diff --git a/SOURCES/0001-Fix-the-potential-buffer-overflow.patch b/SOURCES/0001-Fix-the-potential-buffer-overflow.patch new file mode 100644 index 00000000..ef8518fe --- /dev/null +++ b/SOURCES/0001-Fix-the-potential-buffer-overflow.patch @@ -0,0 +1,36 @@ +From 1313fa02a5b2bfe61ee6702696600fc148ec2d6e Mon Sep 17 00:00:00 2001 +From: Gary Ching-Pang Lin +Date: Tue, 4 Nov 2014 15:50:03 +0800 +Subject: [PATCH 1/7] Fix the potential buffer overflow + +Signed-off-by: Gary Ching-Pang Lin +--- + src/mokutil.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/src/mokutil.c b/src/mokutil.c +index 5b34f22..93fb6fa 100644 +--- a/src/mokutil.c ++++ b/src/mokutil.c +@@ -1743,7 +1743,7 @@ set_toggle (const char * VarName, uint32_t state) + MokToggleVar tvar; + char *password = NULL; + unsigned int pw_len; +- efi_char16_t efichar_pass[SB_PASSWORD_MAX]; ++ efi_char16_t efichar_pass[SB_PASSWORD_MAX+1]; + int ret = -1; + + printf ("password length: %d~%d\n", SB_PASSWORD_MIN, SB_PASSWORD_MAX); +@@ -1757,8 +1757,7 @@ set_toggle (const char * VarName, uint32_t state) + efichar_from_char (efichar_pass, password, + SB_PASSWORD_MAX * sizeof(efi_char16_t)); + +- memcpy(tvar.password, efichar_pass, +- SB_PASSWORD_MAX * sizeof(efi_char16_t)); ++ memcpy(tvar.password, efichar_pass, sizeof(tvar.password)); + + tvar.mok_toggle_state = state; + +-- +2.7.4 + diff --git a/SOURCES/0002-Fix-the-32bit-signedness-comparison.patch b/SOURCES/0002-Fix-the-32bit-signedness-comparison.patch new file mode 100644 index 00000000..de24b1c7 --- /dev/null +++ b/SOURCES/0002-Fix-the-32bit-signedness-comparison.patch @@ -0,0 +1,34 @@ +From cdb4b6f3bfd6ada6558ddfb889e27150f0841b28 Mon Sep 17 00:00:00 2001 +From: Gary Ching-Pang Lin +Date: Mon, 24 Nov 2014 11:38:54 +0800 +Subject: [PATCH 2/7] Fix the 32bit signedness comparison + +--- + src/mokutil.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/mokutil.c b/src/mokutil.c +index 93fb6fa..a7e83f7 100644 +--- a/src/mokutil.c ++++ b/src/mokutil.c +@@ -1284,7 +1284,7 @@ issue_mok_request (char **files, uint32_t total, MokRequest req, + + /* Mok */ + read_size = read (fd, ptr, sizes[i]); +- if (read_size < 0 || read_size != sizes[i]) { ++ if (read_size < 0 || read_size != (int64_t)sizes[i]) { + fprintf (stderr, "Failed to read %s\n", files[i]); + goto error; + } +@@ -1645,7 +1645,7 @@ export_moks () + goto error; + } + +- while (offset < list[i].mok_size) { ++ while (offset < (int64_t)list[i].mok_size) { + write_size = write (fd, list[i].mok + offset, + list[i].mok_size - offset); + if (write_size < 0) { +-- +2.7.4 + diff --git a/SOURCES/0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch b/SOURCES/0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch new file mode 100644 index 00000000..80a677a3 --- /dev/null +++ b/SOURCES/0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch @@ -0,0 +1,42 @@ +From 9eb111a7f7b897ba4ae19a68708e010a5c384260 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Fri, 19 Jun 2015 16:53:36 -0400 +Subject: [PATCH 3/7] Build with -fshort-wchar so toggle passwords work right. + +This source tree uses: + +typedef wchar_t efi_char16_t; + +to define UEFI's UCS-2 character type. On many platforms, wchar_t is +32-bits by default. As a result, efichar_from_char winds up writing +4-byte characters instead of 2-byte characters. In the case where we +hash the password in mokutil, this works fine, because the same datatype +is used, and the values are the same. But for our feature