Commit Graph

65 Commits

Author SHA1 Message Date
Peter Jones
f4bf84f7c5
Minor updates to fix some minor bugs.
- Mark signed shim packages as protected in dnf.
  Resolves: rhbz#1874541
- Conflict with older fwupd, but don't require it.
  Resolves: rhbz#1877751

Signed-off-by: Peter Jones <pjones@redhat.com>
2021-05-05 01:08:46 +02:00
Peter Jones
4f5f869d14
Update to shim 15.4
- Support for revocations via the ".sbat" section and SBAT EFI variable
- A new unit test framework and a bunch of unit tests
- No external gnu-efi dependency
- Better CI
- No more "shim*-fedora.efi", as a second safety to avoid system vendors
  setting up the scenario for CVE-2020-15705
- enable (unsigned) arm v6 building as an aarch64 subpackage.

Resolves: CVE-2020-14372
Resolves: CVE-2020-25632
Resolves: CVE-2020-25647
Resolves: CVE-2020-27749
Resolves: CVE-2020-27779
Resolves: CVE-2021-20225
Resolves: CVE-2021-20233

Signed-off-by: Peter Jones <pjones@redhat.com>
2021-05-05 01:08:46 +02:00
Peter Jones
a2d56b69e7 Build a -8 because I can't tag -7 into f30 for pretty meh reasons.
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-10-02 14:31:43 -04:00
Peter Jones
3506e57522 Revert "More %%dist shenanigans."
It's pointless, because doesn't actually get around the real problem.

This reverts commit aa0e9e6fd1.
2018-10-02 14:19:54 -04:00
Peter Jones
aa0e9e6fd1 More %%dist shenanigans.
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-10-02 14:12:05 -04:00
Peter Jones
a069325bd5 Rebuild just because I'm dumb.
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-10-02 13:58:10 -04:00
Peter Jones
f1083ad4d6 Put the legacy shim.efi binary in the right subpackage
Resolves: rhbz#1631989

Signed-off-by: Peter Jones <pjones@redhat.com>
2018-10-02 13:52:49 -04:00
Peter Jones
44a06ee897 Fix a typo.
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-05-04 15:36:01 -04:00
Peter Jones
3e21f6d5ec Rework the .spec to use efi-rpm-macros.
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-05-04 15:28:05 -04:00
Peter Jones
f54022bf7f Make sure all of our macros always expand
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-05-04 15:07:21 -04:00
Peter Jones
a8752f8f14 Rework the .spec to use efi-rpm-macros.
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-05-04 14:22:38 -04:00
Peter Jones
595703b86e Fix directory permissions to be 0700 on FAT filesystems
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-05-04 14:05:34 -04:00
Peter Jones
b5087b89ef Fix directory permissions to be 0700 on FAT filesystems
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-05-04 14:04:22 -04:00
Peter Jones
9d062d358d Temporarily revert everything to the last build that worked
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-05-04 14:02:26 -04:00
Peter Jones
e2500aced2 still working on this... 2018-05-04 14:00:25 -04:00
Peter Jones
35825dbe33 dammit 2018-05-03 17:25:10 -04:00
Peter Jones
de58e0d74e try another small change...
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-05-03 16:32:59 -04:00
Peter Jones
11dee2e86f Build with %trace and without the horrible hack, to see wth koji is doing.
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-05-03 16:11:46 -04:00
Peter Jones
c0bacf937c Move a lot of boilerplate to macros.shim
There's a bunch of boilerplate to determine filenames and such based on
which arch we're on; there's no reason to read it most of the time.
Move all that to macros.shim.

This makes the actual spec much more reasonable.

