Fix a minor rebuild issue; note that this means it won't match the result that's in shim-15-8.

Signed-off-by: Peter Jones <pjones@redhat.com>
add BuildRequires: gcc
2020-01-21 16:09:39 -05:00 · 2020-01-21 15:44:37 -05:00
11 changed files with 93 additions and 126 deletions
--- a/0001-CFLAGS-add-Wno-error-address-of-packed-member.patch
+++ b/0001-CFLAGS-add-Wno-error-address-of-packed-member.patch
@ -0,0 +1,25 @@
+From 79f8e33de536909810578371dbc8a3043517b216 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 21 Jan 2020 14:37:59 -0500
+Subject: [PATCH] CFLAGS: add -Wno-error=address-of-packed-member
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ Make.defaults | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/Make.defaults b/Make.defaults
+index e11ab5a7f2c..065b17445b5 100644
+--- a/Make.defaults
+++ b/Make.defaults
+@@ -41,6 +41,7 @@ EFI_LDS		= $(TOPDIR)/elf_$(ARCH)_efi.lds
+ 
+ CFLAGS		= -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
+ 		  -fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \
+		  -Wno-error=address-of-packed-member -Wno-error=pointer-sign \
+ 		  -Werror=sign-compare -ffreestanding -std=gnu89 \
+ 		  -I$(shell $(CC) -print-file-name=include) \
+ 		  "-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \
+-- 
+2.24.1
+
--- a/0002-Fix-a-typo.patch
+++ b/0002-Fix-a-typo.patch
@ -0,0 +1,26 @@
+From 67756daa55f48f1166b3526dca1309e32c99ad89 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 12 Nov 2019 14:34:51 -0500
+Subject: [PATCH] Fix a typo
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ lib/console.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/console.c b/lib/console.c
+index 3fee403e2a8..39f29faadc4 100644
+--- a/lib/console.c
+++ b/lib/console.c
+@@ -360,7 +360,7 @@ static struct {
+ 	{  EFI_SECURITY_VIOLATION,     L"Security Violation"},
+ 
+ 	// warnings
+-	{  EFI_WARN_UNKOWN_GLYPH,      L"Warning Unknown Glyph"},
+	{  EFI_WARN_UNKNOWN_GLYPH,     L"Warning Unknown Glyph"},
+ 	{  EFI_WARN_DELETE_FAILURE,    L"Warning Delete Failure"},
+ 	{  EFI_WARN_WRITE_FAILURE,     L"Warning Write Failure"},
+ 	{  EFI_WARN_BUFFER_TOO_SMALL,  L"Warning Buffer Too Small"},
+-- 
+2.23.0
+
--- a/dbx.esl
+++ b/dbx.esl
--- a/fedora-ca-20200709.cer
+++ b/fedora-ca-20200709.cer
--- a/fedora-ca.cer
+++ b/fedora-ca.cer
--- a/0
+++ b/0
--- a/rpminspect.yaml
+++ b/rpminspect.yaml
@ -1,41 +0,0 @@
-# rpminspect configuration
-
---
-common:
-    workdir: /var/tmp/rpminspect
-    profiledir: /usr/share/rpminspect/profiles/fedora
-koji:
-    hub: https://koji.fedoraproject.org/kojihub
-    download_ursine: https://kojipkgs.fedoraproject.org
-    download_mbs: https://kojipkgs.fedoraproject.org
-commands:
-    msgunfmt: msgunfmt
-    desktop-file-validate: desktop-file-validate
-    abidiff: abidiff
-    kmidiff: kmidiff
-    annocheck: annocheck
-    udevadm: udevadm
-vendor:
-    vendor_data_dir: /usr/share/rpminspect
-    licensedb:
-        - /usr/share/fedora-license-data/licenses/fedora-licenses.json
-    favor_release: newest
-inspections:
-    abidiff: off
-    disttag: off
-    manpage: off
-    javabytecode: off
-metadata:
-    # Required Vendor string.  This is part of the RPM header and is
-    # the value expected in packages checked by rpminspect.
-    vendor: Fedora Project
-
-    # Allowed build host subdomain.  The RPM header contains information about
-    # where the package was built.  rpminspect verifies the hostnames are in
-    # the expected subdomain listed below.
-    #
-    # This is an array of allowed subdomains.
-    buildhost_subdomain:
-        - .fedoraproject.org
-        - .bos.redhat.com
-
--- a/sbat.redhat.csv.in
+++ b/sbat.redhat.csv.in
@ -1,3 +0,0 @@
-shim.rh,3,The Fedora Project,shim,@@VERSION@@,https://src.fedoraproject.org/rpms/shim-unsigned-aarch64
-shim.redhat,3,The Fedora Project,shim,@@VERSION@@,https://src.fedoraproject.org/rpms/shim-unsigned-aarch64
-shim.fedora,3,The Fedora Project,shim,@@VERSION@@-@@RELEASE@@,https://src.fedoraproject.org/rpms/shim-unsigned-aarch64
--- a/shim-unsigned-aarch64.spec
+++ b/shim-unsigned-aarch64.spec
@ -1,14 +1,12 @@
 %global pesign_vre 0.106-1
+%global gnuefi_vre 1:3.0.8-1
 %global openssl_vre 1.0.2j
-%global shim_commit_id afc49558b34548644c1cd0ad1b6526a9470182ed

