Toshaan Bharvani
1 year ago
commit
edf54df1ce
5 changed files with 353 additions and 0 deletions
Binary file not shown.
@ -0,0 +1,95 @@
@@ -0,0 +1,95 @@
|
||||
#!/bin/bash |
||||
# |
||||
# shim-find-debuginfo.sh |
||||
# Copyright (C) 2017 Peter Jones <Peter Jones@random> |
||||
# |
||||
# Distributed under terms of the GPLv3 license. |
||||
# |
||||
set -e |
||||
set -u |
||||
|
||||
mainarch=$1 && shift |
||||
if [ $# == 1 ]; then |
||||
altarch=$1 && shift |
||||
fi |
||||
if ! [ -v RPM_BUILD_ROOT ]; then |
||||
echo "RPM_BUILD_ROOT must be set" 1>&2 |
||||
exit 1 |
||||
fi |
||||
|
||||
findsource() |
||||
{ |
||||
( |
||||
cd "${RPM_BUILD_ROOT}" |
||||
find usr/src/debug/ -type d | sed -e "s,^,%dir /," | sort -u | tac |
||||
find usr/src/debug/ -type f | sed -e "s,^,/," | sort -u | tac |
||||
) |
||||
} |
||||
|
||||
finddebug() |
||||
{ |
||||
arch=$1 && shift |
||||
declare -a dirs=() |
||||
declare -a files=() |
||||
declare -a excludes=() |
||||
declare -a tmp=() |
||||
|
||||
pushd "${RPM_BUILD_ROOT}" >/dev/null 2>&1 |
||||
|
||||
mapfile -t tmp < <(find usr/lib/debug/ -type f -iname "*.efi.debug") |
||||
for x in "${tmp[@]}" ; do |
||||
if ! [ -e "${x}" ]; then |
||||
break |
||||
fi |
||||
if [[ ${x} =~ ${arch}\.efi\.debug$ ]]; then |
||||
files[${#files[@]}]=${x} |
||||
else |
||||
excludes[${#excludes[@]}]=${x} |
||||
fi |
||||
done |
||||
for x in usr/lib/debug/.build-id/*/*.debug ; do |
||||
if ! [ -e "${x}" ]; then |
||||
break |
||||
fi |
||||
link=$(readlink "${x}") |
||||
if [[ ${link} =~ ${arch}\.efi\.debug$ ]]; then |
||||
files[${#files[@]}]=${x} |
||||
files[${#files[@]}]=${x%%.debug} |
||||
else |
||||
excludes[${#excludes[@]}]=${x} |
||||
excludes[${#excludes[@]}]=${x%%.debug} |
||||
fi |
||||
done |
||||
for x in "${files[@]}" ; do |
||||
declare name |
||||
|
||||
name=$(dirname "/${x}") |
||||
while [ "${name}" != "/" ]; do |
||||
case "${name}" in |
||||
"/usr/lib/debug"|"/usr/lib"|"/usr") |
||||
;; |
||||
*) |
||||
dirs[${#dirs[@]}]=${name} |
||||
;; |
||||
esac |
||||
name=$(dirname "${name}") |
||||
done |
||||
done |
||||
|
||||
popd >/dev/null 2>&1 |
||||
for x in "${dirs[@]}" ; do |
||||
echo "%dir ${x}" |
||||
done | sort | uniq |
||||
for x in "${files[@]}" ; do |
||||
echo "/${x}" |
||||
done | sort | uniq |
||||
for x in "${excludes[@]}" ; do |
||||
echo "%exclude /${x}" |
||||
done |
||||
} |
||||
|
||||
findsource > "build-${mainarch}/debugsource.list" |
||||
finddebug "${mainarch}" > "build-${mainarch}/debugfiles.list" |
||||
if [ -v altarch ]; then |
||||
finddebug "${altarch}" > "build-${altarch}/debugfiles.list" |
||||
fi |
||||
@ -0,0 +1,257 @@
@@ -0,0 +1,257 @@
|
||||
%global pesign_vre 0.106-1 |
||||
%global openssl_vre 1.0.2j |
||||
|
||||
%global efidir %(eval echo $(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/')) |
||||
%global shimrootdir %{_datadir}/shim/ |
||||
%global shimversiondir %{shimrootdir}/%{version}-%{release} |
||||
%global efiarch x64 |
||||
%global shimdir %{shimversiondir}/%{efiarch} |
||||
%global efialtarch ia32 |
||||
%global shimaltdir %{shimversiondir}/%{efialtarch} |
||||
|
||||
%global debug_package %{nil} |
||||
%global __debug_package 1 |
||||
%global _binaries_in_noarch_packages_terminate_build 0 |
||||
%global __debug_install_post %{SOURCE100} %{efiarch} %{efialtarch} |
||||
%undefine _debuginfo_subpackages |
||||
|
||||
# currently here's what's in our dbx: nothing |
||||
%global dbxfile %{nil} |
||||
|
||||
Name: shim-unsigned-%{efiarch} |
||||
Version: 15.6 |
||||
Release: 1.el9 |
||||
Summary: First-stage UEFI bootloader |
||||
ExclusiveArch: x86_64 |
||||
License: BSD |
||||
URL: https://github.com/rhboot/shim |
||||
Source0: https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2 |
||||
Source1: redhatsecurebootca5.cer |
||||
%if 0%{?dbxfile} |
||||
Source2: %{dbxfile} |
||||
%endif |
||||
Source3: sbat.redhat.csv |
||||
Source4: shim.patches |