Signed-off-by: Peter Jones <pjones@redhat.com>
2018-05-03 15:34:31 -04:00
Peter Jones
240d9ca734 Pick a release value that'll be higher than what's in F28.
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-04-30 14:38:59 -04:00
Peter Jones
eb9b0715fc Fix BOOT*.CSV and update release to -1
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-04-30 11:01:07 -04:00
Peter Jones
d369b28d16 Update to shim 15.
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-04-24 16:51:19 -04:00
Peter Jones
08e4c727b5 Get the shim-unsigned-aarch64 package version right.
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-03-06 14:17:44 -05:00
Peter Jones
25cd900f0e Slightly less nerfing...
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-03-06 14:12:18 -05:00
Peter Jones
fd0314c79d Nerf the hell out of all the checks to make sure I got this process right. sigh.
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-03-06 11:09:53 -05:00
Peter Jones
acc5812c8e Back off to the thing we had in 13-0.8 until I get new signatures.
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-03-06 10:56:38 -05:00
Peter Jones
99b1d687be Fix an inverted test that crept in in the signing macro. (Woops.)
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-02-28 13:23:35 -05:00
Peter Jones
0abd456d3c Rename the .spec file and fix some paths.
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-02-28 12:21:42 -05:00
Peter Jones
60deacd6ea Boil the sea.
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-02-28 11:34:24 -05:00
Petr Šabata
5c4aeae5d0 Updating to 0.9 to enable building with gcc7 2017-05-02 12:36:15 +02:00
Peter Jones
1ecf8fe756 Fix bootloader path and whitelist certificates on ARM Aarch64.
Resolves: rhbz#1170289

Signed-off-by: Peter Jones <pjones@redhat.com>
2014-12-05 09:52:49 -05:00
Peter Jones
b20ba9cc96 Don't use a distro tag here; it just confuses people.
Signed-off-by: Peter Jones <pjones@redhat.com>
2014-10-30 11:05:09 -04:00
Peter Jones
28fad42a38 Update to 0.8
Related: rhbz#1148230
  Related: rhbz#1148231
  Related: rhbz#1148232

Signed-off-by: Peter Jones <pjones@redhat.com>
2014-10-14 10:32:16 -04:00
Peter Jones
f12ea5ef3a Adjust for newer gnu-efi.
Signed-off-by: Peter Jones <pjones@redhat.com>
2014-09-08 16:47:26 -04:00
Peter Jones
70e23bed96 Fix logic to handle SetupMode efi variable. 2013-11-06 14:32:15 -05:00
Peter Jones
7148df39f5 Fix a FreePool(NULL) call on machines too old for SB 2013-10-31 11:34:04 -04:00
Peter Jones
fecdfb1f13 Fix a FreePool(NULL) call on machines too old for SB 2013-10-30 16:45:13 -04:00
Peter Jones
ba65b5563e Update to 0.5
Signed-off-by: Peter Jones <pjones@redhat.com>
2013-10-04 17:20:31 -04:00
Peter Jones
fd458a376b Use a release url github generates automatically.
Signed-off-by: Peter Jones <pjones@redhat.com>
2013-08-07 15:40:25 -04:00
Peter Jones
57f3546846 Update to 0.4 2013-06-11 15:13:49 -04:00
Peter Jones
6abd8c8ccb Fix a variable handling bug in 0.3/0.4
Signed-off-by: Peter Jones <pjones@redhat.com>
2013-06-11 15:02:12 -04:00
Peter Jones
00ae24516c Update to 0.4 2013-06-11 09:08:11 -04:00
Peter Jones
b03890160e Use the right hash command line. 2013-06-07 17:17:26 -04:00
Peter Jones
6e8ffa5826 Require gnu-efi-3.0q for now.
- Don't allow mmx or sse during compilation.
- Re-organize this so all real signing happens in shim-signed instead.
- Split out mokutil
2013-06-07 16:56:37 -04:00
Peter Jones
345b99e1f9 Don't allow mmx or sse during compilation. 2013-06-07 14:27:12 -04:00
Peter Jones
87983bd45d Update for shim-0.3 2013-05-30 08:40:17 -04:00
Peter Jones
b4e78d5f20 Prepare for 0.3
Signed-off-by: Peter Jones <pjones@redhat.com>
2013-05-14 14:48:41 -04:00
Peter Jones
0371db891a Fix mokutil's idea of signature sizes.
Also update the fedora key.
2012-12-12 10:07:34 -05:00
Peter Jones
c7806c9e16 Don't provide /boot/efi/EFI/fedora/shim.efi . shim-signed provides that.
Signed-off-by: Peter Jones <pjones@redhat.com>
2012-12-03 15:35:44 -05:00
Matthew Garrett
fceb7acdba Fix secure_mode() always returning true 2012-11-28 12:18:07 -05:00