Nerf debuginfo generation on aarch64

Our DSOs currently don't wind up having a build-id, which means we can't correctly generate debuginfo. It'll have to be fixed later. Signed-off-by: Peter Jones <pjones@redhat.com>
Update to shim 15.4
2021-03-30 18:02:41 -04:00 · 2021-03-30 17:25:50 -04:00
7 changed files with 85 additions and 106 deletions
--- a/shim.patches
+++ b/shim.patches
--- a/fedora-ca-20200709.cer
+++ b/fedora-ca-20200709.cer
--- a/rpminspect.yaml
+++ b/rpminspect.yaml
@ -1,41 +0,0 @@
-# rpminspect configuration
-
---
-common:
-    workdir: /var/tmp/rpminspect
-    profiledir: /usr/share/rpminspect/profiles/fedora
-koji:
-    hub: https://koji.fedoraproject.org/kojihub
-    download_ursine: https://kojipkgs.fedoraproject.org
-    download_mbs: https://kojipkgs.fedoraproject.org
-commands:
-    msgunfmt: msgunfmt
-    desktop-file-validate: desktop-file-validate
-    abidiff: abidiff
-    kmidiff: kmidiff
-    annocheck: annocheck
-    udevadm: udevadm
-vendor:
-    vendor_data_dir: /usr/share/rpminspect
-    licensedb:
-        - /usr/share/fedora-license-data/licenses/fedora-licenses.json
-    favor_release: newest
-inspections:
-    abidiff: off
-    disttag: off
-    manpage: off
-    javabytecode: off
-metadata:
-    # Required Vendor string.  This is part of the RPM header and is
-    # the value expected in packages checked by rpminspect.
-    vendor: Fedora Project
-
-    # Allowed build host subdomain.  The RPM header contains information about
-    # where the package was built.  rpminspect verifies the hostnames are in
-    # the expected subdomain listed below.
-    #
-    # This is an array of allowed subdomains.
-    buildhost_subdomain:
-        - .fedoraproject.org
-        - .bos.redhat.com
-
--- a/sbat.redhat.csv
+++ b/sbat.redhat.csv
@ -0,0 +1 @@
+shim.redhat,1,The Fedora Project,shim,15.3,https://src.fedoraproject.org/rpms/shim-unsigned-x64
--- a/sbat.redhat.csv.in
+++ b/sbat.redhat.csv.in
@ -1,3 +0,0 @@
-shim.rh,3,The Fedora Project,shim,@@VERSION@@,https://src.fedoraproject.org/rpms/shim-unsigned-aarch64
-shim.redhat,3,The Fedora Project,shim,@@VERSION@@,https://src.fedoraproject.org/rpms/shim-unsigned-aarch64
-shim.fedora,3,The Fedora Project,shim,@@VERSION@@-@@RELEASE@@,https://src.fedoraproject.org/rpms/shim-unsigned-aarch64
--- a/shim-unsigned-aarch64.spec
+++ b/shim-unsigned-aarch64.spec
@ -1,55 +1,46 @@
 %global pesign_vre 0.106-1
+%global gnuefi_vre 1:3.0.8-1
 %global openssl_vre 1.0.2j
-%global shim_commit_id afc49558b34548644c1cd0ad1b6526a9470182ed
-
-# For prereleases, % global prerelease rc2, and downpatch Makefile
-%if %{defined prerelease}
-%global dashpre -%{prerelease}
-%global dotpre .%{prerelease}
-%global tildepre ~%{prerelease}
-%global zdpd 0%{dotpre}.
-%endif

 %global efidir %(eval echo $(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/'))
 %global shimrootdir %{_datadir}/shim/
 %global shimversiondir %{shimrootdir}/%{version}-%{release}
 %global efiarch aa64
 %global shimdir %{shimversiondir}/%{efiarch}
+%global efialtarch arm
+%global shimaltdir %{shimversiondir}/%{efialtarch}

 %global debug_package %{nil}
 %global __debug_package 1
+%global __debug_install_post %{SOURCE100} %{efiarch} %{efialtarch}
 %global _binaries_in_noarch_packages_terminate_build 0
-%global __debug_install_post %{SOURCE100} %{efiarch}
 %undefine _debuginfo_subpackages