||||
|
||||
Source100: shim-find-debuginfo.sh |
||||
|
||||
%include %{SOURCE4} |
||||
|
||||
BuildRequires: gcc make |
||||
BuildRequires: elfutils-libelf-devel |
||||
BuildRequires: git openssl-devel openssl |
||||
BuildRequires: pesign >= %{pesign_vre} |
||||
BuildRequires: dos2unix findutils |
||||
|
||||
# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not |
||||
# compatible with SysV (there's no red zone under UEFI) and there isn't a |
||||
# POSIX-style C library. |
||||
# BuildRequires: OpenSSL |
||||
Provides: bundled(openssl) = %{openssl_vre} |
||||
|
||||
%global desc \ |
||||
Initial UEFI bootloader that handles chaining to a trusted full \ |
||||
bootloader under secure boot environments. |
||||
%global debug_desc \ |
||||
This package provides debug information for package %{expand:%%{name}} \ |
||||
Debug information is useful when developing applications that \ |
||||
use this package or when debugging this package. |
||||
|
||||
%description |
||||
%desc |
||||
|
||||
%package -n shim-unsigned-%{efialtarch} |
||||
Summary: First-stage UEFI bootloader (unsigned data) |
||||
Provides: bundled(openssl) = %{openssl_vre} |
||||
|
||||
%description -n shim-unsigned-%{efialtarch} |
||||
%desc |
||||
|
||||
%package debuginfo |
||||
Summary: Debug information for shim-unsigned-%{efiarch} |
||||
Group: Development/Debug |
||||
AutoReqProv: 0 |
||||
BuildArch: noarch |
||||
|
||||
%description debuginfo |
||||
%debug_desc |
||||
|
||||
%package -n shim-unsigned-%{efialtarch}-debuginfo |
||||
Summary: Debug information for shim-unsigned-%{efialtarch} |
||||
Group: Development/Debug |
||||
AutoReqProv: 0 |
||||
BuildArch: noarch |
||||
|
||||
%description -n shim-unsigned-%{efialtarch}-debuginfo |
||||
%debug_desc |
||||
|
||||
%package debugsource |
||||
Summary: Debug Source for shim-unsigned |
||||
Group: Development/Debug |
||||
AutoReqProv: 0 |
||||
BuildArch: noarch |
||||
|
||||
%description debugsource |
||||
%debug_desc |
||||
|
||||
%prep |
||||
%autosetup -S git_am -n shim-%{version} |
||||
git config --unset user.email |
||||
git config --unset user.name |
||||
mkdir build-%{efiarch} |
||||
mkdir build-%{efialtarch} |
||||
cp %{SOURCE3} data/ |
||||
|
||||
%build |
||||
COMMITID=$(cat commit) |
||||
MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} " |
||||
MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} " |
||||
MAKEFLAGS+="ENABLE_SHIM_HASH=true " |
||||
MAKEFLAGS+="%{_smp_mflags}" |
||||
if [ -f "%{SOURCE1}" ]; then |
||||
MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}" |
||||
fi |
||||
%if 0%{?dbxfile} |
||||
if [ -f "%{SOURCE2}" ]; then |
||||
MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}" |
||||
fi |
||||
%endif |
||||
|
||||
cd build-%{efiarch} |
||||
make ${MAKEFLAGS} \ |
||||
DEFAULT_LOADER='\\\\grub%{efiarch}.efi' \ |
||||
all |
||||
cd .. |
||||
|
||||
%install |
||||
COMMITID=$(cat commit) |
||||
MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} " |
||||
MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} " |
||||
MAKEFLAGS+="ENABLE_SHIM_HASH=true " |
||||
if [ -f "%{SOURCE1}" ]; then |
||||
MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}" |
||||
fi |
||||
%if 0%{?dbxfile} |
||||
if [ -f "%{SOURCE2}" ]; then |
||||
MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}" |
||||
fi |
||||
%endif |
||||
|
||||
cd build-%{efiarch} |
||||
make ${MAKEFLAGS} \ |
||||
DEFAULT_LOADER='\\\\grub%{efiarch}.efi' \ |
||||
DESTDIR=${RPM_BUILD_ROOT} \ |
||||
install-as-data install-debuginfo install-debugsource |
||||
cd .. |
||||
|
||||
%files |
||||
%license COPYRIGHT |
||||
%dir %{shimrootdir} |
||||
%dir %{shimversiondir} |
||||
%dir %{shimdir} |
||||
%{shimdir}/*.efi |
||||
%{shimdir}/*.hash |
||||
%{shimdir}/*.CSV |
||||
|
||||
%files debuginfo -f build-%{efiarch}/debugfiles.list |
||||
|
||||
%files debugsource -f build-%{efiarch}/debugsource.list |
