Require gnu-efi-3.0q for now.

- Don't allow mmx or sse during compilation. - Re-organize this so all real signing happens in shim-signed instead. - Split out mokutil
2013-06-07 16:56:37 -04:00 · 2013-06-07 16:56:37 -04:00 · 6e8ffa5826
commit 6e8ffa5826
parent fca313b4db
1 changed files with 19 additions and 17 deletions
--- a/shim.spec
+++ b/shim.spec
@ -25,11 +25,11 @@ Source3:	dbx.esl
 Patch0:		0001-Fix-grub-path.patch
 Patch1:		0001-Don-t-use-MMX-and-SSE-registers-they-aren-t-initiali.patch
 Patch2:		mokutil-correct-moklistrt-size.patch
-Patch3:		0001-EFI_PXE_BASE_CODE_DHCPV6_PACKET-is-in-gnu-efi-3.0t.patch
+#Patch3:		0001-EFI_PXE_BASE_CODE_DHCPV6_PACKET-is-in-gnu-efi-3.0t.patch

 BuildRequires: gnu-efi git openssl-devel openssl
-BuildRequires: pesign >= 0.104-1
-BuildRequires: gnu-efi >= 3.0t
+BuildRequires: pesign >= 0.106-1
+BuildRequires: gnu-efi = 3.0q

 # Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
 # compatible with SysV (there's no red zone under UEFI) and there isn't a
@ -61,6 +61,12 @@ Summary: First-stage UEFI bootloader (unsigned data)
 Initial UEFI bootloader that handles chaining to a trusted full bootloader
 under secure boot environments.

+%package -n mokutil
+Summary: Utilities for managing Secure Boot/MoK keys.
+
+%description -n mokutil
+Utilities for managing the "Machine's Own Keys" list.
+
 %prep
 %setup -q -n shim-%{version}
 %setup -q -a 2 -D -T
@ -72,10 +78,6 @@ git commit -a -q -m "%{version} baseline."
 git am %{patches} </dev/null

 %build
-%define vendor_token_str %{expand:%%{nil}%%{?vendor_token_name:-t "%{vendor_token_name}"}}
-%define vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}}
-#pesign %{vendor_token_str} %{vendor_cert_str} -C vendor.cer
-
 MAKEFLAGS=""
 if [ -f "%{SOURCE1}" ]; then
 	MAKEFLAGS="VENDOR_CERT_FILE=%{SOURCE1}"
@ -88,13 +90,12 @@ cd ..

 %install
 rm -rf $RPM_BUILD_ROOT
-%pesign -s -i shim.efi -e shim.sig
+pesign -h -i shim.efi -h > shim.hash
 install -D -d -m 0755 $RPM_BUILD_ROOT%{_datadir}/shim/
 install -m 0644 shim.efi $RPM_BUILD_ROOT%{_datadir}/shim/shim.efi
-install -m 0644 shim.sig $RPM_BUILD_ROOT%{_datadir}/shim/shim.sig
-%pesign -s -i fallback.efi -o $RPM_BUILD_ROOT%{_datadir}/shim/fallback.efi
-install -D -d -m 0755 $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/
-%pesign -s -i MokManager.efi -o $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/MokManager.efi
+install -m 0644 shim.hash $RPM_BUILD_ROOT%{_datadir}/shim/shim.hash
+install -m 0644 fallback.efi $RPM_BUILD_ROOT%{_datadir}/shim/fallback.efi
+install -m 0644 MokManager.efi $RPM_BUILD_ROOT%{_datadir}/shim/MokManager.efi
 cd mokutil-%{mokutilver}
 make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install
 # now install our .debug files...
@ -102,22 +103,23 @@ cd ..
 install -D -d -m 0755 $RPM_BUILD_ROOT/usr/lib/debug/%{_datadir}/shim/
 install -m 0644 shim.efi.debug $RPM_BUILD_ROOT/usr/lib/debug/%{_datadir}/shim/shim.efi.debug
 install -m 0644 fallback.efi.debug $RPM_BUILD_ROOT/usr/lib/debug/%{_datadir}/shim/fallback.efi.debug
-install -D -d -m 0755 $RPM_BUILD_ROOT/usr/lib/debug/boot/efi/EFI/%{efidir}/MokManager.efi.debug
-
-%post
+install -m 0644 MokManager.efi.debug $RPM_BUILD_ROOT/usr/lib/debug/%{_datadir}/shim/MokManager.efi.debug

 %files -n shim-unsigned
 %doc
 %dir %{_datadir}/shim
-%dir /boot/efi/EFI/%{efidir}
 %{_datadir}/shim/*
-/boot/efi/EFI/%{efidir}/MokManager.efi
+
+%files -n mokutil
 /usr/bin/mokutil
 /usr/share/man/man1/mokutil.1.gz

 %changelog
 * Fri Jun 07 2013 Peter Jones <pjones@redhat.com> - 0.3-2
+- Require gnu-efi-3.0q for now.
 - Don't allow mmx or sse during compilation.
+- Re-organize this so all real signing happens in shim-signed instead.
+- Split out mokutil

 * Wed Dec 12 2012 Peter Jones <pjones@redhat.com> - 0.2-3
 - Fix mokutil's idea of signature sizes.