 # currently here's what's in our dbx: nothing
 %global dbxfile %{nil}

 Name:		shim-unsigned-aarch64
-Version:	16.1
-Release:	1
+Version:	15.4
+Release:	1%{?dist}
 Summary:	First-stage UEFI bootloader
 ExclusiveArch:	aarch64
-License:	BSD-2-Clause AND OpenSSL
+License:	BSD
 URL:		https://github.com/rhboot/shim
-Source0:	https://github.com/rhboot/shim/releases/download/%{version}%{?dashpre}/shim-%{version}%{?dotpre}.tar.bz2
+Source0:	https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2
 Source1:	fedora-ca-20200709.cer
 %if 0%{?dbxfile}
 Source2:	%{dbxfile}
 %endif
-Source3:	sbat.redhat.csv.in
-Source4:	shim.patches
+Source3:	sbat.redhat.csv

 Source100:	shim-find-debuginfo.sh

-%include %{SOURCE4}
-
 BuildRequires:	gcc make
 BuildRequires:	elfutils-libelf-devel
 BuildRequires:	git openssl-devel openssl
 BuildRequires:	pesign >= %{pesign_vre}
 BuildRequires:	dos2unix findutils
-BuildRequires:	sed
+BuildRequires:	binutils-arm-linux-gnu gcc-arm-linux-gnu

 # Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
 # compatible with SysV (there's no red zone under UEFI) and there isn't a
@ -68,14 +59,30 @@ use this package or when debugging this package.
 %description
 %desc

+%package -n shim-unsigned-%{efialtarch}
+Summary:	First-stage UEFI bootloader (unsigned data)
+Provides:	bundled(openssl) = %{openssl_vre}
+
+%description -n shim-unsigned-%{efialtarch}
+%desc
+
+%if 0
 %package debuginfo
-Summary:	Debug information for shim-unsigned-aarch64
+Summary:	Debug information for shim-unsigned-%{efiarch}
 AutoReqProv:	0
 BuildArch:	noarch

 %description debuginfo
 %debug_desc

+%package -n shim-unsigned-%{efialtarch}-debuginfo
+Summary:	Debug information for shim-unsigned-%{efialtarch}
+AutoReqProv:	0
+BuildArch:	noarch
+
+%description -n shim-unsigned-%{efialtarch}-debuginfo
+%debug_desc
+
 %package debugsource
 Summary:	Debug Source for shim-unsigned
 AutoReqProv:	0
@ -83,28 +90,28 @@ BuildArch:	noarch

 %description debugsource
 %debug_desc
+%endif

 %prep
-%autosetup -S git_am -n shim-%{version}
+%autosetup -S git -n shim-%{version}
 git config --unset user.email
 git config --unset user.name
 mkdir build-%{efiarch}
-sed -e 's/@@VERSION@@/%{version}/g' \
-    -e 's/@@RELEASE@@/%{release}/g' \
-    < %{SOURCE3} > data/sbat.redhat.csv
+mkdir build-%{efialtarch}
+cp %{SOURCE3} data/

 %build
-COMMIT_ID=%{shim_commit_id}
-MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMIT_ID=${COMMIT_ID} "
+COMMITID=$(cat commit)
+MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
 MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
 MAKEFLAGS+="ENABLE_SHIM_HASH=true "
-MAKEFLAGS+=" %{_smp_mflags} "
+MAKEFLAGS+="%{_smp_mflags}"
 if [ -f "%{SOURCE1}" ]; then
-	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1} "
+	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
 fi
 %if 0%{?dbxfile}
 if [ -f "%{SOURCE2}" ]; then
-	MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2} "
+	MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
 fi
 %endif

@ -114,17 +121,24 @@ make ${MAKEFLAGS} \
 	all
 cd ..

+cd build-%{efialtarch}
+make ${MAKEFLAGS} \
+	ARCH=%{efialtarch} CROSS_COMPILE=arm-linux-gnu- \
+	DEFAULT_LOADER='\\\\grub%{efialtarch}.efi' \
+	all
+cd ..
+
 %install
-COMMIT_ID=%{shim_commit_id}
-MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMIT_ID=${COMMIT_ID} "
+COMMITID=$(cat commit)
+MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
 MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
 MAKEFLAGS+="ENABLE_SHIM_HASH=true "
 if [ -f "%{SOURCE1}" ]; then
-	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1} "
+	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
 fi
 %if 0%{?dbxfile}
 if [ -f "%{SOURCE2}" ]; then
-	MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2} "
+	MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
 fi
 %endif

