From 1981b64dc3fc5145b0d4a09e94c9259ff90981b5 Mon Sep 17 00:00:00 2001
From: Sandro Bonazzola <sbonazzo@redhat.com>
Date: Fri, 9 Jun 2023 15:04:28 +0200
Subject: [PATCH] Fixes permissions on /boot/efi/EFI

Resolves: rhbz#2144459

Signed-off-by: Sandro Bonazzola <sbonazzo@redhat.com>
---
 ...efile-fix-permission-on-boot-efi-EFI.patch | 29 +++++++++++++++++++
 efi-rpm-macros.spec                           |  7 ++++-
 2 files changed, 35 insertions(+), 1 deletion(-)
 create mode 100644 0002-Makefile-fix-permission-on-boot-efi-EFI.patch

diff --git a/0002-Makefile-fix-permission-on-boot-efi-EFI.patch b/0002-Makefile-fix-permission-on-boot-efi-EFI.patch
new file mode 100644
index 0000000..a8635f9
--- /dev/null
+++ b/0002-Makefile-fix-permission-on-boot-efi-EFI.patch
@@ -0,0 +1,29 @@
+From 110b9c24200ff90c5d09cc2bf41df728810a0e0e Mon Sep 17 00:00:00 2001
+From: Sandro Bonazzola <sbonazzo@redhat.com>
+Date: Wed, 3 May 2023 11:20:36 +0200
+Subject: [PATCH] Makefile: fix permission on /boot/efi/EFI
+
+Ensure /boot/efi/EFI is created with 0700 mode.
+
+Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=2144459
+
+Signed-off-by: Sandro Bonazzola <sbonazzo@redhat.com>
+---
+ Makefile | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/Makefile b/Makefile
+index 7d56eae..37e97a5 100644
+--- a/Makefile
++++ b/Makefile
+@@ -65,6 +65,7 @@ install : $(TARGETS)
+ 		install -d -m 0755 $(DESTDIR)/boot ; \
+ 	fi
+ 	install -d -m 0700 $(DESTDIR)/$(EFI_ESP_ROOT)
++	install -d -m 0700 $(DESTDIR)/$(EFI_ESP_ROOT)/EFI
+ 	install -d -m 0700 $(DESTDIR)/$(EFI_ESP_ROOT)/EFI/BOOT
+ 	install -d -m 0700 $(DESTDIR)/$(EFI_ESP_ROOT)/EFI/$(EFI_VENDOR)
+ 
+-- 
+2.40.1
+
diff --git a/efi-rpm-macros.spec b/efi-rpm-macros.spec
index 2378c30..3b673fd 100644
--- a/efi-rpm-macros.spec
+++ b/efi-rpm-macros.spec
@@ -1,7 +1,7 @@
 Summary: Common RPM Macros for building EFI-related packages
 Name: efi-rpm-macros
 Version: 5
-Release: 7%{?dist}
+Release: 8%{?dist}
 License: GPLv3+
 URL: https://github.com/rhboot/%{name}/
 BuildRequires: git sed
@@ -11,6 +11,7 @@ BuildArch: noarch
 Source0: https://github.com/rhboot/%{name}/releases/download/%{version}/%{name}-5.tar.bz2
 
 Patch0001: 0001-Don-t-have-arm-as-an-alt-arch-of-aarch64.patch
+Patch0002: 0002-Makefile-fix-permission-on-boot-efi-EFI.patch
 
 %global debug_package %{nil}
 %global _efi_vendor_ %(eval echo $(sed -n -e 's/rhel/redhat/' -e 's/^ID=//p' /etc/os-release))
@@ -68,6 +69,10 @@ git config --local --add efi.arches "x86_64 aarch64 %{arm} %{ix86}"
 %dir /boot/efi/EFI/%{_efi_vendor_}
 
 %changelog
+* Fri Jun 09 2023 Sandro Bonazzola <sbonazzo@redhat.com> - 5-8
+- Fixes permissions on /boot/efi/EFI
+- Resolves: rhbz#2144459
+
 * Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 5-7
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild