From 6e8ffa58260ed5a20df13d928fe7afd30b123c0e Mon Sep 17 00:00:00 2001
From: Peter Jones
Date: Fri, 7 Jun 2013 16:56:37 -0400
Subject: [PATCH] Require gnu-efi-3.0q for now. - Don't allow mmx or sse during compilation. - Re-organize this so all real signing happens in shim-signed instead. - Split out mokutil
---
 shim.spec | 36 +++++++++++++++++++-----------------
 1 file changed, 19 insertions(+), 17 deletions(-)
diff --git a/shim.spec b/shim.spec
index 420b79e..0df7275 100644
--- a/shim.spec
+++ b/shim.spec
@@ -25,11 +25,11 @@ Source3: dbx.esl
 Patch0: 0001-Fix-grub-path.patch
 Patch1: 0001-Don-t-use-MMX-and-SSE-registers-they-aren-t-initiali.patch
 Patch2: mokutil-correct-moklistrt-size.patch
-Patch3: 0001-EFI_PXE_BASE_CODE_DHCPV6_PACKET-is-in-gnu-efi-3.0t.patch
+#Patch3: 0001-EFI_PXE_BASE_CODE_DHCPV6_PACKET-is-in-gnu-efi-3.0t.patch
 BuildRequires: gnu-efi git openssl-devel openssl
-BuildRequires: pesign >= 0.104-1
-BuildRequires: gnu-efi >= 3.0t
+BuildRequires: pesign >= 0.106-1
+BuildRequires: gnu-efi = 3.0q
 # Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
 # compatible with SysV (there's no red zone under UEFI) and there isn't a
@@ -61,6 +61,12 @@ Summary: First-stage UEFI bootloader (unsigned data)
 Initial UEFI bootloader that handles chaining to a trusted full bootloader under secure boot environments.
+%package -n mokutil
+Summary: Utilities for managing Secure Boot/MoK keys.
+
+%description -n mokutil
+Utilities for managing the "Machine's Own Keys" list.
+
 %prep
 %setup -q -n shim-%{version}
 %setup -q -a 2 -D -T
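Review bot: The exact pin `BuildRequires: gnu-efi = 3.0q` and the commented-out `#Patch3:` line are coupled, but nothing in the spec records that. Judging by its file name, Patch3 only makes sense once gnu-efi 3.0t is the build dependency, so whoever lifts the pin has to re-enable the patch in the same change. A comment above the pin such as `# gnu-efi pinned to 3.0q for now; re-enable Patch3 when moving to >= 3.0t` would capture this. The unversioned `gnu-efi` in the preceding `BuildRequires: gnu-efi git openssl-devel openssl` line is now redundant and could be dropped, which leaves a single explicit toolchain requirement for a build whose output is later hashed and signed.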
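Review bot: The new `%package -n mokutil` declares no relation to the package that carried `/usr/bin/mokutil` before the split. The changelog's 0.2-3 entry suggests mokutil already shipped in an earlier build, and the `%files` change in a later hunk moves it out of `shim-unsigned`. An upgrade would therefore likely leave machines without the tool used to manage the MoK list unless something else pulls the new package in. If that is not intended, an `Obsoletes:`/`Requires:` relation or an explicit changelog note would cover it. Separately, rpmlint normally flags the trailing period in `Summary:`.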
@@ -72,10 +78,6 @@ git commit -a -q -m "%{version} baseline." git am %{patches} shim.hash install -D -d -m 0755 $RPM_BUILD_ROOT%{_datadir}/shim/ install -m 0644 shim.efi $RPM_BUILD_ROOT%{_datadir}/shim/shim.efi -install -m 0644 shim.sig $RPM_BUILD_ROOT%{_datadir}/shim/shim.sig -%pesign -s -i fallback.efi -o $RPM_BUILD_ROOT%{_datadir}/shim/fallback.efi -install -D -d -m 0755 $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/ -%pesign -s -i MokManager.efi -o $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/MokManager.efi +install -m 0644 shim.hash $RPM_BUILD_ROOT%{_datadir}/shim/shim.hash +install -m 0644 fallback.efi $RPM_BUILD_ROOT%{_datadir}/shim/fallback.efi +install -m 0644 MokManager.efi $RPM_BUILD_ROOT%{_datadir}/shim/MokManager.efi cd mokutil-%{mokutilver} make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install # now install our .debug files... @@ -102,22 +103,23 @@ cd .. install -D -d -m 0755 $RPM_BUILD_ROOT/usr/lib/debug/%{_datadir}/shim/ install -m 0644 shim.efi.debug $RPM_BUILD_ROOT/usr/lib/debug/%{_datadir}/shim/shim.efi.debug install -m 0644 fallback.efi.debug $RPM_BUILD_ROOT/usr/lib/debug/%{_datadir}/shim/fallback.efi.debug -install -D -d -m 0755 $RPM_BUILD_ROOT/usr/lib/debug/boot/efi/EFI/%{efidir}/MokManager.efi.debug - -%post +install -m 0644 MokManager.efi.debug $RPM_BUILD_ROOT/usr/lib/debug/%{_datadir}/shim/MokManager.efi.debug %files -n shim-unsigned %doc %dir %{_datadir}/shim -%dir /boot/efi/EFI/%{efidir} %{_datadir}/shim/* -/boot/efi/EFI/%{efidir}/MokManager.efi + +%files -n mokutil /usr/bin/mokutil /usr/share/man/man1/mokutil.1.gz %changelog * Fri Jun 07 2013 Peter Jones - 0.3-2 +- Require gnu-efi-3.0q for now. - Don't allow mmx or sse during compilation. +- Re-organize this so all real signing happens in shim-signed instead. +- Split out mokutil * Wed Dec 12 2012 Peter Jones - 0.2-3 - Fix mokutil's idea of signature sizes.
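Review bot: The three added `install -m 0644` lines now put `fallback.efi` and `MokManager.efi` unsigned into `%{_datadir}/shim/`, but nothing in the install section says they are inputs for signing rather than bootable artifacts. A short comment above those lines, for example `# Unsigned on purpose: signing happens in shim-signed`, would keep a later packager from copying them to `/boot/efi` directly. The page appears to have lost text between `git am %{patches}` and `shim.hash`, probably including a hunk header, so how `shim.hash` is produced cannot be reviewed here. It is worth confirming that it is computed from the exact `shim.efi` installed on the preceding line, since the signing package presumably relies on it to match the signed binary.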