toggles, +where we store the raw data and shim is interpretting the character +array, every other character winds up being L'\0', and verification +fails. + +So always build with -fshort-wchar to ensure we get 2-byte character +storage. + +Signed-off-by: Peter Jones +--- + configure.ac | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/configure.ac b/configure.ac +index fe28fb9..69d412a 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -37,7 +37,7 @@ else + default_strict=no + fi + +-WARNINGFLAGS_C="$WARNINGFLAGS_C -std=gnu11" ++WARNINGFLAGS_C="$WARNINGFLAGS_C -std=gnu11 -fshort-wchar" + + AC_ARG_ENABLE(strict, AS_HELP_STRING([--enable-strict],[Enable strict compilation options]), enable_strict=$enableval, + enable_strict=$default_strict) +-- +2.7.4 + diff --git a/SOURCES/0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch b/SOURCES/0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch new file mode 100644 index 00000000..3e75fda0 --- /dev/null +++ b/SOURCES/0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch @@ -0,0 +1,32 @@ +From ecc8fb0d92f0f453414a98172df22e23fb5893f5 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Tue, 16 Jun 2015 17:06:30 -0400 +Subject: [PATCH 4/7] Don't allow sha1 on the mokutil command line. + +Related: rhbz#1115843 + +Signed-off-by: Peter Jones +--- + src/mokutil.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/mokutil.c b/src/mokutil.c +index a7e83f7..1fb34f9 100644 +--- a/src/mokutil.c ++++ b/src/mokutil.c +@@ -1351,10 +1351,12 @@ identify_hash_type (const char *hash_str, efi_guid_t *type) + } + + switch (len) { ++#if 0 + case SHA_DIGEST_LENGTH*2: + *type = efi_guid_sha1; + hash_size = SHA_DIGEST_LENGTH; + break; ++#endif + case SHA224_DIGEST_LENGTH*2: + *type = efi_guid_sha224; + hash_size = SHA224_DIGEST_LENGTH; +-- +2.7.4 + diff --git a/SOURCES/0005-Make-all-efi_guid_t-const.patch b/SOURCES/0005-Make-all-efi_guid_t-const.patch new file mode 100644 index 00000000..0e12a37e --- /dev/null +++ b/SOURCES/0005-Make-all-efi_guid_t-const.patch @@ -0,0 +1,87 @@ +From eba569a8e6c33f07042758cbfa1706d7339464e1 Mon Sep 17 00:00:00 2001 +From: Gary Lin +Date: Wed, 13 Jan 2016 16:05:21 +0800 +Subject: [PATCH 5/7] Make all efi_guid_t const + +All UEFI GUIDs defined in efivar are const. Declare all of them const +to make gcc happy. + +Signed-off-by: Gary Lin +--- + src/mokutil.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/src/mokutil.c b/src/mokutil.c +index 1fb34f9..d2c52b4 100644 +--- a/src/mokutil.c ++++ b/src/mokutil.c +@@ -200,7 +200,7 @@ efichar_from_char (efi_char16_t *dest, const char *src, size_t dest_len) + } + + static uint32_t +-efi_hash_size (efi_guid_t *hash_type) ++efi_hash_size (const efi_guid_t *hash_type) + { + if (efi_guid_cmp (hash_type, &efi_guid_sha1) == 0) { + return SHA_DIGEST_LENGTH; +@@ -218,7 +218,7 @@ efi_hash_size (efi_guid_t *hash_type) + } + + static uint32_t +-signature_size (efi_guid_t *hash_type) ++signature_size (const efi_guid_t *hash_type) + { + uint32_t hash_size; + +@@ -439,7 +439,7 @@ list_keys (uint8_t *data, size_t data_size) + + /* match the hash in the hash array and return the index if matched */ + static int +-match_hash_array (efi_guid_t *hash_type, const void *hash, ++match_hash_array (const efi_guid_t *hash_type, const void *hash, + const void *hash_array, const uint32_t array_size) + { + uint32_t hash_size, hash_count; +@@ -469,8 +469,8 @@ match_hash_array (efi_guid_t *hash_type, const void *hash, + } + + static