Migrate to SPDX license

This is part of https://fedoraproject.org/wiki/Changes/SPDX_Licenses_Phase_2
The license analysis is here http://miroslav.suchy.cz/fedora/spdx-reports/shim.html

.gitignore

@@ -1,3 +1,6 @@
-*.tar.*
+shim*.efi
-clog
 *.rpm
+*/
+.build*.log
+*~
+.*.sw?

0002-Don-t-reject-all-binaries-without-a-certificate-data.patch

@@ -1,146 +0,0 @@
-From be73f6bd4f064015c9f12323e2fb2f51b8cdb631 Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Tue, 22 Oct 2013 13:36:54 -0400
-Subject: [PATCH 2/5] Don't reject all binaries without a certificate database.
-
-If a binary isn't signed, but its hash is enrolled in db, it won't have
-a certificate database.  So in those cases, don't check it against
-certificate databases in db/dbx/etc, but we don't need to reject it
-outright.
-
-Signed-off-by: Peter Jones <pjones@redhat.com>
----
- shim.c | 70 +++++++++++++++++++++++++++++++++++-------------------------------
- 1 file changed, 37 insertions(+), 33 deletions(-)
-
-diff --git a/shim.c b/shim.c
-index 58136db..3d1febb 100644
---- a/shim.c
-+++ b/shim.c
-@@ -371,8 +371,8 @@ static EFI_STATUS check_blacklist (WIN_CERTIFICATE_EFI_PKCS *cert,
- 				 SHA1_DIGEST_SIZE, EFI_CERT_SHA1_GUID) ==
- 				DATA_FOUND)
- 		return EFI_ACCESS_DENIED;
--	if (check_db_cert_in_ram(dbx, vendor_dbx_size, cert,
--				 sha256hash) == DATA_FOUND)
-+	if (cert && check_db_cert_in_ram(dbx, vendor_dbx_size, cert,
-+					 sha256hash) == DATA_FOUND)
- 		return EFI_ACCESS_DENIED;
- 
- 	if (check_db_hash(L"dbx", secure_var, sha256hash, SHA256_DIGEST_SIZE,
-@@ -381,7 +381,8 @@ static EFI_STATUS check_blacklist (WIN_CERTIFICATE_EFI_PKCS *cert,
- 	if (check_db_hash(L"dbx", secure_var, sha1hash, SHA1_DIGEST_SIZE,
- 			  EFI_CERT_SHA1_GUID) == DATA_FOUND)
- 		return EFI_ACCESS_DENIED;
--	if (check_db_cert(L"dbx", secure_var, cert, sha256hash) == DATA_FOUND)
-+	if (cert && check_db_cert(L"dbx", secure_var, cert, sha256hash) ==
-+				DATA_FOUND)
- 		return EFI_ACCESS_DENIED;
- 
- 	return EFI_SUCCESS;
-@@ -414,7 +415,8 @@ static EFI_STATUS check_whitelist (WIN_CERTIFICATE_EFI_PKCS *cert,
- 			update_verification_method(VERIFIED_BY_HASH);
- 			return EFI_SUCCESS;
- 		}
--		if (check_db_cert(L"db", secure_var, cert, sha256hash) == DATA_FOUND) {
-+		if (cert && check_db_cert(L"db", secure_var, cert, sha256hash)
-+					== DATA_FOUND) {
- 			verification_method = VERIFIED_BY_CERT;
- 			update_verification_method(VERIFIED_BY_CERT);
- 			return EFI_SUCCESS;
-@@ -427,7 +429,8 @@ static EFI_STATUS check_whitelist (WIN_CERTIFICATE_EFI_PKCS *cert,
- 		update_verification_method(VERIFIED_BY_HASH);
- 		return EFI_SUCCESS;
- 	}
--	if (check_db_cert(L"MokList", shim_var, cert, sha256hash) == DATA_FOUND) {
-+	if (cert && check_db_cert(L"MokList", shim_var, cert, sha256hash) ==
-+				DATA_FOUND) {
- 		verification_method = VERIFIED_BY_CERT;
- 		update_verification_method(VERIFIED_BY_CERT);
- 		return EFI_SUCCESS;
-@@ -712,25 +715,24 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
- 	UINT8 sha256hash[SHA256_DIGEST_SIZE];
- 	UINT8 sha1hash[SHA1_DIGEST_SIZE];
- 	EFI_STATUS status = EFI_ACCESS_DENIED;
--	WIN_CERTIFICATE_EFI_PKCS *cert;
-+	WIN_CERTIFICATE_EFI_PKCS *cert = NULL;
- 	unsigned int size = datasize;
- 
--	if (context->SecDir->Size == 0) {
--		Print(L"Empty security header\n");
--		return EFI_INVALID_PARAMETER;
--	}
--
--	cert = ImageAddress (data, size, context->SecDir->VirtualAddress);
-+	if (context->SecDir->Size != 0) {
-+		cert = ImageAddress (data, size,
-+				     context->SecDir->VirtualAddress);
- 
--	if (!cert) {
--		Print(L"Certificate located outside the image\n");
--		return EFI_INVALID_PARAMETER;
--	}
-+		if (!cert) {
-+			Print(L"Certificate located outside the image\n");
-+			return EFI_INVALID_PARAMETER;
-+		}
- 
--	if (cert->Hdr.wCertificateType != WIN_CERT_TYPE_PKCS_SIGNED_DATA) {
--		Print(L"Unsupported certificate type %x\n",
--		      cert->Hdr.wCertificateType);
--		return EFI_UNSUPPORTED;
-+		if (cert->Hdr.wCertificateType !=
-+		    WIN_CERT_TYPE_PKCS_SIGNED_DATA) {
-+			Print(L"Unsupported certificate type %x\n",
-+				cert->Hdr.wCertificateType);
-+			return EFI_UNSUPPORTED;
-+		}
- 	}
- 
- 	status = generate_hash(data, datasize, context, sha256hash, sha1hash);
-@@ -761,27 +763,29 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
- 	if (status == EFI_SUCCESS)
- 		return status;
- 
--	/*
--	 * Check against the shim build key
--	 */
--	if (AuthenticodeVerify(cert->CertData,
-+	if (cert) {
-+		/*
-+		 * Check against the shim build key
-+		 */
-+		if (AuthenticodeVerify(cert->CertData,
- 			       context->SecDir->Size - sizeof(cert->Hdr),
- 			       shim_cert, sizeof(shim_cert), sha256hash,
- 			       SHA256_DIGEST_SIZE)) {
--		status = EFI_SUCCESS;
--		return status;
--	}
-+			status = EFI_SUCCESS;
-+			return status;
-+		}
- 
- 
--	/*
--	 * And finally, check against shim's built-in key
--	 */
--	if (AuthenticodeVerify(cert->CertData,
-+		/*
-+		 * And finally, check against shim's built-in key
-+		 */
-+		if (AuthenticodeVerify(cert->CertData,
- 			       context->SecDir->Size - sizeof(cert->Hdr),
- 			       vendor_cert, vendor_cert_size, sha256hash,
- 			       SHA256_DIGEST_SIZE)) {
--		status = EFI_SUCCESS;
--		return status;
-+			status = EFI_SUCCESS;
-+			return status;
-+		}
- 	}
- 
- 	status = EFI_ACCESS_DENIED;
--- 
-1.8.3.1
-

