diff --git a/dbx.esl b/dbx.esl
deleted file mode 100644
index 2ea555c..0000000
Binary files a/dbx.esl and /dev/null differ
diff --git a/fedora-ca-20200709.cer b/fedora-ca-20200709.cer
new file mode 100644
index 0000000..29b3ce3
Binary files /dev/null and b/fedora-ca-20200709.cer differ
diff --git a/fedora-ca.cer b/fedora-ca.cer
deleted file mode 100644
index b81707b..0000000
Binary files a/fedora-ca.cer and /dev/null differ
diff --git a/rpminspect.yaml b/rpminspect.yaml
new file mode 100644
index 0000000..26433b7
--- /dev/null
+++ b/rpminspect.yaml
@@ -0,0 +1,41 @@
+# rpminspect configuration
+
+---
+common:
+ workdir: /var/tmp/rpminspect
+ profiledir: /usr/share/rpminspect/profiles/fedora
+koji:
+ hub: https://koji.fedoraproject.org/kojihub
+ download_ursine: https://kojipkgs.fedoraproject.org
+ download_mbs: https://kojipkgs.fedoraproject.org
+commands:
+ msgunfmt: msgunfmt
+ desktop-file-validate: desktop-file-validate
+ abidiff: abidiff
+ kmidiff: kmidiff
+ annocheck: annocheck
+ udevadm: udevadm
+vendor:
+ vendor_data_dir: /usr/share/rpminspect
+ licensedb:
+ - /usr/share/fedora-license-data/licenses/fedora-licenses.json
+ favor_release: newest
+inspections:
+ abidiff: off
+ disttag: off
+ manpage: off
+ javabytecode: off
+metadata:
+ # Required Vendor string. This is part of the RPM header and is
+ # the value expected in packages checked by rpminspect.
+ vendor: Fedora Project
+
+ # Allowed build host subdomain. The RPM header contains information about
+ # where the package was built. rpminspect verifies the hostnames are in
+ # the expected subdomain listed below.
+ #
+ # This is an array of allowed subdomains.
+ buildhost_subdomain:
+ - .fedoraproject.org
+ - .bos.redhat.com
+
diff --git a/sbat.redhat.csv.in b/sbat.redhat.csv.in
new file mode 100644
index 0000000..eb2203f
--- /dev/null
+++ b/sbat.redhat.csv.in
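Review bot: `buildhost_subdomain` accepts `.bos.redhat.com` alongside `.fedoraproject.org`, so the build-host inspection would pass a package built on a host outside Fedora infrastructure; the `koji.hub` entry in the same file points only at Fedora's koji, so the second entry either widens the check for no gain or needs a comment saying which builds it exists for. The four inspections set to `off` also carry no reason; one comment each, e.g. `disttag: off  # Release deliberately carries no %{?dist}`, would let a later maintainer re-enable them safely. That reading of `disttag` is inferred from the `Release: 1` line in the spec hunk, not stated anywhere in this file.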
@@ -0,0 +1,3 @@
+shim.rh,3,The Fedora Project,shim,@@VERSION@@,https://src.fedoraproject.org/rpms/shim-unsigned-aarch64
+shim.redhat,3,The Fedora Project,shim,@@VERSION@@,https://src.fedoraproject.org/rpms/shim-unsigned-aarch64
+shim.fedora,3,The Fedora Project,shim,@@VERSION@@-@@RELEASE@@,https://src.fedoraproject.org/rpms/shim-unsigned-aarch64
diff --git a/shim-unsigned-aarch64.spec b/shim-unsigned-aarch64.spec
index c72ac24..729d387 100644
--- a/shim-unsigned-aarch64.spec
+++ b/shim-unsigned-aarch64.spec
@@ -1,12 +1,14 @@
 %global pesign_vre 0.106-1
-%global gnuefi_vre 1:3.0.8-1
 %global openssl_vre 1.0.2j
+%global shim_commit_id afc49558b34548644c1cd0ad1b6526a9470182ed
 
-%global debug_package %{nil}
-%global __debug_package 1
-%global _binaries_in_noarch_packages_terminate_build 0
-%global __debug_install_post %{SOURCE100} aa64
-%undefine _debuginfo_subpackages
+# For prereleases, % global prerelease rc2, and downpatch Makefile
+%if %{defined prerelease}
+%global dashpre -%{prerelease}
+%global dotpre .%{prerelease}
+%global tildepre ~%{prerelease}
+%global zdpd 0%{dotpre}.
+%endif
 
 %global efidir %(eval echo $(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/'))
 %global shimrootdir %{_datadir}/shim/
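Review bot: The generation number `3` in each row is the value SBAT revocation keys on, yet nothing in this file or the spec records where it comes from or when it has to move, and the generated CSV cannot carry a comment. The spec is the right place for it: a comment above `Source3: sbat.redhat.csv.in` such as `# SBAT generation numbers in sbat.redhat.csv.in must track upstream shim's revocation level` would do. Only the `shim.fedora` row appends `@@RELEASE@@` to the version; that looks deliberate for the vendor-specific entry and could be stated in the same comment.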
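Review bot: `%global shim_commit_id afc49558…` pins the commit id in the spec, and the %build/%install hunk passes it as `COMMIT_ID=%{shim_commit_id}` in place of the former `$(cat commit)`, so a tarball whose embedded commit differs from the macro would build without complaint and carry the wrong id. If the 16.1 tarball still ships a `commit` file, a one-line check in %prep, `test "$(cat commit)" = "%{shim_commit_id}"`, keeps them in step; if it does not, a comment next to the macro saying so would stop the next updater from wondering. The prerelease comment could also note that only `dashpre`/`dotpre` are consumed by `Source0` in the following hunk; `tildepre` and `zdpd` have no visible user in this diff.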
@@ -14,33 +16,40 @@
 %global efiarch aa64
 %global shimdir %{shimversiondir}/%{efiarch}
+%global debug_package %{nil}
+%global __debug_package 1
+%global _binaries_in_noarch_packages_terminate_build 0
+%global __debug_install_post %{SOURCE100} %{efiarch}
+%undefine _debuginfo_subpackages
+
+# currently here's what's in our dbx: nothing
+%global dbxfile %{nil}
+
 Name: shim-unsigned-aarch64
-Version: 15
-Release: 1%{?dist}
+Version: 16.1
+Release: 1
 Summary: First-stage UEFI bootloader
 ExclusiveArch: aarch64
-License: BSD
+License: BSD-2-Clause AND OpenSSL
 URL: https://github.com/rhboot/shim
-Source0: https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2
-Source1: fedora-ca.cer
-# currently here's what's in our dbx:
-# grub2-efi-2.00-11.fc18.x86_64:
-# grubx64.efi 6ac839881e73504047c06a1aac0c4763408ecb3642783c8acf77a2d393ea5cd7
-# gcdx64.efi 065cd63bab696ad2f4732af9634d66f2c0d48f8a3134b8808750d378550be151
-# grub2-efi-2.00-11.fc19.x86_64:
-# grubx64.efi 49ece9a10a9403b32c8e0c892fd9afe24a974323c96f2cc3dd63608754bf9b45
-# gcdx64.efi 99fcaa957786c155a92b40be9c981c4e4685b8c62b408cb0f6cb2df9c30b9978
-# woops.
-Source2: dbx.esl
+Source0: https://github.com/rhboot/shim/releases/download/%{version}%{?dashpre}/shim-%{version}%{?dotpre}.tar.bz2
+Source1: fedora-ca-20200709.cer
+%if 0%{?dbxfile}
+Source2: %{dbxfile}
+%endif
+Source3: sbat.redhat.csv.in
+Source4: shim.patches
 Source100: shim-find-debuginfo.sh
+%include %{SOURCE4}
+
 BuildRequires: gcc make
 BuildRequires: elfutils-libelf-devel
 BuildRequires: git openssl-devel openssl
 BuildRequires: pesign >= %{pesign_vre}
-BuildRequires: gnu-efi >= %{gnuefi_vre}
-BuildRequires: gnu-efi-devel >= %{gnuefi_vre}
+BuildRequires: dos2unix findutils
+BuildRequires: sed
 # Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
 # compatible with SysV (there's no red zone under UEFI) and there isn't a
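Review bot: The guard `%if 0%{?dbxfile}` only works while `dbxfile` is `%{nil}`: set it to a file name such as the removed `dbx.esl` and the condition becomes `%if 0dbx.esl`, which rpm's expression parser does not accept, so the vendor dbx (the revocation list) cannot be re-enabled without first fixing the guard. A string comparison, `%if "%{?dbxfile}" != ""`, works for both cases; the same guard appears twice more in the %build/%install hunk. `%include %{SOURCE4}` pulls in `shim.patches`, which this commit adds as an empty file; a comment there, `# patches are listed in shim.patches, not in this spec`, would save the next reader a lookup.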
@@ -61,7 +70,6 @@ use this package or when debugging this package.
 %package debuginfo
 Summary: Debug information for shim-unsigned-aarch64
-Requires: %{name}-debugsource = %{version}-%{release}
 AutoReqProv: 0
 BuildArch: noarch
@@ -77,45 +85,55 @@ BuildArch: noarch
 %debug_desc
 %prep
-%autosetup -S git -n shim-%{version}
+%autosetup -S git_am -n shim-%{version}
 git config --unset user.email
 git config --unset user.name
 mkdir build-%{efiarch}
+sed -e 's/@@VERSION@@/%{version}/g' \
+ -e 's/@@RELEASE@@/%{release}/g' \
+ < %{SOURCE3} > data/sbat.redhat.csv
 %build
-COMMITID=$(cat commit)
-MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
+COMMIT_ID=%{shim_commit_id}
+MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMIT_ID=${COMMIT_ID} "
 MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
-MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true "
-MAKEFLAGS+="%{_smp_mflags}"
+MAKEFLAGS+="ENABLE_SHIM_HASH=true "
+MAKEFLAGS+=" %{_smp_mflags} "
 if [ -f "%{SOURCE1}" ]; then
- MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
+ MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1} "
 fi
+%if 0%{?dbxfile}
 if [ -f "%{SOURCE2}" ]; then
- MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
+ MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2} "
 fi
+%endif
 cd build-%{efiarch}
-make ${MAKEFLAGS} DEFAULT_LOADER='\\\\grub%{efiarch}.efi' all
+make ${MAKEFLAGS} \
+ DEFAULT_LOADER='\\\\grub%{efiarch}.efi' \
+ all
 cd ..
 %install
-COMMITID=$(cat commit)
-MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
+COMMIT_ID=%{shim_commit_id}
+MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMIT_ID=${COMMIT_ID} "
 MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
-MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true "
+MAKEFLAGS+="ENABLE_SHIM_HASH=true "
 if [ -f "%{SOURCE1}" ]; then
- MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
+ MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1} "
 fi
+%if 0%{?dbxfile}
 if [ -f "%{SOURCE2}" ]; then
- MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
+ MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2} "
 fi
+%endif
 cd build-%{efiarch}
 make ${MAKEFLAGS} \
 DEFAULT_LOADER='\\\\grub%{efiarch}.efi' \
 DESTDIR=${RPM_BUILD_ROOT} \
 install-as-data install-debuginfo install-debugsource
+install -m 0644 BOOT*.CSV "${RPM_BUILD_ROOT}/%{shimdir}/"
 cd ..
@@ -125,12 +143,41 @@ cd ..
 %dir %{shimdir}
 %{shimdir}/*.efi
 %{shimdir}/*.hash
+%{shimdir}/*.CSV
 %files debuginfo -f build-%{efiarch}/debugfiles.list
 %files debugsource -f build-%{efiarch}/debugsource.list
 %changelog
+* Wed Sep 03 2025 Peter Jones - 16.1-1
+- Update to shim-16.1
+
+* Fri Mar 22 2024 Nicolas Frayer
+- Migrate to SPDX license
+- Please refer to https://fedoraproject.org/wiki/Changes/SPDX_Licenses_Phase_2
+
+* Thu Mar 07 2024 Peter Jones - 15.8-2
+- Update to shim-15.8
+ Resolves: CVE-2023-40546
+ Resolves: CVE-2023-40547
+ Resolves: CVE-2023-40548
+ Resolves: CVE-2023-40549
+ Resolves: CVE-2023-40550
+ Resolves: CVE-2023-40551
+ Resolves: rhbz#2113005
+ Resolves: rhbz#2189197
+ Resolves: rhbz#2238884
+ Resolves: rhbz#2259264
+
+* Thu Jul 07 2022 Robbie Harwood - 15.6-2
+- Add pjones's aarch64 relocation fix
+- Resolves: #2101248
+
+* Wed Jun 15 2022 Peter Jones - 15.6-1
+- Update to shim-15.6
+ Resolves: CVE-2022-28737
+
 * Thu Apr 05 2018 Peter Jones - 15-1
 - Update to shim 15
 - better checking for bad linker output
diff --git a/shim.patches b/shim.patches
new file mode 100644
index 0000000..e69de29
diff --git a/sources b/sources
index 697992c..e96df6e 100644
--- a/sources
+++ b/sources
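Review bot: Both `if [ -f "%{SOURCE1}" ]; then` blocks, in %build and in %install, silently drop `VENDOR_CERT_FILE` when the vendor certificate is absent, and this commit is where that bites: Source1 was just renamed to `fedora-ca-20200709.cer`, so a misnamed file yields a shim built without its embedded vendor certificate instead of a failed build. The certificate is a tracked source, so pass `VENDOR_CERT_FILE=%{SOURCE1}` unconditionally, or fail fast with `test -f "%{SOURCE1}"` ahead of the `if` (rpmbuild runs these sections under `sh -e`, so the bare test is enough to abort). The `VENDOR_DBX_FILE` guard has the same shape and will matter once `dbxfile` is set. The `%files` section this hunk runs into continues in the next hunk.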
@@ -1 +1 @@
-SHA512 (shim-15.tar.bz2) = f7dfac774d644111431ca56da76b5575b891b0abad970b318edaede11a0d83c869728bc39cb6af3689bdb203c6826545caf8ddd3d14228831027e334963cf957
+SHA512 (shim-16.1.tar.bz2) = ca5f80e82f3b80b622028f03ef23105c98ee1b6a25f52a59c823080a3202dd4b9962266489296e99f955eb92e36ce13e0b1d57f688350006bba45f2718f159fb