int +-delete_data_from_list (efi_guid_t *var_guid, const char *var_name, +- efi_guid_t *type, void *data, uint32_t data_size) ++delete_data_from_list (const efi_guid_t *var_guid, const char *var_name, ++ const efi_guid_t *type, void *data, uint32_t data_size) + { + uint8_t *var_data = NULL; + size_t var_data_size = 0; +@@ -1006,8 +1006,8 @@ is_valid_cert (void *cert, uint32_t cert_size) + } + + static int +-is_duplicate (efi_guid_t *type, const void *data, const uint32_t data_size, +- efi_guid_t *vendor, const char *db_name) ++is_duplicate (const efi_guid_t *type, const void *data, const uint32_t data_size, ++ const efi_guid_t *vendor, const char *db_name) + { + uint8_t *var_data; + size_t var_data_size; +@@ -1059,7 +1059,7 @@ done: + } + + static int +-is_valid_request (efi_guid_t *type, void *mok, uint32_t mok_size, ++is_valid_request (const efi_guid_t *type, void *mok, uint32_t mok_size, + MokRequest req) + { + switch (req) { +@@ -1096,7 +1096,7 @@ is_valid_request (efi_guid_t *type, void *mok, uint32_t mok_size, + } + + static int +-in_pending_request (efi_guid_t *type, void *data, uint32_t data_size, ++in_pending_request (const efi_guid_t *type, void *data, uint32_t data_size, + MokRequest req) + { + uint8_t *authvar_data; +-- +2.7.4 + diff --git a/SOURCES/0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch b/SOURCES/0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch new file mode 100644 index 00000000..a0d87f31 --- /dev/null +++ b/SOURCES/0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch @@ -0,0 +1,37 @@ +From b68dca2d4de779387c4b5306bb9cfc9a3bab2572 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Tue, 14 Jun 2016 10:19:43 -0400 +Subject: [PATCH 6/7] mokutil: be explicit about file modes in all cases. + +Signed-off-by: Peter Jones +--- + src/mokutil.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/src/mokutil.c b/src/mokutil.c +index d2c52b4..d554f6c 100644 +--- a/src/mokutil.c ++++ b/src/mokutil.c +@@ -574,7 +574,8 @@ delete_data_from_list (const efi_guid_t *var_guid, const char *var_name, + | EFI_VARIABLE_BOOTSERVICE_ACCESS + | EFI_VARIABLE_RUNTIME_ACCESS; + ret = efi_set_variable (*var_guid, var_name, +- var_data, total, attributes); ++ var_data, total, attributes, ++ S_IRUSR | S_IWUSR); + if (ret < 0) { + fprintf (stderr, "Failed to write variable \"%s\": %m\n", + var_name); +@@ -938,7 +939,8 @@ update_request (void *new_list, int list_len, MokRequest req, + data_size = list_len; + + if (efi_set_variable (efi_guid_shim, req_name, +- data, data_size, attributes) < 0) { ++ data, data_size, attributes, ++ S_IRUSR | S_IWUSR) < 0) { + switch (req) { + case ENROLL_MOK: + fprintf (stderr, "Failed to enroll new keys\n"); +-- +2.7.4 + diff --git a/SOURCES/0007-Add-bash-completion-file.patch b/SOURCES/0007-Add-bash-completion-file.patch new file mode 100644 index 00000000..725ad662 --- /dev/null +++ b/SOURCES/0007-Add-bash-completion-file.patch @@ -0,0 +1,98 @@ +From d16c76d139f9a9a56b49c0dd51cd9056f626031e Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Tue, 14 Jun 2016 10:20:14 -0400 +Subject: [PATCH 7/7] Add bash completion file. + +Signed-off-by: Peter Jones +--- + Makefile.am | 5 +++++ + configure.ac | 17 +++++++++++++++++ + data/mokutil | 37 +++++++++++++++++++++++++++++++++++++ + 3 files changed, 59 insertions(+) + create mode 100755 data/mokutil + +diff --git a/Makefile.am b/Makefile.am +index 9f0d419..c17cc4a 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -1 +1,6 @@ + SUBDIRS = src man ++ ++if ENABLE_BASH_COMPLETION ++ bashcompletiondir = $(BASH_COMPLETION_DIR) ++ dist_bashcompletion_DATA = data/mokutil ++endif +diff --git a/configure.ac b/configure.ac +index 69d412a..7b52a06 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -86,6 +86,23 @@ AC_CHECK_FUNCS([memset]) + PKG_CHECK_MODULES(OPENSSL, [openssl >= 0.9.8]) + PKG_CHECK_MODULES(EFIVAR, [efivar >= 0.12]) + ++AC_ARG_WITH([bash-completion-dir], ++ AS_HELP_STRING([--with-bash-completion-dir[=PATH]], ++ [Install the bash auto-completion script in this directory. @<:@default=yes@:>@]), ++ [], ++ [with_bash_completion_dir=yes]) ++ ++if test "x$with_bash_completion_dir" = "xyes"; then ++ PKG_CHECK_MODULES([BASH_COMPLETION], [bash-completion >= 2.0], ++ [BASH_COMPLETION_DIR="`pkg-config --variable=completionsdir bash-completion`"], ++ [BASH_COMPLETION_DIR="$datadir/bash-completion/completions"]) ++else ++ BASH_COMPLETION_DIR="$with_bash_completion_dir" ++fi ++ ++AC_SUBST([BASH_COMPLETION_DIR]) ++AM_CONDITIONAL([ENABLE_BASH_COMPLETION],[test "x$with_bash_completion_dir" != "xno"]) ++ + AC_CONFIG_FILES([Makefile + src/Makefile + man/Makefile]) +diff --git a/data/mokutil b/data/mokutil +new file mode 100755 +index 0000000..800b039 +--- /dev/null ++++ b/data/mokutil +@@ -0,0 +1,37 @@ ++#!/bin/bash ++ ++_mokutil() ++{ ++ local cur=${COMP_WORDS[COMP_CWORD]} ++ ++ if [[ "$cur" == -* ]]; then ++ #COMPREPLY=( $( compgen -W "--help --list-enrolled --list-new --list-delete --import --delete --revoke-import --revoke-delete --export --password --clear-password --disable-validation --enable-validation --sb-state --test-key --reset --generate-hash --hash-file --root-pw --simple-hash" -- $cur ) ) ++ COMPREPLY=( $( compgen -W '$( _parse_help "$1" --long-help ) -h -l -N -D -i -d -x -p -c -t -f -g -P -s -X' -- "$cur" ) ) ++ [[ $COMPREPLY == *= ]] && compopt -o nospace ++ return 0 ++ fi ++ ++ case "${COMP_WORDS[COMP_CWORD-1]}" in ++ --import|-i|--delete|-d|--test-key|-t|--hash-file|-f) ++ _filedir ++ return 0 ++ ;; ++ --import-hash|--delete-hash) ++ COMPREPLY=( $( compgen -W "" ) ) ++ return 0 ++ ;; ++ --set-verbosity) ++ COMPREPLY=( $( compgen -W "true false") ) ++ return 0 ++ ;; ++ --generate-hash|-g) ++ COMPREPLY=( $( compgen -o nospace -P= -W "") ) ++ return 0 ++ ;; ++ *) ++ return 0 ++ ;; ++ esac ++} ++ ++complete -F _mokutil mokutil +-- +2.7.4 + diff --git a/SOURCES/BOOTAA64.CSV b/SOURCES/BOOTAA64.CSV new file mode 100644 index 00000000..2e50e37e Binary files /dev/null and b/SOURCES/BOOTAA64.CSV differ diff --git a/SOURCES/BOOTIA32.CSV b/SOURCES/BOOTIA32.CSV new file mode 100644 index 00000000..fa942bb1 Binary files /dev/null and b/SOURCES/BOOTIA32.CSV differ diff --git a/SOURCES/BOOTX64.CSV b/SOURCES/BOOTX64.CSV new file mode 100644 index 00000000..556c5d1e Binary files /dev/null and b/SOURCES/BOOTX64.CSV differ diff --git a/SOURCES/shimia32.efi b/SOURCES/shimia32.efi new file mode 100644 index 00000000..1684d9f8 Binary files /dev/null and b/SOURCES/shimia32.efi differ diff --git a/SOURCES/shimx64.efi b/SOURCES/shimx64.efi new file mode 100644 index 00000000..fc637756 Binary files /dev/null and b/SOURCES/shimx64.efi differ diff --git a/SPECS/shim-signed.spec b/SPECS/shim-signed.spec new file mode 100644 index 00000000..a134e50d --- /dev/null +++ b/SPECS/shim-signed.spec @@ -0,0 +1,424 @@ +Name: shim-signed +Version: 12 +Release: 1%{?dist}%{?buildid} +Summary: First-stage UEFI bootloader +%define unsigned_release 