Rework the .spec to use efi-rpm-macros.

Signed-off-by: Peter Jones <pjones@redhat.com>
Peter Jones 2018-05-04 14:22:38 -04:00
parent 595703b86e
commit a8752f8f14
2 changed files with 224 additions and 183 deletions

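--- a/shim.rpmmacros
+++ b/shim.rpmmacros
@@ -0,0 +1,170 @@
+%global debug_package %{nil}
+%global __brp_mangle_shebangs_exclude_from_file %{expand:%{_builddir}/shim-%{efi_arch}-%{version}-%{release}.%{_target_cpu}-shebangs.txt}
+%global vendor_token_str %{expand:%%{nil}%%{?vendor_token_name:-t "%{vendor_token_name}"}}
+%global vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}}
+%global bootcsvaa64 %{expand:%{SOURCE10}}
+%global bootcsvia32 %{expand:%{SOURCE11}}
+%global bootcsvx64 %{expand:%{SOURCE12}}
+#%%global bootcsvarm %%{expand:%%{SOURCE13}}
+%global shimefiaa64 %{expand:%{SOURCE20}}
+%global shimefiia32 %{expand:%{SOURCE21}}
+%global shimefix64 %{expand:%{SOURCE22}}
+#%%global shimefiarm %%{expand:%%{SOURCE23}
+%global shimveraa64 15-1.fc28
+%global shimveria32 15-1.fc28
+%global shimverx64 15-1.fc28
+#%%global shimverarm 15-1.fc28
+%global shimdiraa64 %{_datadir}/shim/%{shimveraa64}/aa64
+%global shimdiria32 %{_datadir}/shim/%{shimveria32}/ia32
+%global shimdirx64 %{_datadir}/shim/%{shimverx64}/x64
+#%%global shimdirarm %%{_datadir}/shim/%%{shimverarm}/arm
+%global bootcsv %{expand:%{bootcsv%{efi_arch}}}
+%global bootcsvalt %{expand:%{bootcsv%{?efi_alt_arch}}}
+%global shimefi %{expand:%{shimefi%{efi_arch}}}
+%global shimefialt %{expand:%{shimefi%{?efi_alt_arch}}}
+%global shimver %{expand:%{shimver%{efi_arch}}}
+%global shimveralt %{expand:%{shimver%{?efi_alt_arch}}}
+%global shimdir %{expand:%{shimdir%{efi_arch}}}
+%global shimdiralt %{expand:%{shimdir%{?efi_alt_arch}}}
+%ifarch aarch64
+%global unsignedarch aarch64
+%else
+%global unsignedarch %{efi_arch}
+%endif
+%global unsignedarchalt %{?efi_alt_arch}%{nil}
+%global unsigned shim-unsigned-%{?unsignedarch}%{nil}
+%global unsignedalt shim-unsigned-%{?unsignedarchalt}%{nil}
+%define define_pkg(a:p:) \
+%{expand:%%package -n shim-%{-a*}} \
+Summary: First-stage UEFI bootloader \
+Requires: mokutil >= 1:0.2.0-1 \
+Provides: shim-signed-%{-a*} = %{version}-%{release} \
+Requires: dbxtool >= 0.6-3 \
+%{expand:%%if 0%%{-p*} \
+Provides: shim = %{version}-%{release} \
+Provides: shim-signed = %{version}-%{release} \
+Obsoletes: shim-signed < %{version}-%{release} \
+Obsoletes: shim < %{version}-%{release} \
+%%endif} \
+# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI \
+# is not compatible with SysV (there's no red zone under UEFI) and \
+# there isn't a POSIX-style C library. \
+# BuildRequires: OpenSSL \
+Provides: bundled(openssl) = 1.0.2j \
+\
+%{expand:%%description -n shim-%{-a*}} \
+Initial UEFI bootloader that handles chaining to a trusted full \
+bootloader under secure boot environments. This package contains the \
+version signed by the UEFI signing service. \
+%{nil}
+# -a <efiarch>
+# -i <input>
+%define hash(a:i:d:) \
+pesign -i %{-i*} -h -P > shim.hash \
+read file0 hash0 < shim.hash \
+read file1 hash1 < %{-d*}/shim%{-a*}.hash \
+if ! [ "$hash0" = "$hash1" ]; then \
+echo Invalid signature\! > /dev/stderr \
+echo $hash0 vs $hash1 \
+exit 1 \
+fi \
+%{nil}
+# -i <input>
+# -o <output>
+%define sign(i:o:) \
+%{expand:%%pesign -s -i %{-i*} -o %{-o*}} \
+%{nil}
+# -b <binary prefix>
+# -a <efiarch>
+# -i <input>
+%define distrosign(b:a:d:) \
+cp -av %{-d*}/%{-b*}%{-a*}.efi %{-b*}%{-a*}-unsigned.efi \
+%{expand:%%sign -i %{-b*}%{-a*}-unsigned.efi -o %{-b*}%{-a*}-signed.efi}\
+%{nil}
+# -a <efiarch>
+# -A <EFIARCH>
+# -b <1|0> # signed by this builder?
+# -c <1|0> # signed by UEFI CA?
+# -i <shimARCH.efi>
+%define define_build(a:A:b:c:i:d:) \
+if [ "%{-c*}" = "yes" ]; then \
+%{expand:%%hash -i %{-i*} -a %{-a*} -d %{-d*}} \
+fi \
+cp %{-i*} shim%{-a*}.efi \
+if [ "%{-b*}" = "yes" ]; then \
+%{expand:%%distrosign -b shim -a %{-a*} -d %{-d*}} \
+mv shim%{-a*}-signed.efi shim%{-a*}-%{efi_vendor}.efi \
+fi \
+if [ "%{-c*}" = "no" ]; then \
+cp shim%{-a*}-%{efi_vendor}.efi shim%{-a*}.efi \
+fi \
+%{expand:%%distrosign -b mm -a %{-a*} -d %{-d*}} \
+mv mm%{-a*}-signed.efi mm%{-a*}.efi \
+%{expand:%%distrosign -b fb -a %{-a*} -d %{-d*}} \
+mv fb%{-a*}-signed.efi fb%{-a*}.efi \
+rm -vf \\\
+mm%{-a*}-unsigned.efi \\\
+fb%{-a*}-unsigned.efi \\\
+shim%{-a*}-unsigned.efi \
+%{nil}
+# -a <efiarch>
+# -A <EFIARCH>
+# -b <BOOTCSV>
+%define do_install(a:A:b:) \
+install -m 0700 shim%{-a*}.efi \\\
+$RPM_BUILD_ROOT%{efi_esp_dir}/shim%{-a*}.efi \
+install -m 0700 shim%{-a*}-%{efi_vendor}.efi \\\
+$RPM_BUILD_ROOT%{efi_esp_dir}/shim%{-a*}-%{efi_vendor}.efi \
+install -m 0700 mm%{-a*}.efi \\\
+$RPM_BUILD_ROOT%{efi_esp_dir}/mm%{-a*}.efi \
+install -m 0700 %{-b*} \\\
+$RPM_BUILD_ROOT%{efi_esp_dir}/BOOT%{-A*}.CSV \
+install -m 0700 shim%{-a*}.efi \\\
+$RPM_BUILD_ROOT%{efi_esp_boot}/BOOT%{-A*}.EFI \
+install -m 0700 fb%{-a*}.efi \\\
+$RPM_BUILD_ROOT%{efi_esp_boot}/fb%{-a*}.efi \
+%nil
+# -a <efiarch>
+# -A <EFIARCH>
+%define define_files(a:A:) \
+%{expand:%%files -n shim-%{-a*}} \
+%{efi_esp_dir}/*%{-a*}*.efi \
+%{efi_esp_dir}/BOOT%{-A*}.CSV \
+%{efi_esp_boot}/*%{-a*}.efi \
+%{efi_esp_boot}/*%{-A*}.EFI \
+%{nil}
+%ifarch x86_64
+%global is_signed yes
+%global is_alt_signed yes
+%global provide_legacy_shim 1
+%endif
+%ifarch aarch64
+%global is_signed no
+%global is_alt_signed no
+%global provide_legacy_shim 1
+%endif
+%ifnarch x86_64 aarch64
+%global is_signed no
+%global is_alt_signed no
+%global provide_legacy_shim 0
+%endif
+%if ! 0%{?vendor:1}
+%global vendor nopenopenope
+%endif
+# vim:filetype=rpmmacros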
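Review bot: The argument docs `# -b <1|0> # signed by this builder?` and `# -c <1|0> # signed by UEFI CA?` above define_build contradict the checks in the macro body, which compare against the literal strings "yes" and "no" (and every visible caller passes yes/no via is_signed and is_alt_signed), so a future caller following the comment and passing `-c 1` would silently skip the hash verification instead of failing. I would restore the old spec's wording, `# -b <yes|no> # signed by this builder?` and `# -c <yes|no> # signed by UEFI CA?`, and have the macro reject anything else up front, e.g. `case "%{-c*}" in yes|no) ;; *) echo "define_build: -c must be yes or no" >&2; exit 1 ;; esac \` as its first line. Separately, the hash macro's `echo Invalid signature\! > /dev/stderr` misdescribes what it checks: it compares the PE hash of the input against the hash recorded by the shim-unsigned build, which shows the CA-signed binary has the same content as the local build but says nothing about whether a signature is present or who issued it, so a message such as `echo "shim%{-a*}.efi hash $hash0 does not match %{-d*}/shim%{-a*}.hash ($hash1)" >&2` would be more accurate. It is also worth a comment that vendor_token_str and vendor_cert_str (which defaults to the "Red Hat Test Certificate" nickname) are defined here but not referenced by any macro in this file, so it is unclear from the file alone whether the distro-signing step honours them.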

shim.spec

@ -1,87 +1,51 @@
%global debug_package %{nil} # this is to make us only expand %%{dist} if we're on a modularity build.
# it's 2 macros make vim's \c not put a brace at the end of the changelog.
%global efidir %(eval echo $(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/'))
# this is literally to make vim's \c not put a brace at the end.
%global _dist %{expand:%{?_module_build:%%{?dist}}} %global _dist %{expand:%{?_module_build:%%{?dist}}}
%global dist %{expand:%%{_dist}} %global dist %{expand:%%{_dist}}
Name: shim Name: shim
Version: 15 Version: 15
Release: 4%{?dist} Release: 4.1%{?dist}
Summary: First-stage UEFI bootloader Summary: First-stage UEFI bootloader
License: BSD License: BSD
URL: http://github.com/rhboot/shim/ URL: https://github.com/rhboot/shim/
Requires: efi-filesystem
# Shim is only required on platforms implementing the UEFI secure boot ExclusiveArch: %{efi}
# protocol. The only one of those we currently wish to support is 64-bit x86. # but we don't build a .i686 package, just a shim-ia32.x86_64 package
# Adding further platforms will require adding appropriate relocation code. ExcludeArch: %{ix86}
ExclusiveArch: x86_64 aarch64 # and we don't have shim-unsigned-arm builds yet
ExcludeArch: %{arm}
Source0: shim.rpmmacros
# keep these two lists of sources synched up arch-wise. That is 0 and 10 # keep these two lists of sources synched up arch-wise. That is 0 and 10
# match, 1 and 11 match, ... # match, 1 and 11 match, ...
Source0: BOOTX64.CSV Source10: BOOTAA64.CSV
Source1: BOOTAA64.CSV Source20: shimaa64.efi
Source2: BOOTIA32.CSV Source11: BOOTIA32.CSV
Source21: shimia32.efi
Source12: BOOTX64.CSV
Source22: shimx64.efi
#Source13: BOOTARM.CSV
#Source23: shimarm.efi
Source10: shimaa64.efi %include %{SOURCE0}
Source11: shimia32.efi
Source12: shimx64.efi
#Source13: shimx64-signed.efi
%global shimverx64 15-1.fc28
%global shimveria32 15-1.fc28
%global shimveraa64 15-1.fc28
%ifarch x86_64
BuildRequires: shim-unsigned-x64 = %{shimverx64}
BuildRequires: shim-unsigned-ia32 = %{shimveria32}
%global shimdirx64 %{_datadir}/shim/%{shimverx64}/x64
%global shimdiria32 %{_datadir}/shim/%{shimveria32}/ia32
%endif
%ifarch aarch64
BuildRequires: shim-unsigned-aarch64 = %{shimveraa64}
%global shimdiraa64 %{_datadir}/shim/%{shimveraa64}/aa64
%endif
BuildRequires: pesign >= 0.112-20.fc27 BuildRequires: pesign >= 0.112-20.fc27
BuildRequires: efi-srpm-macros efi-filesystem BuildRequires: %{unsigned} = %{shimver}
%if %{efi_has_alt_arch}
BuildRequires: %{unsignedalt} = %{shimveralt}
%endif
%description %description
Initial UEFI bootloader that handles chaining to a trusted full bootloader Initial UEFI bootloader that handles chaining to a trusted full bootloader
under secure boot environments. This package contains the version signed by under secure boot environments. This package contains the version signed by
the UEFI signing service. the UEFI signing service.
%define define_pkg(a:p:) \ %define_pkg -a %{efi_arch} -p 1
%{expand:%%package -n shim-%{-a*}} \ %if %{efi_has_alt_arch}
Summary: First-stage UEFI bootloader \ %define_pkg -a %{efi_alt_arch}
Requires: mokutil >= 1:0.2.0-1 \
Requires: efi-filesystem \
Provides: shim-signed-%{-a*} = %{version}-%{release} \
Requires: dbxtool >= 0.6-3 \
%{expand:%%if 0%%{-p*} \
Provides: shim = %{version}-%{release} \
Provides: shim-signed = %{version}-%{release} \
Obsoletes: shim-signed < %{version}-%{release} \
Obsoletes: shim < %{version}-%{release} \
%%endif} \
# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI \
# is not compatible with SysV (there's no red zone under UEFI) and \
# there isn't a POSIX-style C library. \
# BuildRequires: OpenSSL \
Provides: bundled(openssl) = 1.0.2j \
\
%{expand:%%description -n shim-%{-a*}} \
Initial UEFI bootloader that handles chaining to a trusted full \
bootloader under secure boot environments. This package contains the \
version signed by the UEFI signing service. \
%{nil}
%ifarch x86_64
%define_pkg -a x64 -p 1
%define_pkg -a ia32
%endif
%ifarch aarch64
%define_pkg -a aa64 -p 1
%endif %endif
%prep %prep
@ -90,140 +54,47 @@ rm -rf shim-%{version}
mkdir shim-%{version} mkdir shim-%{version}
%build %build
%define vendor_token_str %{expand:%%{nil}%%{?vendor_token_name:-t "%{vendor_token_name}"}}
%define vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}}
# -a <efiarch>
# -i <input>
%define hash(a:i:d:) \
pesign -i %{-i*} -h -P > shim.hash \
read file0 hash0 < shim.hash \
read file1 hash1 < %{-d*}/shim%{-a*}.hash \
if ! [ "$hash0" = "$hash1" ]; then \
echo Invalid signature\! > /dev/stderr \
echo $hash0 vs $hash1 \
exit 1 \
fi \
%{nil}
# -i <input>
# -o <output>
%define sign(i:o:) \
%{expand:%%pesign -s -i %{-i*} -o %{-o*}} \
%{nil}
# -b <binary prefix>
# -a <efiarch>
# -i <input>
%define distrosign(b:a:d:) \
cp -av %{-d*}/%{-b*}%{-a*}.efi %{-b*}%{-a*}-unsigned.efi \
%{expand:%%sign -i %{-b*}%{-a*}-unsigned.efi -o %{-b*}%{-a*}-signed.efi}\
%{nil}
# -a <efiarch>
# -A <EFIARCH>
# -b <yes|no> # signed by this builder?
# -c <yes|no> # signed by UEFI CA?
# -i <shimARCH.efi>
%define define_build(a:A:b:c:i:d:) \
#if [ "%%{-c*}" = "yes" ]; then \
# %%{expand:%%%%hash -i %%{-i*} -a %%{-a*} -d %%{-d*}} \
#fi \
cp %{-i*} shim%{-a*}.efi \
if [ "%{-b*}" = "yes" ]; then \
%{expand:%%distrosign -b shim -a %{-a*} -d %{-d*}} \
mv shim%{-a*}-signed.efi shim%{-a*}-%{efidir}.efi \
fi \
if [ "%{-c*}" = "no" ]; then \
cp shim%{-a*}-%{efidir}.efi shim%{-a*}.efi \
fi \
%{expand:%%distrosign -b mm -a %{-a*} -d %{-d*}} \
mv mm%{-a*}-signed.efi mm%{-a*}.efi \
%{expand:%%distrosign -b fb -a %{-a*} -d %{-d*}} \
mv fb%{-a*}-signed.efi fb%{-a*}.efi \
rm -vf \\\
mm%{-a*}-unsigned.efi \\\
fb%{-a*}-unsigned.efi \\\
shim%{-a*}-unsigned.efi \
%{nil}
cd shim-%{version} cd shim-%{version}
%ifarch aarch64 %if %{efi_has_alt_arch}
%define_build -a aa64 -A AA64 -i %{SOURCE10} -b yes -c no -d %{shimdiraa64} %define_build -a %{efi_alt_arch} -A %{efi_alt_arch_upper} -i %{shimefialt} -b yes -c %{is_alt_signed} -d %{shimdiralt}
%endif
%ifarch x86_64
%define_build -a ia32 -A IA32 -i %{SOURCE11} -b yes -c yes -d %{shimdiria32}
%define_build -a x64 -A X64 -i %{SOURCE12} -b yes -c yes -d %{shimdirx64}
%endif %endif
%define_build -a %{efi_arch} -A %{efi_arch_upper} -i %{shimefi} -b yes -c %{is_signed} -d %{shimdir}
%install %install
# -a <efiarch>
# -A <EFIARCH>
# -b <BOOTCSV>
%define do_install(a:A:b:) \
install -m 0700 shim%{-a*}.efi \\\
$RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{-a*}.efi \
install -m 0700 shim%{-a*}-%{efidir}.efi \\\
$RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{-a*}-%{efidir}.efi \
install -m 0700 mm%{-a*}.efi \\\
$RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/mm%{-a*}.efi \
install -m 0700 %{-b*} \\\
$RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT%{-A*}.CSV \
install -m 0700 shim%{-a*}.efi \\\
$RPM_BUILD_ROOT/boot/efi/EFI/BOOT/BOOT%{-A*}.EFI \
install -m 0700 fb%{-a*}.efi \\\
$RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fb%{-a*}.efi \
%nil
rm -rf $RPM_BUILD_ROOT rm -rf $RPM_BUILD_ROOT
cd shim-%{version} cd shim-%{version}
install -D -d -m 0755 $RPM_BUILD_ROOT/boot/ install -D -d -m 0755 $RPM_BUILD_ROOT/boot/
install -D -d -m 0700 $RPM_BUILD_ROOT/boot/efi/ install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_root}/
install -D -d -m 0700 $RPM_BUILD_ROOT/boot/efi/EFI/ install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_efi}/
install -D -d -m 0700 $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/ install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_dir}/
install -D -d -m 0700 $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/ install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_boot}/
%ifarch x86_64 %do_install -a %{efi_arch} -A %{efi_arch_upper} -b %{bootcsv}
%do_install -a x64 -A X64 -b %{SOURCE0} %if %{efi_has_alt_arch}
%do_install -a ia32 -A IA32 -b %{SOURCE2} %do_install -a %{efi_alt_arch} -A %{efi_alt_arch_upper} -b %{bootcsvalt}
install -m 0700 %{SOURCE2} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT.CSV
install -m 0700 $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/mmx64.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/MokManager.efi
install -m 0700 $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fbx64.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fallback.efi
install -m 0700 %{SOURCE12} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim.efi
#install -m 0700 %%{SOURCE13} $RPM_BUILD_ROOT/boot/efi/EFI/%%{efidir}/shim.efi
#install -m 0700 %%{SOURCE13} $RPM_BUILD_ROOT/boot/efi/EFI/%%{efidir}/shimx64.efi
#install -m 0700 %%{SOURCE13} $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/BOOTX64.EFI
%endif
%ifarch aarch64
%do_install -a aa64 -A AA64 -b %{SOURCE1}
install -m 0700 %{SOURCE10} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim.efi
%endif %endif
# -a <efiarch> %if %{provide_legacy_shim}
# -A <EFIARCH> install -m 0700 %{shimefi} $RPM_BUILD_ROOT%{efi_esp_dir}/shim.efi
%define define_files(a:A:) \
%{expand:%%files -n shim-%{-a*}} \
/boot/efi/EFI/%{efidir}/*%{-a*}*.efi \
/boot/efi/EFI/%{efidir}/BOOT%{-A*}.CSV \
/boot/efi/EFI/BOOT/*%{-a*}.efi \
/boot/efi/EFI/BOOT/*%{-A*}.EFI \
%{nil}
%ifarch x86_64
%define_files -a x64 -A X64
/boot/efi/EFI/%{efidir}/BOOT.CSV
/boot/efi/EFI/%{efidir}/MokManager.efi
/boot/efi/EFI/%{efidir}/shim.efi
/boot/efi/EFI/BOOT/fallback.efi
%define_files -a ia32 -A IA32
%endif %endif
%ifarch aarch64
%define_files -a aa64 -A AA64 ( cd $RPM_BUILD_ROOT ; find .%{efi_esp_root} -type f ) \
/boot/efi/EFI/%{efidir}/shim.efi | sed -e 's/\./\^/' -e 's,^\\\./,.*/,' -e 's,$,$,' > %{__brp_mangle_shebangs_exclude_from_file}
%define_files -a %{efi_arch} -A %{efi_arch_upper}
%if %{efi_has_alt_arch}
%define_files -a %{efi_alt_arch} -A %{efi_alt_arch_upper}
%endif
%if %{provide_legacy_shim}
%{efi_esp_dir}/shim.efi
%endif %endif
%changelog %changelog
* Fri May 04 2018 Peter Jones <pjones@redhat.com> - 15-4.1
- Rework the .spec to use efi-rpm-macros.
* Fri May 04 2018 Peter Jones <pjones@redhat.com> - 15-4 * Fri May 04 2018 Peter Jones <pjones@redhat.com> - 15-4
- Fix directory permissions to be 0700 on FAT filesystems - Fix directory permissions to be 0700 on FAT filesystems