0004-We-should-be-checking-both-mok-and-the-system-s-SB-s.patch

@@ -1,30 +0,0 @@
-From 83b3a7cf6d4d4e91579864cfc75dadf2b7304da9 Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Mon, 28 Oct 2013 10:41:03 -0400
-Subject: [PATCH 4/5] We should be checking both mok and the system's SB
- settings
-
-When we call hook_system_services(), we're currently only checking mok's
-setting.  We should use secure_mode() instead so it'll check both.
-
-Signed-off-by: Peter Jones <pjones@redhat.com>
----
- shim.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/shim.c b/shim.c
-index 537177d..9d0d884 100644
---- a/shim.c
-+++ b/shim.c
-@@ -1718,7 +1718,7 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
- 	/*
- 	 * Tell the user that we're in insecure mode if necessary
- 	 */
--	if (insecure_mode) {
-+	if (!secure_mode()) {
- 		Print(L"Booting in insecure mode\n");
- 		uefi_call_wrapper(BS->Stall, 1, 2000000);
- 	} else {
--- 
-1.8.3.1
-

0005-Don-t-free-GetVariable-return-data-without-checking-.patch

@@ -1,54 +0,0 @@
-From 556c445ea19fc257fe35ac1a67477e7352ba3fcd Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Wed, 30 Oct 2013 16:36:01 -0400
-Subject: [PATCH 5/5] Don't free GetVariable() return data without checking the
- status code.
-
-This breaks every machine from before Secure Boot was a thing.
-
-Signed-off-by: Peter Jones <pjones@redhat.com>
----
- shim.c | 15 ++++++++++++---
- 1 file changed, 12 insertions(+), 3 deletions(-)
-
-diff --git a/shim.c b/shim.c
-index 9d0d884..0081342 100644
---- a/shim.c
-+++ b/shim.c
-@@ -456,21 +456,30 @@ static BOOLEAN secure_mode (void)
- 		return FALSE;
- 
- 	status = get_variable(L"SecureBoot", &Data, &len, global_var);
-+	if (status != EFI_SUCCESS) {
-+		if (verbose)
-+			console_notify(L"Secure boot not enabled\n");
-+		return FALSE;
-+	}
- 	sb = *Data;
- 	FreePool(Data);
- 
--	/* FIXME - more paranoia here? */
--	if (status != EFI_SUCCESS || sb != 1) {
-+	if (sb != 1) {
- 		if (verbose)
- 			console_notify(L"Secure boot not enabled\n");
- 		return FALSE;
- 	}
- 
- 	status = get_variable(L"SetupMode", &Data, &len, global_var);
-+	if (status == EFI_SUCCESS) {
-+		if (verbose)
-+			console_notify(L"Platform is in setup mode\n");
-+		return FALSE;
-+	}
- 	setupmode = *Data;
- 	FreePool(Data);
- 
--	if (status == EFI_SUCCESS && setupmode == 1) {
-+	if (setupmode == 1) {
- 		if (verbose)
- 			console_notify(L"Platform is in setup mode\n");
- 		return FALSE;
--- 
-1.8.3.1
-