@ -132,8 +146,23 @@ cd build-%{efiarch}
 make ${MAKEFLAGS} \
 	DEFAULT_LOADER='\\\\grub%{efiarch}.efi' \
 	DESTDIR=${RPM_BUILD_ROOT} \
+%if 0
 	install-as-data install-debuginfo install-debugsource
-install -m 0644 BOOT*.CSV "${RPM_BUILD_ROOT}/%{shimdir}/"
+%else
+	install-as-data
+%endif
+cd ..
+
+cd build-%{efialtarch}
+make ${MAKEFLAGS} \
+	ARCH=%{efialtarch} CROSS_COMPILE=arm-linux-gnu- \
+	DEFAULT_LOADER='\\\\grub%{efialtarch}.efi' \
+	DESTDIR=${RPM_BUILD_ROOT} \
+%if 0
+	install-as-data install-debuginfo install-debugsource
+%else
+	install-as-data
+%endif
 cd ..

 %files
@ -145,38 +174,30 @@ cd ..
 %{shimdir}/*.hash
 %{shimdir}/*.CSV

+%files -n shim-unsigned-%{efialtarch}
+%license COPYRIGHT
+%dir %{shimrootdir}
+%dir %{shimversiondir}
+%dir %{shimaltdir}
+%{shimaltdir}/*.efi
+%{shimaltdir}/*.hash
+%{shimaltdir}/*.CSV
+
+%if 0
 %files debuginfo -f build-%{efiarch}/debugfiles.list

+%files -n shim-unsigned-%{efialtarch}-debuginfo -f build-%{efialtarch}/debugfiles.list
+
 %files debugsource -f build-%{efiarch}/debugsource.list
+%endif

 %changelog
-* Wed Sep 03 2025 Peter Jones <pjones@redhat.com> - 16.1-1
- Update to shim-16.1
-
-* Fri Mar 22 2024 Nicolas Frayer <nfrayer@redhat.com>
- Migrate to SPDX license
- Please refer to https://fedoraproject.org/wiki/Changes/SPDX_Licenses_Phase_2
-
-* Thu Mar 07 2024 Peter Jones <pjones@redhat.com> - 15.8-2
- Update to shim-15.8
-  Resolves: CVE-2023-40546
-  Resolves: CVE-2023-40547
-  Resolves: CVE-2023-40548
-  Resolves: CVE-2023-40549
-  Resolves: CVE-2023-40550
-  Resolves: CVE-2023-40551
-  Resolves: rhbz#2113005
-  Resolves: rhbz#2189197
-  Resolves: rhbz#2238884
-  Resolves: rhbz#2259264
-
-* Thu Jul 07 2022 Robbie Harwood <rharwood@redhat.com> - 15.6-2
- Add pjones's aarch64 relocation fix
- Resolves: #2101248
-
-* Wed Jun 15 2022 Peter Jones <pjones@redhat.com> - 15.6-1
- Update to shim-15.6
-  Resolves: CVE-2022-28737
+* Tue Mar 30 2021 Peter Jones <pjones@redhat.com> - 15.4-1
+- Update to shim 15.4
+  - Support for revocations via the ".sbat" section and SBAT EFI variable
+  - A new unit test framework and a bunch of unit tests
+  - No external gnu-efi dependency
+  - Better CI

 * Thu Apr 05 2018 Peter Jones <pjones@redhat.com> - 15-1
 - Update to shim 15
--- a/3
+++ b/3
@ -1 +1,2 @@
-SHA512 (shim-16.1.tar.bz2) = ca5f80e82f3b80b622028f03ef23105c98ee1b6a25f52a59c823080a3202dd4b9962266489296e99f955eb92e36ce13e0b1d57f688350006bba45f2718f159fb
+SHA512 (shim-15.tar.bz2) = f7dfac774d644111431ca56da76b5575b891b0abad970b318edaede11a0d83c869728bc39cb6af3689bdb203c6826545caf8ddd3d14228831027e334963cf957
+SHA512 (shim-15.4.tar.bz2) = b9712fe6964f60de251f1bff83914c4aac0f6430474c44741c059f31b72c2d5987c313cbb5e8bc07bfd04e61e6b511ea2d19a9975cde8c6127bc05f2de834526
				`@ -0,0 +1 @@`
				`shim.redhat,1,The Fedora Project,shim,15.3,https://src.fedoraproject.org/rpms/shim-unsigned-x64`