1%{?dist} + +License: BSD +URL: http://www.codon.org.uk/~mjg59/shim/ +# incorporate mokutil for packaging simplicity +%global mokutil_version 0.3.0 +Source0: https://github.com/lcp/mokutil/archive/mokutil-%{mokutil_version}.tar.gz +Patch0001: 0001-Fix-the-potential-buffer-overflow.patch +Patch0002: 0002-Fix-the-32bit-signedness-comparison.patch +Patch0003: 0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch +Patch0004: 0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch +Patch0005: 0005-Make-all-efi_guid_t-const.patch +Patch0006: 0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch +Patch0007: 0007-Add-bash-completion-file.patch + +Source1: powerel.crt +Source10: shimx64.efi +Source11: shimia32.efi +#Source12: shimaa64.efi +Source20: BOOTX64.CSV +Source21: BOOTIA32.CSV +Source22: BOOTAA64.CSV + +%ifarch x86_64 +%global efiarch X64 +%global efiarchlc x64 +%global shimsrc %{SOURCE10} +%global bootsrc %{SOURCE20} + +%global shimsrcia32 %{SOURCE11} +%global bootsrcia32 %{SOURCE21} +%define unsigned_dir_ia32 %{_datadir}/shim/ia32-%{version}-%{unsigned_release}/ +%endif +%ifarch aarch64 +%global efiarch AA64 +%global efiarchlc aa64 +#%global shimsrc %{SOURCE12} +%global bootsrc %{SOURCE22} +%endif +%define unsigned_dir %{_datadir}/shim/%{efiarchlc}-%{version}-%{unsigned_release}/ + +BuildRequires: git +BuildRequires: openssl-devel openssl +BuildRequires: pesign >= 0.106-5%{dist} +BuildRequires: efivar-devel +BuildRequires: shim-unsigned-%{efiarchlc} = %{version}-%{unsigned_release} +%ifarch x86_64 +BuildRequires: shim-unsigned-ia32 = %{version}-%{unsigned_release} +%endif + +# for mokutil's configure +BuildRequires: autoconf automake + +# Shim is only required on platforms implementing the UEFI secure boot +# protocol. The only one of those we currently wish to support is 64-bit x86. +# Adding further platforms will require adding appropriate relocation code. +ExclusiveArch: x86_64 aarch64 + +%define debug_package \ +%ifnarch noarch\ +%global __debug_package 1\ +%package -n mokutil-debuginfo\ +Summary: Debug information for package %{name}\ +Group: Development/Debug\ +AutoReqProv: 0\ +%description -n mokutil-debuginfo\ +This package provides debug information for package %{name}.\ +Debug information is useful when developing applications that use this\ +package or when debugging this package.\ +%files -n mokutil-debuginfo -f debugfiles.list\ +%defattr(-,root,root)\ +%endif\ +%{nil} + +# Figure out the right file path to use +%global efidir powerel + +%define ca_signed_arches x86_64 +%define rh_signed_arches x86_64 aarch64 + +%description +Initial UEFI bootloader that handles chaining to a trusted full bootloader +under secure boot environments. This package contains the version signed by +the UEFI signing service. + +%package -n shim-%{efiarchlc} +Summary: First-stage UEFI bootloader +Requires: mokutil = %{version}-%{release} +Provides: shim = %{version}-%{release} +Obsoletes: shim +# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not +# compatible with SysV (there's no red zone under UEFI) and there isn't a +# POSIX-style C library. +# BuildRequires: OpenSSL +Provides: bundled(openssl) = 0.9.8zb + +%description -n shim-%{efiarchlc} +Initial UEFI bootloader that handles chaining to a trusted full bootloader +under secure boot environments. This package contains the version signed by +the UEFI signing service. + +%ifarch x86_64 +%package -n shim-ia32 +Summary: First-stage UEFI bootloader +Requires: mokutil = %{version}-%{release} +# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not +# compatible with SysV (there's no red zone under UEFI) and there isn't a +# POSIX-style C library. +# BuildRequires: OpenSSL +Provides: bundled(openssl) = 0.9.8zb + +%description -n shim-ia32 +Initial UEFI bootloader that handles chaining to a trusted full bootloader +under secure boot environments. This package contains the version signed by +the UEFI signing service. +%endif + +%package -n mokutil +Summary: Utilities for managing Secure Boot/MoK keys. + +%description -n mokutil +Utilities for managing the "Machine's Own Keys" list. + +%prep +%setup -T -q -a 0 -n shim-signed-%{version} -c +git init +git config user.email "example@example.com" +git config user.name "rpmbuild -bp" +git add . +git commit -a -q -m "%{version} baseline." +cd mokutil-%{mokutil_version} +git am --ignore-whitespace --directory=mokutil-%{mokutil_version} %{patches} shim%{efiarchlc}.hash +if ! cmp shim%{efiarchlc}.hash %{unsigned_dir}shim%{efiarchlc}.hash ; then + echo Invalid signature\! > /dev/stderr + echo saved hash is $(cat %{unsigned_dir}shim%{efiarchlc}.hash) > /dev/stderr + echo shim%{efiarchlc}.efi hash is $(cat shim%{efiarchlc}.hash) > /dev/stderr + exit 1 +fi +cp %{shimsrc} shim%{efiarchlc}.efi +%ifarch x86_64 +pesign -i %{shimsrcia32} -h -P > shimia32.hash +if ! cmp shimia32.hash %{unsigned_dir_ia32}shimia32.hash ; then + echo Invalid signature\! > /dev/stderr + echo saved hash is $(cat %{unsigned_dir_ia32}shimia32.hash) > /dev/stderr + echo shimia32.efi hash is $(cat shimia32.hash) > /dev/stderr + exit 1 +fi +cp %{shimsrcia32} shimia32.efi +%endif +%endif +%ifarch %{rh_signed_arches} +%pesign -s -i %{unsigned_dir}shim%{efiarchlc}.efi -a %{SOURCE1} -c %{SOURCE1} -o shim%{efiarchlc}-%{efidir}.efi +%ifarch x86_64 +%pesign -s -i %{unsigned_dir_ia32}shimia32.efi -a %{SOURCE1} -c %{SOURCE1} -o shimia32-%{efidir}.efi +%endif +%endif +%ifarch %{rh_signed_arches} +%ifnarch %{ca_signed_arches} +cp shim%{efiarchlc}-%{efidir}.efi shim%{efiarchlc}.efi +%endif +%endif + +%pesign -s -i %{unsigned_dir}mm%{efiarchlc}.efi -o mm%{efiarchlc}.efi -a %{SOURCE1} -c %{SOURCE1} +%pesign -s -i %{unsigned_dir}fb%{efiarchlc}.efi -o fb%{efiarchlc}.efi -a %{SOURCE1} -c %{SOURCE1} + +%ifarch x86_64 +%pesign -s -i %{unsigned_dir_ia32}mmia32.efi -o mmia32.efi -a %{SOURCE1} -c %{SOURCE1} +%pesign -s -i %{unsigned_dir_ia32}fbia32.efi -o fbia32.efi -a %{SOURCE1} -c %{SOURCE1} +%endif + +cd mokutil-%{mokutil_version} +./autogen.sh +%configure +make %{?_smp_mflags} + +%install +rm -rf $RPM_BUILD_ROOT +install -D -d -m 0755 $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/ +install -m 0644 shim%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{efiarchlc}.efi +install -m 0644 shim%{efiarchlc}-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi +install -m 0644 mm%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/mm%{efiarchlc}.efi +install -m 0644 %{bootsrc} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT%{efiarch}.CSV + +install -D -d -m 0755 $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/ +install -m 0644 shim%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/BOOT%{efiarch}.EFI +install -m 0644 fb%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fb%{efiarchlc}.efi + +%ifarch aarch64 +# In case old boot entries aren't updated +install -m 0644 %{shimsrc} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim.efi +%endif + +%ifarch x86_64 +# In case old boot entries aren't updated +install -m 0644 shimx64.