shim-image-size.patch

@@ -1,63 +0,0 @@
-From d3a9d4e8404e0f402fb371066f0e405ed3cecc29 Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <mjg@redhat.com>
-Date: Tue, 14 Aug 2012 06:50:00 -0400
-Subject: [PATCH] Use the file size, not the image size field, for
- verification.
-
----
- shim.c | 11 ++++++-----
- 1 file changed, 6 insertions(+), 5 deletions(-)
-
-diff --git a/shim.c b/shim.c
-index 2d9044d..6a3c054 100644
---- a/shim.c
-+++ b/shim.c
-@@ -555,7 +555,7 @@ done:
- /*
-  * Read the binary header and grab appropriate information from it
-  */
--static EFI_STATUS read_header(void *data,
-+static EFI_STATUS read_header(void *data, unsigned int datasize,
- 			      PE_COFF_LOADER_IMAGE_CONTEXT *context)
- {
- 	EFI_IMAGE_DOS_HEADER *DosHdr = data;
-@@ -590,7 +590,7 @@ static EFI_STATUS read_header(void *data,
- 	context->FirstSection = (EFI_IMAGE_SECTION_HEADER *)((char *)PEHdr + PEHdr->Pe32.FileHeader.SizeOfOptionalHeader + sizeof(UINT32) + sizeof(EFI_IMAGE_FILE_HEADER));
- 	context->SecDir = (EFI_IMAGE_DATA_DIRECTORY *) &PEHdr->Pe32Plus.OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY];
- 
--	if (context->SecDir->VirtualAddress >= context->ImageSize) {
-+	if (context->SecDir->VirtualAddress >= datasize) {
- 		Print(L"Malformed security header\n");
- 		return EFI_INVALID_PARAMETER;
- 	}
-@@ -606,7 +606,8 @@ static EFI_STATUS read_header(void *data,
- /*
-  * Once the image has been loaded it needs to be validated and relocated
-  */
--static EFI_STATUS handle_grub (void *data, int datasize, EFI_LOADED_IMAGE *li)
-+static EFI_STATUS handle_grub (void *data, unsigned int datasize,
-+			       EFI_LOADED_IMAGE *li)
- {
- 	EFI_STATUS efi_status;
- 	char *buffer;
-@@ -615,7 +616,7 @@ static EFI_STATUS handle_grub (void *data, int datasize, EFI_LOADED_IMAGE *li)
- 	char *base, *end;
- 	PE_COFF_LOADER_IMAGE_CONTEXT context;
- 
--	efi_status = read_header(data, &context);
-+	efi_status = read_header(data, datasize, &context);
- 	if (efi_status != EFI_SUCCESS) {
- 		Print(L"Failed to read header\n");
- 		return efi_status;
-@@ -843,7 +844,7 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size)
- 	if (!secure_mode())
- 		return EFI_SUCCESS;
- 
--	status = read_header(buffer, &context);
-+	status = read_header(buffer, size, &context);
- 
- 	if (status != EFI_SUCCESS)
- 		return status;
--- 
-1.7.11.2
-

shim-vendor-cert-file.patch

@@ -1,129 +0,0 @@
-From be817236507a104ec9b0e8be57daab0e2bab40ce Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Mon, 13 Aug 2012 17:06:46 -0400
-Subject: [PATCH] Allow specification of vendor_cert through a build command
- line option.
-
-This allows you to specify the vendor_cert as a file on the command line
-during build.
----
- Makefile | 16 +++++++++++-----
- cert.S   | 32 ++++++++++++++++++++++++++++++++
- cert.h   |  1 -
- shim.c   |  6 +++---
- 4 files changed, 46 insertions(+), 9 deletions(-)
- create mode 100644 cert.S
- delete mode 100644 cert.h
-
-diff --git a/Makefile b/Makefile
-index 1e3a020..66b105f 100644
---- a/Makefile
-+++ b/Makefile
-@@ -14,24 +14,30 @@ EFI_LIBS	= -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/
- EFI_CRT_OBJS 	= $(EFI_PATH)/crt0-efi-$(ARCH).o
- EFI_LDS		= $(EFI_PATH)/elf_$(ARCH)_efi.lds
- 
--
- CFLAGS		= -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
- 		  -Wall -mno-red-zone \
- 		  $(EFI_INCLUDES)
- ifeq ($(ARCH),x86_64)
- 	CFLAGS	+= -DEFI_FUNCTION_WRAPPER
- endif
-+ifneq ($(origin VENDOR_CERT_FILE), undefined)
-+	CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\"
-+endif
-+
- LDFLAGS		= -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH) -L$(LIB_PATH) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS)
- 
--TARGET		= shim.efi
--OBJS		= shim.o shim.so
--SOURCES		= shim.c shim.h signature.h PeImage.h cert.h
-+TARGET	= shim.efi
-+OBJS	= shim.o cert.o
-+SOURCES	= shim.c shim.h signature.h PeImage.h
- 
- all: $(TARGET)
- 
- shim.o: $(SOURCES)
- 
--shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a
-+cert.o : cert.S
-+	$(CC) $(CFLAGS) -c -o $@ $<
-+
-+shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a cert.o
- 	$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)
- 
- Cryptlib/libcryptlib.a:
-diff --git a/cert.S b/cert.S
-new file mode 100644
-index 0000000..129bab5
---- /dev/null
-+++ b/cert.S
-@@ -0,0 +1,32 @@
-+#if defined(VENDOR_CERT_FILE)
-+	.globl	vendor_cert
-+	.data
-+	.align	16
-+	.type	vendor_cert, @object
-+	.size	vendor_cert_size, vendor_cert_size-vendor_cert
-+vendor_cert:
-+.incbin VENDOR_CERT_FILE
-+
-+	.globl	vendor_cert_size
-+	.data
-+	.align	16
-+	.type	vendor_cert_size, @object
-+	.size	vendor_cert_size, 4
-+vendor_cert_size:
-+	.long	vendor_cert_size - vendor_cert
-+#else
-+	.globl	vendor_cert
-+	.bss
-+	.type	vendor_cert, @object
-+	.size	vendor_cert, 1
-+vendor_cert:
-+	.zero	1
-+
-+	.globl	vendor_cert_size
-+	.data
-+	.align 4
-+	.type	vendor_cert_size, @object
-+	.size	vendor_cert_size, 4
-+vendor_cert_size:
-+	.long	1
-+#endif
-diff --git a/cert.h b/cert.h
-deleted file mode 100644
-index 380bc04..0000000
---- a/cert.h
-+++ /dev/null
-@@ -1 +0,0 @@
--static UINT8 vendor_cert[] = {0x00};
-diff --git a/shim.c b/shim.c
-index fc3dafc..2d9044d 100644
---- a/shim.c
-+++ b/shim.c
-@@ -48,8 +48,8 @@ static EFI_STATUS (EFIAPI *entry_point) (EFI_HANDLE image_handle, EFI_SYSTEM_TAB
- /*
-  * The vendor certificate used for validating the second stage loader
-  */
--
--#include "cert.h"
-+extern UINT8 vendor_cert[];
-+extern UINT32 vendor_cert_size;
- 
- #define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }}
- 
-@@ -535,7 +535,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
- 
- 	if (!AuthenticodeVerify(cert->CertData,
- 				context->SecDir->Size - sizeof(cert->Hdr),
--				vendor_cert, sizeof(vendor_cert), hash,
-+				vendor_cert, vendor_cert_size, hash,
- 				SHA256_DIGEST_SIZE)) {
- 		Print(L"Invalid signature\n");
- 		status = EFI_ACCESS_DENIED;
--- 
-1.7.11.2
-

