From 4f5f869d14a8c70f10e323e6b5afe0b83da6e574 Mon Sep 17 00:00:00 2001
From: Peter Jones
Date: Tue, 6 Apr 2021 10:32:53 -0400
Subject: [PATCH] Update to shim 15.4

- Support for revocations via the ".sbat" section and SBAT EFI variable
- A new unit test framework and a bunch of unit tests
- No external gnu-efi dependency
- Better CI
- No more "shim*-fedora.efi", as a second safety to avoid system vendors setting up the scenario for CVE-2020-15705
- enable (unsigned) arm v6 building as an aarch64 subpackage.

Resolves: CVE-2020-14372
Resolves: CVE-2020-25632
Resolves: CVE-2020-25647
Resolves: CVE-2020-27749
Resolves: CVE-2020-27779
Resolves: CVE-2021-20225
Resolves: CVE-2021-20233

Signed-off-by: Peter Jones
---
 shim.rpmmacros | 30 +++++++++++++++++-------------
 shim.spec | 24 +++++++++++++++++++-----
 sources | 7 ++++---
 3 files changed, 40 insertions(+), 21 deletions(-)

diff --git a/shim.rpmmacros b/shim.rpmmacros
index 7f16023..4e38a42 100644
--- a/shim.rpmmacros
+++ b/shim.rpmmacros
@@ -3,30 +3,33 @@
 %global vendor_token_str %{expand:%%{nil}%%{?vendor_token_name:-t "%{vendor_token_name}"}}
 %global vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}}
+%global grub_version 2.06~rc1
+%global fwupd_version 1.5.8
+
 %global bootcsvaa64 %{expand:%{SOURCE10}}
+%global bootcsvarm %{expand:%{SOURCE13}}
 %global bootcsvia32 %{expand:%{SOURCE11}}
 %global bootcsvx64 %{expand:%{SOURCE12}}
-#%%global bootcsvarm %%{expand:%%{SOURCE13}}
 %global shimefiaa64 %{expand:%{SOURCE20}}
+%global shimefiarm %{expand:%{SOURCE23}}
 %global shimefiia32 %{expand:%{SOURCE21}}
 %global shimefix64 %{expand:%{SOURCE22}}
-#%%global shimefiarm %%{expand:%%{SOURCE23}
-%global shimveraa64 15-1.fc28
-%global shimveria32 15-1.fc28
-%global shimverx64 15-1.fc28
-#%%global shimverarm 15-1.fc28
+%global shimveraa64 15.4-1.fc34
+%global shimverarm 15.4-1.fc34
+%global shimveria32 15.4-2.fc32
+%global shimverx64 15.4-2.fc32
 %global shimdiraa64 %{_datadir}/shim/%{shimveraa64}/aa64
+%global shimdirarm %{_datadir}/shim/%{shimverarm}/arm
 %global shimdiria32 %{_datadir}/shim/%{shimveria32}/ia32
 %global shimdirx64 %{_datadir}/shim/%{shimverx64}/x64
-#%%global shimdirarm %%{_datadir}/shim/%%{shimverarm}/arm
 %global unsignedaa64 shim-unsigned-aarch64
+%global unsignedarm shim-unsigned-arm
 %global unsignedia32 shim-unsigned-ia32
 %global unsignedx64 shim-unsigned-x64
-#%%global unsignedarm shim-unsigned-arm
 %global bootcsv %{expand:%{bootcsv%{efi_arch}}}
 %global bootcsvalt %{expand:%{bootcsv%{?efi_alt_arch}}}
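Review bot: `%global grub_version 2.06~rc1` and `%global fwupd_version 1.5.8` are introduced without a comment on why those exact floors were chosen, although they are consumed as Requires/Conflicts floors in the `@@ -44,10 +47,13 @@` hunk of the same file, so a later bump has nothing to go on. Presumably they are the first grub2 and fwupd releases carrying an `.sbat` section that shim 15.4's SBAT revocation accepts — if so, record it: `# lowest grub2/fwupd carrying a usable .sbat section; raise in step with the SBAT policy shim ships`. The `shimver*` values now also mix `15.4-2.fc32` (ia32, x64) with `15.4-1.fc34` (aa64, arm); if these deliberately name the unsigned builds that were submitted for signing rather than this package's own NVR, a one-line comment saying so would stop a later edit from "aligning" them and pointing `shimdir*` at directories that do not exist.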
@@ -44,10 +47,13 @@
 %define define_pkg(a:p:) \
 %{expand:%%package -n shim-%{-a*}} \
 Summary: First-stage UEFI bootloader \
-Requires: mokutil >= 1:0.2.0-1 \
+Requires: mokutil >= 1:0.3.0-15 \
 Requires: efi-filesystem \
 Provides: shim-signed-%{-a*} = %{version}-%{release} \
-Requires: dbxtool >= 0.6-3 \
+Requires: fwupd >= %{fwupd_version} \
+Conflicts: fwupd < %{fwupd_version} \
+Requires: grub2-efi-%{-a*} >= %{grub_version} \
+Conflicts: grub2-efi-%{-a*} < %{grub_version} \
 %{expand:%%if 0%%{-p*} \
 Provides: shim = %{version}-%{release} \
 Provides: shim-signed = %{version}-%{release} \
@@ -107,7 +113,7 @@ if [ "%{-b*}" = "yes" ]; then \
 %{expand:%%distrosign -b shim -a %{-a*} -d %{-d*}} \
 mv shim%{-a*}-signed.efi shim%{-a*}-%{efi_vendor}.efi \
 fi \
-if [ "%{-c*}" = "no" ]; then \
+if [ "%{-c*}" = "no" ] && [ "%{-b*}" = "yes" ]; then \
 cp shim%{-a*}-%{efi_vendor}.efi shim%{-a*}.efi \
 fi \
 %{expand:%%distrosign -b mm -a %{-a*} -d %{-d*}} \
@@ -126,8 +132,6 @@ rm -vf \\\
 %define do_install(a:A:b:) \
 install -m 0700 shim%{-a*}.efi \\\
 $RPM_BUILD_ROOT%{efi_esp_dir}/shim%{-a*}.efi \
-install -m 0700 shim%{-a*}-%{efi_vendor}.efi \\\
- $RPM_BUILD_ROOT%{efi_esp_dir}/shim%{-a*}-%{efi_vendor}.efi \
 install -m 0700 mm%{-a*}.efi \\\
 $RPM_BUILD_ROOT%{efi_esp_dir}/mm%{-a*}.efi \
 install -m 0700 %{-b*} \\\
diff --git a/shim.spec b/shim.spec
index 32a0770..fda0a97 100644
--- a/shim.spec
+++ b/shim.spec
@@ -4,8 +4,8 @@
 %global dist %{expand:%%{_dist}}
 Name: shim
-Version: 15
-Release: 8%{?dist}
+Version: 15.4
+Release: 2%{?dist}
 Summary: First-stage UEFI bootloader
 License: BSD
 URL: https://github.com/rhboot/shim/
@@ -15,7 +15,7 @@ BuildRequires: efi-srpm-macros >= 3-2
 ExclusiveArch: %{efi}
 # but we don't build a .i686 package, just a shim-ia32.x86_64 package
 ExcludeArch: %{ix86}
-# and we don't have shim-unsigned-arm builds *yet*
+# but we don't build a .arm package, just a shim-arm.aarch64 package
 ExcludeArch: %{arm}
 Source0: shim.rpmmacros
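Review bot: In the `@@ -107,7 +113,7 @@` hunk the `cp shim%{-a*}-%{efi_vendor}.efi shim%{-a*}.efi` step is now gated on `-b yes`, yet both `%define_build` calls in shim.spec (its `@@ -69,9 +69,9 @@` hunk) pass `-b no` and the `@@ -126,8 +132,6 @@` hunk drops the install of the vendor-named file, so the `%distrosign -b shim` / `mv … shim%{-a*}-%{efi_vendor}.efi` branch is dead in this package and is only one spec token away from being switched back on. The commit message gives dropping `shim*-fedora.efi` as a second safety against CVE-2020-15705, so that intent belongs next to the switch rather than only in the log; above the macro definition this hunk sits in (presumably `%define define_build`, which starts outside the hunk) add `# -b yes re-creates shim<arch>-<vendor>.efi; keep it "no" — see the CVE-2020-15705 note in the 15.4 changelog`. Removing the branch outright would make the safety structural instead of a convention. With `-b no` and `-c no`, whatever produces `shim%{-a*}.efi` lives in the part of the macro outside this hunk, so I cannot confirm the unsigned path from here.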
@@ -69,9 +69,9 @@ mkdir shim-%{version}
 cd shim-%{version}
 %if %{efi_has_alt_arch}
-%define_build -a %{efi_alt_arch} -A %{efi_alt_arch_upper} -i %{shimefialt} -b yes -c %{is_alt_signed} -d %{shimdiralt}
+%define_build -a %{efi_alt_arch} -A %{efi_alt_arch_upper} -i %{shimefialt} -b no -c %{is_alt_signed} -d %{shimdiralt}
 %endif
-%define_build -a %{efi_arch} -A %{efi_arch_upper} -i %{shimefi} -b yes -c %{is_signed} -d %{shimdir}
+%define_build -a %{efi_arch} -A %{efi_arch_upper} -i %{shimefi} -b no -c %{is_signed} -d %{shimdir}
 %install
 rm -rf $RPM_BUILD_ROOT
@@ -103,6 +103,20 @@ install -m 0700 %{shimefi} $RPM_BUILD_ROOT%{efi_esp_dir}/shim.efi
 %endif
 %changelog
+* Tue Apr 06 2021 Peter Jones - 15.4-2
+- Update to shim 15.4
+ - Support for revocations via the ".sbat" section and SBAT EFI variable
+ - A new unit test framework and a bunch of unit tests
+ - No external gnu-efi dependency
+ - Better CI
+ Resolves: CVE-2020-14372
+ Resolves: CVE-2020-25632
+ Resolves: CVE-2020-25647
+ Resolves: CVE-2020-27749
+ Resolves: CVE-2020-27779
+ Resolves: CVE-2021-20225
+ Resolves: CVE-2021-20233
+
 * Tue Oct 02 2018 Peter Jones - 15-8
 - Build a -8 because I can't tag -7 into f30 for pretty meh reasons.
diff --git a/sources b/sources
index 5849284..d2cdc0d 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,4 @@
-SHA512 (shimia32.efi) = e249199f91a97ea13554a1f0aa6eb4df228b3d604487dabb83e53172b79765015e3eb593c488a8edd24ec618fe4943313708405383cc28ae436ec48202d6300b
-SHA512 (shimx64.efi) = 52e08b6e1686b19fea9e8f8d8ca51d22bba252467ceaf6db6ead8dd2dca4a0b0b02e547e50ddf1cdee225b8785f8514f6baa846bdf1ea0bf994e772daf70f2c3
-SHA512 (shimaa64.efi) = 39aec528ac1999a980a2989089e12d5765a0a28f4452d22a7e325c3fb11ab48417a76d4eb2246963e72ab3166e2905ebf04637ee7977dc083253c7129fa0d672
+SHA512 (shimx64.efi) = 121317e73762348a6990f135094a50020820c5fa10e5eaf1f61eb27367106736036ed72ee13935a1db9bdd5161095c7714a2049f161259cf5e8209fa83471fe1
+SHA512 (shimia32.efi) = 7c196b19bfad52913cacc245108d7146db3d0b4ce531d31c3d9ae905be09975fc6830285be913b712a6f928e564ee9f4fefbc2bffa3834a09c705ede6b55b599
+SHA512 (shimaa64.efi) = 8888af983c5b5293db092aac1b6339d775fef79c28054c25a1e8e3fe4f2b28b31b672fcc07d29e4dbfdcdfc2493103c6c5a1a9d50cb4d4539d66ce7395b33913
+SHA512 (shimarm.efi) = c5ccb61fd3e0ea80076795052e069c4645e7a17dc28360cd0f914ad200fce73434135acf36d905594fd0993fa41e6ee80ecebda546a6a1a5ad3372e75cb1635b