||||
|
||||
%changelog |
||||
* Wed Jun 01 2022 Peter Jones <pjones@redhat.com> - 15.6-1.el9 |
||||
- Update to shim-15.6 |
||||
Resolves: CVE-2022-28737 |
||||
|
||||
* Wed Mar 09 2022 Peter Jones <pjones@redhat.com> - 15.5-1 |
||||
- Update to shim-15.5 |
||||
Related: rhbz#1932057 |
||||
|
||||
* Thu Apr 01 2021 Peter Jones <pjones@redhat.com> - 15.4-4 |
||||
- Fix the sbat data to actually match /this/ product. |
||||
Resolves: CVE-2020-14372 |
||||
Resolves: CVE-2020-25632 |
||||
Resolves: CVE-2020-25647 |
||||
Resolves: CVE-2020-27749 |
||||
Resolves: CVE-2020-27779 |
||||
Resolves: CVE-2021-20225 |
||||
Resolves: CVE-2021-20233 |
||||
|
||||
* Wed Mar 31 2021 Peter Jones <pjones@redhat.com> - 15.4-3 |
||||
- Build with the correct certificate trust list for this OS. |
||||
Resolves: CVE-2020-14372 |
||||
Resolves: CVE-2020-25632 |
||||
Resolves: CVE-2020-25647 |
||||
Resolves: CVE-2020-27749 |
||||
Resolves: CVE-2020-27779 |
||||
Resolves: CVE-2021-20225 |
||||
Resolves: CVE-2021-20233 |
||||
|
||||
* Wed Mar 31 2021 Peter Jones <pjones@redhat.com> - 15.4-2 |
||||
- Fix the ia32 build. |
||||
Resolves: CVE-2020-14372 |
||||
Resolves: CVE-2020-25632 |
||||
Resolves: CVE-2020-25647 |
||||
Resolves: CVE-2020-27749 |
||||
Resolves: CVE-2020-27779 |
||||
Resolves: CVE-2021-20225 |
||||
Resolves: CVE-2021-20233 |
||||
|
||||
* Tue Mar 30 2021 Peter Jones <pjones@redhat.com> - 15.4-1 |
||||
- Update to shim 15.4 |
||||
- Support for revocations via the ".sbat" section and SBAT EFI variable |
||||
- A new unit test framework and a bunch of unit tests |
||||
- No external gnu-efi dependency |
||||
- Better CI |
||||
Resolves: CVE-2020-14372 |
||||
Resolves: CVE-2020-25632 |
||||
Resolves: CVE-2020-25647 |
||||
Resolves: CVE-2020-27749 |
||||
Resolves: CVE-2020-27779 |
||||
Resolves: CVE-2021-20225 |
||||
Resolves: CVE-2021-20233 |
||||
|
||||
* Wed Mar 24 2021 Peter Jones <pjones@redhat.com> - 15.3-0~1 |
||||
- Update to shim 15.3 |
||||
- Support for revocations via the ".sbat" section and SBAT EFI variable |
||||
- A new unit test framework and a bunch of unit tests |
||||
- No external gnu-efi dependency |
||||
- Better CI |
||||
Resolves: CVE-2020-14372 |
||||
Resolves: CVE-2020-25632 |
||||
Resolves: CVE-2020-25647 |
||||
Resolves: CVE-2020-27749 |
||||
Resolves: CVE-2020-27779 |
||||
Resolves: CVE-2021-20225 |
||||
Resolves: CVE-2021-20233 |
||||
|
||||
* Wed Jun 05 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-3 |
||||
- Make EFI variable copying fatal only on secureboot enabled systems |
||||
Resolves: rhbz#1715878 |
||||
- Fix booting shim from an EFI shell using a relative path |
||||
Resolves: rhbz#1717064 |
||||
|
||||
* Tue Feb 12 2019 Peter Jones <pjones@redhat.com> - 15-2 |
||||
- Fix MoK mirroring issue which breaks kdump without intervention |
||||
Related: rhbz#1668966 |
||||
|
||||
* Thu Apr 05 2018 Peter Jones <pjones@redhat.com> - 15-1 |
||||
- Update to shim 15 |
||||
- better checking for bad linker output |
||||
- flicker-free console if there's no error output |
||||
- improved http boot support |
||||
- better protocol re-installation |
||||
- dhcp proxy support |
||||
- tpm measurement even when verification is disabled |
||||
- REQUIRE_TPM build flag |
||||
- more reproducable builds |
||||
- measurement of everything verified through shim_verify() |
||||
- coverity and scan-build checker make targets |
||||
- misc cleanups |
||||
|
||||
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 13-0.2 |
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild |
||||
|
||||
* Fri Aug 18 2017 Peter Jones <pjones@redhat.com> - 13-0.1 |
||||
- Make a new shim-unsigned-x64 package like the shim-unsigned-aarch64 one. |
||||
- This will (eventually) supersede what's in the "shim" package so we can |
||||
make "shim" hold the signed one, which will confuse fewer people. |
||||
Loading…
Reference in new issue