shim.conf

@@ -0,0 +1,4 @@
+shim-aa64
+shim-arm
+shim-ia32
+shim-x64

shim.rpmmacros

@@ -0,0 +1,174 @@
+%global debug_package %{nil}
+%global __brp_mangle_shebangs_exclude_from_file %{expand:%{_builddir}/shim-%{efi_arch}-%{version}-%{release}.%{_target_cpu}-shebangs.txt}
+%global vendor_token_str %{expand:%%{nil}%%{?vendor_token_name:-t "%{vendor_token_name}"}}
+%global vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}}
+
+%global grub_version 2.06~rc1
+%global fwupd_version 1.5.8
+
+%global bootcsvaa64 %{expand:%{SOURCE10}}
+%global bootcsvarm %{expand:%{SOURCE13}}
+%global bootcsvia32 %{expand:%{SOURCE11}}
+%global bootcsvx64 %{expand:%{SOURCE12}}
+
+%global shimefiaa64 %{expand:%{SOURCE20}}
+%global shimefiarm %{expand:%{SOURCE23}}
+%global shimefiia32 %{expand:%{SOURCE21}}
+%global shimefix64 %{expand:%{SOURCE22}}
+
+%global shimveraa64 15.6-2
+%global shimverarm 15.4-1.fc34
+%global shimveria32 15.6-1
+%global shimverx64 15.6-1
+
+%global shimdiraa64 %{_datadir}/shim/%{shimveraa64}/aa64
+%global shimdirarm %{_datadir}/shim/%{shimverarm}/arm
+%global shimdiria32 %{_datadir}/shim/%{shimveria32}/ia32
+%global shimdirx64 %{_datadir}/shim/%{shimverx64}/x64
+
+%global unsignedaa64 shim-unsigned-aarch64
+%global unsignedarm shim-unsigned-arm
+%global unsignedia32 shim-unsigned-ia32
+%global unsignedx64 shim-unsigned-x64
+
+%global bootcsv %{expand:%{bootcsv%{efi_arch}}}
+%global bootcsvalt %{expand:%{bootcsv%{?efi_alt_arch}}}
+%global shimefi %{expand:%{shimefi%{efi_arch}}}
+%global shimefialt %{expand:%{shimefi%{?efi_alt_arch}}}
+%global shimver %{expand:%{shimver%{efi_arch}}}
+%global shimveralt %{expand:%{shimver%{?efi_alt_arch}}}
+%global shimdir %{expand:%{shimdir%{efi_arch}}}
+%global shimdiralt %{expand:%{shimdir%{?efi_alt_arch}}}
+
+%global unsignednone shim-unsigned-none
+%global unsigned %{expand:%%{unsigned%{efi_arch}}}
+%global unsignedalt %{expand:%%{unsigned%{efi_alt_arch}}}
+
+%define define_pkg(a:p:)						\
+%{expand:%%package -n shim-%{-a*}}					\
+Summary: First-stage UEFI bootloader					\
+Requires: mokutil >= 1:0.3.0-15						\
+Requires: efi-filesystem						\
+Provides: shim-signed-%{-a*} = %{version}-%{release}			\
+Conflicts: fwupd < %{fwupd_version}					\
+Requires: grub2-efi-%{-a*} >= %{grub_version}				\
+Conflicts: grub2-efi-%{-a*} < %{grub_version}				\
+%{expand:%%if 0%%{-p*}							\
+Provides: shim = %{version}-%{release}					\
+Provides: shim-signed = %{version}-%{release}				\
+Obsoletes: shim-signed < %{version}-%{release}				\
+Obsoletes: shim < %{version}-%{release}					\
+%%endif}								\
+# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI	\
+# is not compatible with SysV (there's no red zone under UEFI) and	\
+# there isn't a POSIX-style C library.					\
+# BuildRequires: OpenSSL						\
+Provides: bundled(openssl) = 1.0.2j					\
+									\
+%{expand:%%description -n shim-%{-a*}}					\
+Initial UEFI bootloader that handles chaining to a trusted full		\
+bootloader under secure boot environments. This package contains the	\
+version signed by the UEFI signing service.				\
+%{nil}
+
+# -a <efiarch>
+# -i <input>
+%define hash(a:i:d:)							\