-# For prereleases, % global prerelease rc2, and downpatch Makefile
-%if %{defined prerelease}
-%global dashpre -%{prerelease}
-%global dotpre .%{prerelease}
-%global tildepre ~%{prerelease}
-%global zdpd 0%{dotpre}.
-%endif
+%global debug_package %{nil}
+%global __debug_package 1
+%global _binaries_in_noarch_packages_terminate_build 0
+%global __debug_install_post %{SOURCE100} aa64
+%undefine _debuginfo_subpackages

 %global efidir %(eval echo $(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/'))
 %global shimrootdir %{_datadir}/shim/
@ -16,40 +14,36 @@
 %global efiarch aa64
 %global shimdir %{shimversiondir}/%{efiarch}

-%global debug_package %{nil}
-%global __debug_package 1
-%global _binaries_in_noarch_packages_terminate_build 0
-%global __debug_install_post %{SOURCE100} %{efiarch}
-%undefine _debuginfo_subpackages
-
-# currently here's what's in our dbx: nothing
-%global dbxfile %{nil}
-
 Name:		shim-unsigned-aarch64
-Version:	16.1
-Release:	1
+Version:	15
+Release:	2%{?dist}
 Summary:	First-stage UEFI bootloader
 ExclusiveArch:	aarch64
-License:	BSD-2-Clause AND OpenSSL
+License:	BSD
 URL:		https://github.com/rhboot/shim
-Source0:	https://github.com/rhboot/shim/releases/download/%{version}%{?dashpre}/shim-%{version}%{?dotpre}.tar.bz2
-Source1:	fedora-ca-20200709.cer
-%if 0%{?dbxfile}
-Source2:	%{dbxfile}
-%endif
-Source3:	sbat.redhat.csv.in
-Source4:	shim.patches
+Source0:	https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2
+Source1:	fedora-ca.cer
+# currently here's what's in our dbx:
+# grub2-efi-2.00-11.fc18.x86_64:
+# grubx64.efi 6ac839881e73504047c06a1aac0c4763408ecb3642783c8acf77a2d393ea5cd7
+# gcdx64.efi 065cd63bab696ad2f4732af9634d66f2c0d48f8a3134b8808750d378550be151
+# grub2-efi-2.00-11.fc19.x86_64:
+# grubx64.efi 49ece9a10a9403b32c8e0c892fd9afe24a974323c96f2cc3dd63608754bf9b45
+# gcdx64.efi 99fcaa957786c155a92b40be9c981c4e4685b8c62b408cb0f6cb2df9c30b9978
+# woops.
+Source2:	dbx.esl

 Source100:	shim-find-debuginfo.sh

-%include %{SOURCE4}
+Patch0001:	0001-CFLAGS-add-Wno-error-address-of-packed-member.patch
+Patch0002:	0002-Fix-a-typo.patch

-BuildRequires:	gcc make
+BuildRequires:  gcc
 BuildRequires:	elfutils-libelf-devel
 BuildRequires:	git openssl-devel openssl
 BuildRequires:	pesign >= %{pesign_vre}
-BuildRequires:	dos2unix findutils
-BuildRequires:	sed
+BuildRequires:	gnu-efi >= %{gnuefi_vre}
+BuildRequires:	gnu-efi-devel >= %{gnuefi_vre}

 # Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
 # compatible with SysV (there's no red zone under UEFI) and there isn't a
@ -70,6 +64,7 @@ use this package or when debugging this package.

