPM_BUILD_ROOT}" >/dev/null 2>&1 + + mapfile -t tmp < <(find usr/lib/debug/ -type f -iname "*.efi.debug") + for x in "${tmp[@]}" ; do if ! [ -e "${x}" ]; then break fi @@ -57,8 +60,10 @@ finddebug() excludes[${#excludes[@]}]=${x%%.debug} fi done - for x in ${files[@]} ; do - declare name=$(dirname /${x}) + for x in "${files[@]}" ; do + declare name + + name=$(dirname "/${x}") while [ "${name}" != "/" ]; do case "${name}" in "/usr/lib/debug"|"/usr/lib"|"/usr") @@ -67,24 +72,24 @@ finddebug() dirs[${#dirs[@]}]=${name} ;; esac - name=$(dirname ${name}) + name=$(dirname "${name}") done done popd >/dev/null 2>&1 - for x in ${dirs[@]} ; do + for x in "${dirs[@]}" ; do echo "%dir ${x}" done | sort | uniq - for x in ${files[@]} ; do + for x in "${files[@]}" ; do echo "/${x}" done | sort | uniq - for x in ${excludes[@]} ; do + for x in "${excludes[@]}" ; do echo "%exclude /${x}" done } -findsource > build-${mainarch}/debugsource.list -finddebug ${mainarch} > build-${mainarch}/debugfiles.list +findsource > "build-${mainarch}/debugsource.list" +finddebug "${mainarch}" > "build-${mainarch}/debugfiles.list" if [ -v altarch ]; then - finddebug ${altarch} > build-${altarch}/debugfiles.list + finddebug "${altarch}" > "build-${altarch}/debugfiles.list" fi diff --git a/shim-unsigned-aarch64.spec b/shim-unsigned-aarch64.spec index c72ac24..d5a3014 100644 --- a/shim-unsigned-aarch64.spec +++ b/shim-unsigned-aarch64.spec 
@@ -1,46 +1,49 @@ %global pesign_vre 0.106-1 -%global gnuefi_vre 1:3.0.8-1 %global openssl_vre 1.0.2j -%global debug_package %{nil} -%global __debug_package 1 -%global _binaries_in_noarch_packages_terminate_build 0 -%global __debug_install_post %{SOURCE100} aa64 -%undefine _debuginfo_subpackages - %global efidir %(eval echo $(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/')) %global shimrootdir %{_datadir}/shim/ %global shimversiondir %{shimrootdir}/%{version}-%{release} %global efiarch aa64 %global shimdir %{shimversiondir}/%{efiarch} +%global efialtarch arm +%global shimaltdir %{shimversiondir}/%{efialtarch} + +%global debug_package %{nil} +%global __debug_package 1 +%global __debug_install_post %{SOURCE100} %{efiarch} %{efialtarch} +%global _binaries_in_noarch_packages_terminate_build 0 +%undefine _debuginfo_subpackages + +# currently here's what's in our dbx: nothing +%global dbxfile %{nil} Name: shim-unsigned-aarch64 -Version: 15 +Version: 15.3 Release: 1%{?dist} Summary: First-stage UEFI bootloader ExclusiveArch: aarch64 License: BSD URL: https://github.com/rhboot/shim Source0: https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2 -Source1: fedora-ca.cer -# currently here's what's in our dbx: -# grub2-efi-2.00-11.fc18.x86_64: -# grubx64.efi 6ac839881e73504047c06a1aac0c4763408ecb3642783c8acf77a2d393ea5cd7 -# gcdx64.efi 065cd63bab696ad2f4732af9634d66f2c0d48f8a3134b8808750d378550be151 -# grub2-efi-2.00-11.fc19.x86_64: -# grubx64.efi 49ece9a10a9403b32c8e0c892fd9afe24a974323c96f2cc3dd63608754bf9b45 -# gcdx64.efi 99fcaa957786c155a92b40be9c981c4e4685b8c62b408cb0f6cb2df9c30b9978 -# woops. 
-Source2: dbx.esl +Source1: fedora-ca-20200709.cer +%if 0%{?dbxfile} +Source2: %{dbxfile} +%endif +Source3: sbat.redhat.csv Source100: shim-find-debuginfo.sh +Patch0001: 0001-CI-don-t-use-make-s-it-s-more-trouble-than-help.patch +Patch0002: 0002-Make-building-outside-of-the-top-directory-work.patch +Patch0003: 0003-Make-building-outside-of-this-directory-work.patch + BuildRequires: gcc make BuildRequires: elfutils-libelf-devel BuildRequires: git openssl-devel openssl BuildRequires: pesign >= %{pesign_vre} -BuildRequires: gnu-efi >= %{gnuefi_vre} -BuildRequires: gnu-efi-devel >= %{gnuefi_vre} +BuildRequires: dos2unix findutils +BuildRequires: binutils-arm-linux-gnu gcc-arm-linux-gnu # Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not # compatible with SysV (there's no red zone under UEFI) and there isn't a @@ -59,15 +62,29 @@ use this package or when debugging this package. %description %desc +%package -n shim-unsigned-%{efialtarch} +Summary: First-stage UEFI bootloader (unsigned data) +Provides: bundled(openssl) = %{openssl_vre} + +%description -n shim-unsigned-%{efialtarch} +%desc + %package debuginfo -Summary: Debug information for shim-unsigned-aarch64 -Requires: %{name}-debugsource = %{version}-%{release} +Summary: Debug information for shim-unsigned-%{efiarch} AutoReqProv: 0 BuildArch: noarch %description debuginfo %debug_desc +%package -n shim-unsigned-%{efialtarch}-debuginfo +Summary: Debug information for shim-unsigned-%{efialtarch} +AutoReqProv: 0 +BuildArch: noarch + +%description -n shim-unsigned-%{efialtarch}-debuginfo +%debug_desc + %package debugsource Summary: Debug Source for shim-unsigned AutoReqProv: 0 
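Review bot: `%if 0%{?dbxfile}` only behaves while `dbxfile` is numeric or empty; with `%global dbxfile %{nil}` it becomes `%if 0` and correctly disables `Source2`, but as soon as a maintainer sets it to a real filename such as `dbx.esl` the expression reads `0dbx.esl`, which rpm's expression parser rejects rather than treating as true. A string comparison is what this guard intends: `%if "%{dbxfile}" != ""`. The same construct guards the `VENDOR_DBX_FILE` assignments in the `%build` and `%install` hunk (`@@ -81,41 +98,66 @@`) and should change together with it. Independently, `Source1` now points at `fedora-ca-20200709.cer`, which `%build` passes as `VENDOR_CERT_FILE`; with the old dbx comment block removed, a one-line comment recording what this date-stamped CA file is would help, since that certificate is what the resulting shim trusts.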
@@ -81,41 +98,66 @@ BuildArch: noarch git config --unset user.email git config --unset user.name mkdir build-%{efiarch} +mkdir build-%{efialtarch} +cp %{SOURCE3} data/ %build COMMITID=$(cat commit) MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} " MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} " -MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true " +MAKEFLAGS+="ENABLE_SHIM_HASH=true " MAKEFLAGS+="%{_smp_mflags}" if [ -f "%{SOURCE1}" ]; then MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}" fi +%if 0%{?dbxfile} if [ -f "%{SOURCE2}" ]; then MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}" fi +%endif cd build-%{efiarch} -make ${MAKEFLAGS} DEFAULT_LOADER='\\\\grub%{efiarch}.efi' all +make ${MAKEFLAGS} \ + DEFAULT_LOADER='\\\\grub%{efiarch}.efi' \ + all +cd .. + +cd build-%{efialtarch} +make ${MAKEFLAGS} \ + ARCH=%{efialtarch} CROSS_COMPILE=arm-linux-gnu- \ + DEFAULT_LOADER='\\\\grub%{efialtarch}.efi' \ + all cd .. %install COMMITID=$(cat commit) MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} " MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} " -MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true " +MAKEFLAGS+="ENABLE_SHIM_HASH=true " if [ -f "%{SOURCE1}" ]; then MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}" fi +%if 0%{?dbxfile} if [ -f "%{SOURCE2}" ]; then MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}" fi +%endif cd build-%{efiarch} make ${MAKEFLAGS} \ DEFAULT_LOADER='\\\\grub%{efiarch}.efi' \ DESTDIR=${RPM_BUILD_ROOT} \ install-as-data install-debuginfo install-debugsource +install -m 0644 BOOT*.CSV "${RPM_BUILD_ROOT}/%{shimdir}/" +cd .. + +cd build-%{efialtarch} +make ${MAKEFLAGS} \ + ARCH=%{efialtarch} CROSS_COMPILE=arm-linux-gnu- \ + DEFAULT_LOADER='\\\\grub%{efialtarch}.efi' \ + DESTDIR=${RPM_BUILD_ROOT} \ + install-as-data install-debuginfo install-debugsource +install -m 0644 BOOT*.CSV "${RPM_BUILD_ROOT}/%{shimaltdir}/" cd .. %files 
@@ -125,12 +167,42 @@ cd .. %dir %{shimdir} %{shimdir}/*.efi %{shimdir}/*.hash +%{shimdir}/*.CSV + +%files -n shim-unsigned-%{efialtarch} +%license COPYRIGHT +%dir %{shimrootdir} +%dir %{shimversiondir} +%dir %{shimaltdir} +%{shimaltdir}/*.efi +%{shimaltdir}/*.hash +%{shimaltdir}/*.CSV %files debuginfo -f build-%{efiarch}/debugfiles.list +%files -n shim-unsigned-%{efialtarch}-debuginfo -f build-%{efialtarch}/debugfiles.list + %files debugsource -f build-%{efiarch}/debugsource.list %changelog +* Wed Mar 24 2021 Peter Jones - 15.3-1 +- Update to shim 15.3 + - Support for revocations via the ".sbat" section and SBAT EFI variable + - A new unit test framework and a bunch of unit tests + - No external gnu-efi dependency + - Better CI + Resolves: CVE-2020-14372 + Resolves: CVE-2020-25632 + Resolves: CVE-2020-25647 + Resolves: CVE-2020-27749 + Resolves: CVE-2020-27779 + Resolves: CVE-2021-20225 + Resolves: CVE-2021-20233 + +* Tue Jan 21 2020 Peter Jones - 15-2 +- Fix a minor rebuild issue; note that this means it won't match the + result that's in shim-15-8. + * Thu Apr 05 2018 Peter Jones - 15-1 - Update to shim 15 - better checking for bad linker output diff --git a/sources b/sources index 697992c..9a5001e 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (shim-15.tar.bz2) = f7dfac774d644111431ca56da76b5575b891b0abad970b318edaede11a0d83c869728bc39cb6af3689bdb203c6826545caf8ddd3d14228831027e334963cf957 +SHA512 (shim-15.3.tar.bz2) = 48de811917b5b60311788467786a7259b5efe8e61ff9af01d37d3138c98309310562c91c6e83ed11924c20774bfee5184b44b901c51e15be4167b97281655e65