+	pesign -i %{-i*} -h -P > shim.hash				\
+	read file0 hash0 < shim.hash					\
+	read file1 hash1 < %{-d*}/shim%{-a*}.hash			\
+	if ! [ "$hash0" = "$hash1" ]; then				\
+		echo Invalid signature\! > /dev/stderr			\
+		echo $hash0 vs $hash1					\
+		exit 1							\
+	fi								\
+	%{nil}
+
+# -i <input>
+# -o <output>
+%define sign(i:o:)							\
+	%{expand:%%pesign -s -i %{-i*} -o %{-o*}}			\
+	%{nil}
+
+# -b <binary prefix>
+# -a <efiarch>
+# -i <input>
+%define distrosign(b:a:d:)						\
+	cp -av %{-d*}/%{-b*}%{-a*}.efi %{-b*}%{-a*}-unsigned.efi	\
+	%{expand:%%sign -i %{-b*}%{-a*}-unsigned.efi -o %{-b*}%{-a*}-signed.efi}\
+	%{nil}
+
+# -a <efiarch>
+# -A <EFIARCH>
+# -b <1|0> # signed by this builder?
+# -c <1|0> # signed by UEFI CA?
+# -i <shimARCH.efi>
+%define define_build(a:A:b:c:i:d:)					\
+if [ "%{-c*}" = "yes" ]; then						\
+	%{expand:%%hash -i %{-i*} -a %{-a*} -d %{-d*}}			\
+fi									\
+cp %{-i*} shim%{-a*}.efi						\
+if [ "%{-b*}" = "yes" ]; then						\
+	%{expand:%%distrosign -b shim -a %{-a*} -d %{-d*}}		\
+	mv shim%{-a*}-signed.efi shim%{-a*}-%{efi_vendor}.efi		\
+fi									\
+if [ "%{-c*}" = "no" ] && [ "%{-b*}" = "yes" ]; then			\
+	cp shim%{-a*}-%{efi_vendor}.efi shim%{-a*}.efi			\
+fi									\
+%{expand:%%distrosign -b mm -a %{-a*} -d %{-d*}}			\
+mv mm%{-a*}-signed.efi mm%{-a*}.efi					\
+%{expand:%%distrosign -b fb -a %{-a*} -d %{-d*}}			\
+mv fb%{-a*}-signed.efi fb%{-a*}.efi					\
+rm -vf									\\\
+	mm%{-a*}-unsigned.efi						\\\
+	fb%{-a*}-unsigned.efi						\\\
+	shim%{-a*}-unsigned.efi						\
+%{nil}
+
+# -a <efiarch>
+# -A <EFIARCH>
+# -b <BOOTCSV>
+%define do_install(a:A:b:)						\
+install -m 0700 shim%{-a*}.efi						\\\
+	$RPM_BUILD_ROOT%{efi_esp_dir}/shim%{-a*}.efi			\
+install -m 0700 mm%{-a*}.efi						\\\
+	$RPM_BUILD_ROOT%{efi_esp_dir}/mm%{-a*}.efi			\
+install -m 0700 %{-b*}							\\\
+	$RPM_BUILD_ROOT%{efi_esp_dir}/BOOT%{-A*}.CSV			\
+install -m 0700 shim%{-a*}.efi						\\\
+	$RPM_BUILD_ROOT%{efi_esp_boot}/BOOT%{-A*}.EFI			\
+install -m 0700 fb%{-a*}.efi						\\\
+	$RPM_BUILD_ROOT%{efi_esp_boot}/fb%{-a*}.efi			\
+%nil
+
+# -a <efiarch>
+# -A <EFIARCH>
+%define define_files(a:A:)						\
+%{expand:%%files -n shim-%{-a*}}					\
+%{efi_esp_dir}/*%{-a*}*.efi						\
+%{efi_esp_dir}/BOOT%{-A*}.CSV						\
+%{efi_esp_boot}/*%{-a*}.efi						\
+%{efi_esp_boot}/*%{-A*}.EFI						\
+%{nil}
+
+%ifarch x86_64
+%global is_signed yes
+%global is_alt_signed no
+%global provide_legacy_shim 1
+%endif
+%ifarch aarch64
+%global is_signed no
+%global is_alt_signed no
+%global provide_legacy_shim 1
+%endif
+%ifnarch x86_64 aarch64
+%global is_signed no
+%global is_alt_signed no
+%global provide_legacy_shim 0
+%endif
+
+%if ! 0%{?vendor:1}
+%global vendor nopenopenope
+%endif
+
+# vim:filetype=rpmmacros

shim.spec

@@ -1,138 +1,304 @@
-Name:           shim
+# this is to make us only expand %%{dist} if we're on a modularity build.
-Version:        0.8
+# it's 2 macros make vim's \c not put a brace at the end of the changelog.
-Release:        1%{?dist}
+%global _dist %{expand:%{?_module_build:%%{?dist}}}
-Summary:        First-stage UEFI bootloader
+%global dist %{expand:%%{_dist}}
 
-License:        BSD
+Name:		shim
-URL:            http://www.codon.org.uk/~mjg59/shim/
+Version:	15.6
-Source0:        https://github.com/mjg59/%{name}/releases/download/%{version}/%{name}-%{version}.tar.bz2
+Release:	2%{?dist}
-Source1:	fedora-ca.cer
+Summary:	First-stage UEFI bootloader
+License:	BSD-3-Clause
+URL:		https://github.com/rhboot/shim/
+BuildRequires:	efi-filesystem
+BuildRequires:	efi-srpm-macros >= 5-1
 
-# currently here's what's in our dbx:
+ExclusiveArch:	%{efi}
-# grub2-efi-2.00-11.fc18.x86_64:
+# but we don't build a .i686 package, just a shim-ia32.x86_64 package
-# grubx64.efi 6ac839881e73504047c06a1aac0c4763408ecb3642783c8acf77a2d393ea5cd7
+ExcludeArch:	%{ix86}
-# gcdx64.efi 065cd63bab696ad2f4732af9634d66f2c0d48f8a3134b8808750d378550be151
+# but we don't build a .arm package, just a shim-arm.aarch64 package
-# grub2-efi-2.00-11.fc19.x86_64:
+ExcludeArch:	%{arm}
-# grubx64.efi 49ece9a10a9403b32c8e0c892fd9afe24a974323c96f2cc3dd63608754bf9b45
-# gcdx64.efi 99fcaa957786c155a92b40be9c981c4e4685b8c62b408cb0f6cb2df9c30b9978
-# woops.
-Source2:	dbx.esl
 
-BuildRequires: git openssl-devel openssl
+Source0:	shim.rpmmacros
-BuildRequires: pesign >= 0.106-1
+Source1:	shim.conf
-BuildRequires: gnu-efi = 3.0w
-BuildRequires: gnu-efi-devel = 3.0w
 
-# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
+# keep these two lists of sources synched up arch-wise.  That is 0 and 10
-# compatible with SysV (there's no red zone under UEFI) and there isn't a
+# match, 1 and 11 match, ...
-# POSIX-style C library.
+Source10:	BOOTAA64.CSV
-# BuildRequires: OpenSSL
+Source20:	shimaa64.efi
-Provides: bundled(openssl) = 0.9.8zb
+Source11:	BOOTIA32.CSV
+Source21:	shimia32.efi
+Source12:	BOOTX64.CSV
+Source22:	shimx64.efi
+#Source13:	BOOTARM.CSV
+#Source23:	shimarm.efi
 
-# Shim is only required on platforms implementing the UEFI secure boot
+%include %{SOURCE0}
-# protocol. The only one of those we currently wish to support is 64-bit x86.
-# Adding further platforms will require adding appropriate relocation code.
-ExclusiveArch: x86_64 aarch64
 
-# Figure out the right file path to use
+BuildRequires:	pesign >= 0.112-20.fc27
-%if 0%{?rhel}
+# We need this because %%{efi} won't expand before choosing where to make
-%global efidir redhat
+# the src.rpm in koji, and we could be on a non-efi architecture, in which
+# case we won't have a valid expansion here...  To be solved in the future
+# (shim 16+) by making the unsigned packages all provide "shim-unsigned", so
+# we can just BuildRequires that.
+%ifarch x86_64
+BuildRequires: %{unsignedx64} = %{shimverx64}
+BuildRequires: %{unsignedia32} = %{shimveria32}
 %endif
-%if 0%{?fedora}
+%ifarch aarch64
-%global efidir fedora
+BuildRequires: %{unsignedaa64} = %{shimveraa64}
+#BuildRequires: %% {unsignedarm} = %% {shimverarm}
 %endif
 
 %description
 Initial UEFI bootloader that handles chaining to a trusted full bootloader
-under secure boot environments.
+under secure boot environments. This package contains the version signed by
+the UEFI signing service.
 
-%package -n shim-unsigned
+%define_pkg -a %{efi_arch} -p 1
-Summary: First-stage UEFI bootloader (unsigned data)
+%if %{efi_has_alt_arch}
-
+%define_pkg -a %{efi_alt_arch}
-%description -n shim-unsigned
+%endif
-Initial UEFI bootloader that handles chaining to a trusted full bootloader
-under secure boot environments.
 
 %prep
-%setup -q
+cd %{_builddir}
-git init
+rm -rf shim-%{version}
-git config user.email "%{name}-owner@fedoraproject.org"
+mkdir shim-%{version}
-git config user.name "Fedora Ninjas"
-git add .
-git commit -a -q -m "%{version} baseline."
-git am %{patches} </dev/null
-
 
 %build
-MAKEFLAGS=""
+
-if [ -f "%{SOURCE1}" ]; then
+cd shim-%{version}
-	MAKEFLAGS="VENDOR_CERT_FILE=%{SOURCE1} VENDOR_DBX_FILE=%{SOURCE2}"
+%if %{efi_has_alt_arch}
-fi
+%define_build -a %{efi_alt_arch} -A %{efi_alt_arch_upper} -i %{shimefialt} -b no -c %{is_alt_signed} -d %{shimdiralt}
-make 'DEFAULT_LOADER=\\\\grubx64.efi' ${MAKEFLAGS} shim.efi MokManager.efi fallback.efi
+%endif
+%define_build -a %{efi_arch} -A %{efi_arch_upper} -i %{shimefi} -b no -c %{is_signed} -d %{shimdir}
 