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim.efi +install -m 0644 %{bootsrc} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT.CSV + +install -m 0644 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32.efi +install -m 0644 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32.efi +install -m 0644 shimia32-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi +install -m 0644 mmia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/mmia32.efi +install -m 0644 %{bootsrcia32} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOTIA32.CSV + +install -m 0644 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/BOOTIA32.EFI +install -m 0644 fbia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fbia32.efi +%endif + +cd mokutil-%{mokutil_version} +make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install + +%files -n shim-%{efiarchlc} +/boot/efi/EFI/%{efidir}/shim%{efiarchlc}.efi +/boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi +/boot/efi/EFI/%{efidir}/mm%{efiarchlc}.efi +/boot/efi/EFI/%{efidir}/BOOT%{efiarch}.CSV +/boot/efi/EFI/BOOT/BOOT%{efiarch}.EFI +/boot/efi/EFI/BOOT/fb%{efiarchlc}.efi +/boot/efi/EFI/%{efidir}/shim.efi + +%ifarch x86_64 +/boot/efi/EFI/%{efidir}/BOOT.CSV + +%files -n shim-ia32 +/boot/efi/EFI/%{efidir}/shimia32.efi +/boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi +/boot/efi/EFI/%{efidir}/mmia32.efi +/boot/efi/EFI/%{efidir}/BOOTIA32.CSV +/boot/efi/EFI/BOOT/BOOTIA32.EFI +/boot/efi/EFI/BOOT/fbia32.efi +%endif + +%files -n mokutil +%{!?_licensedir:%global license %%doc} +%license mokutil-%{mokutil_version}/COPYING +%doc mokutil-%{mokutil_version}/README +%{_bindir}/mokutil +%{_mandir}/man1/* +%{_datadir}/bash-completion/completions/mokutil + +%changelog +* Mon May 01 2017 Peter Jones - 12-1 +- Update to 12-1 to work around a signtool.exe bug + Resolves: rhbz#1445393 + +* Mon Apr 24 2017 Peter Jones - 11-4 +- Another shot at better obsoletes. + Related: rhbz#1310764 + +* Mon Apr 24 2017 Peter Jones - 11-3 +- Fix Obsoletes + Related: rhbz#1310764 + +* Thu Apr 13 2017 Peter Jones - 11-2 +- Make sure Aarch64 still has shim.efi as well + Related: rhbz#1310766 + +* Wed Apr 12 2017 Peter Jones - 11-1 +- Rebuild with signed shim + Related: rhbz#1310766 + +* Mon Apr 03 2017 Peter Jones - 11-0.1 +- Update to 11-0.1 to match shim-11-1 + Related: rhbz#1310766 +- Fix regression in PE loader + Related: rhbz#1310766 +- Fix case where BDS invokes us wrong and we exec shim again as a result + Related: rhbz#1310766 + +* Mon Mar 27 2017 Peter Jones - 10-0.1 +- Support ia32 + Resolves: rhbz#1310766 +- Handle various different load option implementation differences +- TPM 1 and TPM 2 support. +- Update to OpenSSL 1.0.2k + +* Mon Jul 20 2015 Peter Jones - 0.9-2 +- Apparently I'm *never* going to learn to build this in the right target + the first time through. + Related: rhbz#1100048 + +* Mon Jun 29 2015 Peter Jones - 0.9-0.1 +- Bump version for 0.9 + Also use mokutil-0.3.0 + Related: rhbz#1100048 + +* Tue Jun 23 2015 Peter Jones - 0.7-14.1 +- Fix mokutil_version usage. + Related: rhbz#1100048 + +* Mon Jun 22 2015 Peter Jones - 0.7-14 +- Pull in aarch64 build so they can compose that tree. + (-14 to match -unsigned) + Related: rhbz#1100048 + +* Wed Feb 25 2015 Peter Jones - 0.7-12 +- Fix some minor build bugs on Aarch64 + Related: rhbz#1190191 + +* Tue Feb 24 2015 Peter Jones - 0.7-11 +- Fix section loading on Aarch64 + Related: rhbz#1190191 + +* Wed Dec 17 2014 Peter Jones - 0.7-10 +- Rebuild for Aarch64 to get \EFI\BOOT\BOOTAA64.EFI named right. + (I managed to fix the inputs but not the outputs in -9.) + Related: rhbz#1100048 + +* Wed Dec 17 2014 Peter Jones - 0.7-9 +- Rebuild for Aarch64 to get \EFI\BOOT\BOOTAA64.EFI named right. + Related: rhbz#1100048 + +* Tue Oct 21 2014 Peter Jones - 0.7-8 +- Build for aarch64 as well + Related: rhbz#1100048 +- out-of-bounds memory read flaw in DHCPv6 packet processing + Resolves: CVE-2014-3675 +- heap-based buffer overflow flaw in IPv6 address parsing + Resolves: CVE-2014-3676 +- memory corruption flaw when processing Machine Owner Keys (MOKs) + Resolves: CVE-2014-3677 + +* Tue Sep 23 2014 Peter Jones - 0.7-7 +- Make sure we use the right keys on Aarch64. + (It's only a demo at this stage.) + Related: rhbz#1100048 + +* Tue Sep 23 2014 Peter Jones - 0.7-6 +- Add ARM Aarch64. + Related: rhbz#1100048 + +* Thu Feb 27 2014 Peter Jones - 0.7-5.2 +- Get the right signatures on shim-redhat.efi + Related: rhbz#1064449 + +* Thu Feb 27 2014 Peter Jones - 0.7-5.1 +- Update for signed shim for RHEL 7 + Resolves: rhbz#1064449 + +* Thu Nov 21 2013 Peter Jones - 0.7-5 +- Fix shim-unsigned deps. + Related: rhbz#1032583 + +* Thu Nov 21 2013 Peter Jones - 0.7-4 +- Make dhcp4 work better. + Related: rhbz#1032583 + +* Thu Nov 14 2013 Peter Jones - 0.7-3 +- Make lockdown include UEFI and other KEK/DB entries. + Related: rhbz#1030492 + +* Fri Nov 08 2013 Peter Jones - 0.7-2 +- Handle SetupMode better in lockdown as well + Related: rhbz#996863 + +* Wed Nov 06 2013 Peter Jones - 0.7-1 +- Don't treat SetupMode variable's presence as meaning we're in SetupMode. + Related: rhbz#996863 + +* Wed Nov 06 2013 Peter Jones - 0.6-3 +- Use the correct CA and signer certificates. + Related: rhbz#996863 + +* Thu Oct 31 2013 Peter Jones - 0.6-1 +- Update to 0.6-1 + Resolves: rhbz#1008379 + +* Wed Aug 07 2013 Peter Jones - 0.4-3.2 +- Depend on newer pesign. + Related: rhbz#989442 + +* Tue Aug 06 2013 Peter Jones - 0.4-3.1 +- Rebuild with newer pesign + Related: rhbz#989442 + +* Tue Aug 06 2013 Peter Jones - 0.4-3 +- Update for RHEL signing with early test keys. + Related: rhbz#989442 + +* Thu Jun 20 2013 Peter Jones - 0.4-1 +- Provide a fallback for uninitialized Boot#### and BootOrder + Resolves: rhbz#963359 +- Move all signing from shim-unsigned to here +- properly compare our generated hash from shim-unsigned with the hash of + the signed binary (as opposed to doing it manually) + +* Fri May 31 2013 Peter Jones - 0.2-4.4 +- Re-sign to get alignments that match the new specification. + Resolves: rhbz#963361 + +* Thu Feb 14 2013 Fedora Release Engineering - 0.2-4.3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Wed Jan 02 2013 Peter Jones - 0.2-3.3 +- Add obsoletes and provides for earlier shim-signed packages, to cover + the package update cases where previous versions were installed. + Related: rhbz#888026 + +* Mon Dec 17 2012 Peter Jones - 0.2-3.2 +- Make the shim-unsigned dep be on the subpackage. + +* Sun Dec 16 2012 Peter Jones - 0.2-3.1 +- Rebuild to provide "shim" package directly instead of just as a Provides: + +* Sat Dec 15 2012 Peter Jones - 0.2-3 +- Also provide shim-fedora.efi, signed only by the fedora signer. +- Fix the fedora signature on the result to actually be correct. +- Update for shim-unsigned 0.2-3 + +* Mon Dec 03 2012 Peter Jones - 0.2-2 +- Initial build