 %package debuginfo
 Summary:	Debug information for shim-unsigned-aarch64
+Requires:	%{name}-debugsource = %{version}-%{release}
 AutoReqProv:	0
 BuildArch:	noarch

@ -89,51 +84,41 @@ BuildArch:	noarch
 git config --unset user.email
 git config --unset user.name
 mkdir build-%{efiarch}
-sed -e 's/@@VERSION@@/%{version}/g' \
-    -e 's/@@RELEASE@@/%{release}/g' \
-    < %{SOURCE3} > data/sbat.redhat.csv

 %build
-COMMIT_ID=%{shim_commit_id}
-MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMIT_ID=${COMMIT_ID} "
+COMMITID=$(cat commit)
+MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
 MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
-MAKEFLAGS+="ENABLE_SHIM_HASH=true "
-MAKEFLAGS+=" %{_smp_mflags} "
+MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true "
+MAKEFLAGS+="%{_smp_mflags}"
 if [ -f "%{SOURCE1}" ]; then
-	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1} "
+	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
 fi
-%if 0%{?dbxfile}
 if [ -f "%{SOURCE2}" ]; then
-	MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2} "
+	MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
 fi
-%endif

 cd build-%{efiarch}
-make ${MAKEFLAGS} \
-	DEFAULT_LOADER='\\\\grub%{efiarch}.efi' \
-	all
+make ${MAKEFLAGS} DEFAULT_LOADER='\\\\grub%{efiarch}.efi' all
 cd ..

 %install
-COMMIT_ID=%{shim_commit_id}
-MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMIT_ID=${COMMIT_ID} "
+COMMITID=$(cat commit)
+MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
 MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
-MAKEFLAGS+="ENABLE_SHIM_HASH=true "
+MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true "
 if [ -f "%{SOURCE1}" ]; then
-	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1} "
+	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
 fi
-%if 0%{?dbxfile}
 if [ -f "%{SOURCE2}" ]; then
-	MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2} "
+	MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
 fi
-%endif

 cd build-%{efiarch}
 make ${MAKEFLAGS} \
 	DEFAULT_LOADER='\\\\grub%{efiarch}.efi' \
 	DESTDIR=${RPM_BUILD_ROOT} \
 	install-as-data install-debuginfo install-debugsource
-install -m 0644 BOOT*.CSV "${RPM_BUILD_ROOT}/%{shimdir}/"
 cd ..

 %files
@ -143,40 +128,15 @@ cd ..
 %dir %{shimdir}
 %{shimdir}/*.efi
 %{shimdir}/*.hash
-%{shimdir}/*.CSV

 %files debuginfo -f build-%{efiarch}/debugfiles.list

 %files debugsource -f build-%{efiarch}/debugsource.list

 %changelog
-* Wed Sep 03 2025 Peter Jones <pjones@redhat.com> - 16.1-1
- Update to shim-16.1
-
-* Fri Mar 22 2024 Nicolas Frayer <nfrayer@redhat.com>
- Migrate to SPDX license
- Please refer to https://fedoraproject.org/wiki/Changes/SPDX_Licenses_Phase_2
-
-* Thu Mar 07 2024 Peter Jones <pjones@redhat.com> - 15.8-2
- Update to shim-15.8
-  Resolves: CVE-2023-40546
-  Resolves: CVE-2023-40547
-  Resolves: CVE-2023-40548
-  Resolves: CVE-2023-40549
-  Resolves: CVE-2023-40550
-  Resolves: CVE-2023-40551
-  Resolves: rhbz#2113005
-  Resolves: rhbz#2189197
-  Resolves: rhbz#2238884
-  Resolves: rhbz#2259264
-
-* Thu Jul 07 2022 Robbie Harwood <rharwood@redhat.com> - 15.6-2
- Add pjones's aarch64 relocation fix
- Resolves: #2101248
-
-* Wed Jun 15 2022 Peter Jones <pjones@redhat.com> - 15.6-1
- Update to shim-15.6
-  Resolves: CVE-2022-28737
+* Tue Jan 21 2020 Peter Jones <pjones@redhat.com> - 15-2
+- Fix a minor rebuild issue; note that this means it won't match the
+  result that's in shim-15-8.

 * Thu Apr 05 2018 Peter Jones <pjones@redhat.com> - 15-1
 - Update to shim 15
--- a/shim.patches
+++ b/shim.patches
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (shim-16.1.tar.bz2) = ca5f80e82f3b80b622028f03ef23105c98ee1b6a25f52a59c823080a3202dd4b9962266489296e99f955eb92e36ce13e0b1d57f688350006bba45f2718f159fb
+SHA512 (shim-15.tar.bz2) = f7dfac774d644111431ca56da76b5575b891b0abad970b318edaede11a0d83c869728bc39cb6af3689bdb203c6826545caf8ddd3d14228831027e334963cf957
Author	SHA1	Message	Date
Peter Jones	e9819de685	Fix a minor rebuild issue; note that this means it won't match the result that's in shim-15-8. Signed-off-by: Peter Jones <pjones@redhat.com>	2020-01-21 16:09:39 -05:00
Igor Gnatenko	77ddce85cc	add BuildRequires: gcc Reference: https://fedoraproject.org/wiki/Changes/Remove_GCC_from_BuildRoot	2020-01-21 15:44:37 -05:00