 %install
 rm -rf $RPM_BUILD_ROOT
-pesign -h -P -i shim.efi -h > shim.hash
+cd shim-%{version}
-install -D -d -m 0755 $RPM_BUILD_ROOT%{_datadir}/shim/
+install -D -d -m 0755 $RPM_BUILD_ROOT/boot/
-install -m 0644 shim.efi $RPM_BUILD_ROOT%{_datadir}/shim/shim.efi
+install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_root}/
-install -m 0644 shim.hash $RPM_BUILD_ROOT%{_datadir}/shim/shim.hash
+install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_efi}/
-install -m 0644 fallback.efi $RPM_BUILD_ROOT%{_datadir}/shim/fallback.efi
+install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_dir}/
-install -m 0644 MokManager.efi $RPM_BUILD_ROOT%{_datadir}/shim/MokManager.efi
+install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_boot}/
-# now install our .debug files...
-install -D -d -m 0755 $RPM_BUILD_ROOT/usr/lib/debug/%{_datadir}/shim/
-install -m 0644 shim.efi.debug $RPM_BUILD_ROOT/usr/lib/debug/%{_datadir}/shim/shim.efi.debug
-install -m 0644 fallback.efi.debug $RPM_BUILD_ROOT/usr/lib/debug/%{_datadir}/shim/fallback.efi.debug
-install -m 0644 MokManager.efi.debug $RPM_BUILD_ROOT/usr/lib/debug/%{_datadir}/shim/MokManager.efi.debug
 
-%files -n shim-unsigned
+%do_install -a %{efi_arch} -A %{efi_arch_upper} -b %{bootcsv}
-%doc
+%if %{efi_has_alt_arch}
-%dir %{_datadir}/shim
+%do_install -a %{efi_alt_arch} -A %{efi_alt_arch_upper} -b %{bootcsvalt}
-%{_datadir}/shim/*
+%endif
+
+%if %{provide_legacy_shim}
+install -m 0700 %{shimefi} $RPM_BUILD_ROOT%{efi_esp_dir}/shim.efi
+%endif
+install -D -d -m 0755 $RPM_BUILD_ROOT%{_sysconfdir}/dnf/protected.d/
+install -m 0644 %{SOURCE1} $RPM_BUILD_ROOT%{_sysconfdir}/dnf/protected.d/
+
+( cd $RPM_BUILD_ROOT ; find .%{efi_esp_root} -type f ) \
+  | sed -e 's/\./\^/' -e 's,^\\\./,.*/,' -e 's,$,$,' > %{__brp_mangle_shebangs_exclude_from_file}
+
+%define_files -a %{efi_arch} -A %{efi_arch_upper}
+%if %{provide_legacy_shim}
+%{efi_esp_dir}/shim.efi
+%endif
+%{_sysconfdir}/dnf/protected.d/shim.conf
+
+%if %{efi_has_alt_arch}
+%define_files -a %{efi_alt_arch} -A %{efi_alt_arch_upper}
+%{_sysconfdir}/dnf/protected.d/shim.conf
+%endif
 
 %changelog
-* Tue Oct 14 2014 Peter Jones <pjones@redhat.com> - 0.8-1
+* Thu Jul 07 2022 Robbie Harwood <rharwood@redhat.com> - 15.6-2
-- Update to 0.8
+- Update aarch64 (only) with relocation fixes
-  Related: rhbz#1148230
+- Resolves: #2101248
-  Related: rhbz#1148231
-  Related: rhbz#1148232
 
-* Wed Nov 06 2013 Peter Jones <pjones@redhat.com> - 0.7-1
+* Wed Jun 15 2022 Peter Jones <pjones@redhat.com> - 15.6-1
-- Fix logic to handle SetupMode efi variable.
+- Update to shim-15.6
+  Resolves: CVE-2022-28737
 
-* Thu Oct 31 2013 Peter Jones <pjones@redhat.com> - 0.6-1
+* Wed May 05 2021 Javier Martinez Canillas <javierm@redhat.com> - 15.4-5
-- Fix a FreePool(NULL) call on machines too old for SB
+- Bump release to build for F35
 
-* Fri Oct 04 2013 Peter Jones <pjones@redhat.com> - 0.5-1
+* Wed Apr 21 2021 Javier Martinez Canillas <javierm@redhat.com> - 15.4-4
-- Update to 0.5
+- Fix handling of ignore_db and user_insecure_mode (pjones)
+- Fix booting on pre-UEFI Macs (pjones)
+- Fix mok variable storage allocation region (glin)
+  Resolves: rhbz#1948432
+- Fix the package version in the .sbat data (pjones)
 
-* Tue Jun 11 2013 Peter Jones <pjones@redhat.com> - 0.4-1
+* Tue Apr 06 2021 Peter Jones <pjones@redhat.com> - 15.4-3
-- Update to 0.4
+- Mark signed shim packages as protected in dnf.
+  Resolves: rhbz#1874541
+- Conflict with older fwupd, but don't require it.
+  Resolves: rhbz#1877751
 
-* Fri Jun 07 2013 Peter Jones <pjones@redhat.com> - 0.3-2
+* Tue Apr 06 2021 Peter Jones <pjones@redhat.com> - 15.4-2
-- Require gnu-efi-3.0q for now.
+- Update to shim 15.4
-- Don't allow mmx or sse during compilation.
+  - Support for revocations via the ".sbat" section and SBAT EFI variable
-- Re-organize this so all real signing happens in shim-signed instead.
+  - A new unit test framework and a bunch of unit tests
-- Split out mokutil
+  - No external gnu-efi dependency
+  - Better CI
+  Resolves: CVE-2020-14372
+  Resolves: CVE-2020-25632
+  Resolves: CVE-2020-25647
+  Resolves: CVE-2020-27749
+  Resolves: CVE-2020-27779
+  Resolves: CVE-2021-20225
+  Resolves: CVE-2021-20233
 
-* Wed Dec 12 2012 Peter Jones <pjones@redhat.com> - 0.2-3
+* Tue Oct 02 2018 Peter Jones <pjones@redhat.com> - 15-8
-- Fix mokutil's idea of signature sizes.
+- Build a -8 because I can't tag -7 into f30 for pretty meh reasons.
 
-* Wed Nov 28 2012 Matthew Garrett <mjg59@srcf.ucam.org> - 0.2-2
+* Tue Oct 02 2018 Peter Jones <pjones@redhat.com> - 15-7
-- Fix secure_mode() always returning true
+- Rebuild just because I'm dumb.
 
-* Mon Nov 26 2012 Matthew Garrett <mjg59@srcf.ucam.org> - 0.2-1
+* Tue Oct 02 2018 Peter Jones <pjones@redhat.com> - 15-6
-- Update shim
+- Put the legacy shim.efi binary in the right subpackage
-- Include mokutil
+  Resolves: rhbz#1631989
-- Add debuginfo package since mokutil is a userspace executable
 
-* Mon Oct 22 2012 Peter Jones <pjones@redhat.com> - 0.1-4
+* Fri May 04 2018 Peter Jones <pjones@redhat.com> - 15-5
-- Produce an unsigned shim
+- Rework the .spec to use efi-rpm-macros.
 
-* Tue Aug 14 2012 Peter Jones <pjones@redhat.com> - 0.1-3
+* Fri May 04 2018 Peter Jones <pjones@redhat.com> - 15-4
-- Update how embedded cert and signing work.
+- Fix directory permissions to be 0700 on FAT filesystems
 
-* Mon Aug 13 2012 Josh Boyer <jwboyer@redhat.com> - 0.1-2
+* Mon Apr 30 2018 Peter Jones <pjones@redhat.com> - 15-3
-- Add patch to fix image size calculation
+- Pick a release value that'll be higher than what's in F28.
 
-* Mon Aug 13 2012 Matthew Garrett <mjg@redhat.com> - 0.1-1
+* Mon Apr 30 2018 Peter Jones <pjones@redhat.com> - 15-1
-- initial release
+- Fix BOOT*.CSV and update release to -1
+
+* Tue Apr 24 2018 Peter Jones <pjones@redhat.com> - 15-0.1
+- Update to shim 15.
+- more reproduceable build
+- better checking for bad linker output
+- flicker-free console if there's no error output
+- improved http boot support
+- better protocol re-installation
+- dhcp proxy support
+- tpm measurement even when verification is disabled
+- more reproducable builds
+- measurement of everything verified through shim_verify()
+- coverity and scan-build checker make targets
+- misc cleanups
+
+* Tue Mar 06 2018 Peter Jones <pjones@redhat.com> - 13-5
+- Back off to the thing we had in 13-0.8 until I get new signatures.
+
+* Wed Feb 28 2018 Peter Jones <pjones@redhat.com> - 13-4
+- Fix an inverted test that crept in in the signing macro.  (Woops.)
+
+* Wed Feb 28 2018 Peter Jones <pjones@redhat.com> - 13-2
+- Pivot the shim-signed package to be here.
+
+* Wed Nov 01 2017 Peter Jones <pjones@redhat.com> - 13-1
+- Now with the actual signed 64-bit build of shim 13 for x64 as well.
+- Make everything under /boot/efi be mode 0700, since that's what FAT will
+  show anyway, so that rpm -V is correct.
+  Resolves: rhbz#1508516
+
+* Tue Oct 24 2017 Peter Jones <pjones@redhat.com> - 13-0.8
+- Now with signed 32-bit x86 build.
+  Related: rhbz#1474861
+
+* Wed Oct 04 2017 Peter Jones <pjones@redhat.com> - 13-0.7
+- Make /boot/efi/EFI/fedora/shim.efi still exist on aarch64 as well.
+  Resolves: rhbz#1497854
+
+* Tue Sep 19 2017 Peter Jones <pjones@redhat.com> - 13-0.6
+- Fix binary format issue on Aarch64
+  Resolves: rhbz#1489604
+
+* Tue Sep 05 2017 Peter Jones <pjones@redhat.com> - 13-0.5
+- Make /boot/efi/EFI/fedora/shim.efi still exist on x86_64, since some
+  machines have boot entries that point to it.
+
+* Tue Aug 29 2017 Peter Jones <pjones@redhat.com> - 13-0.4
+- Make our provides not get silently ignore by rpmbuild...
+
+* Fri Aug 25 2017 Peter Jones <pjones@redhat.com> - 13-0.3
+- x64: use the new fbx64.efi and mm64.efi as fallback.efi and MokManager.efi
+- Provide: "shim" in x64 and aa64 builds
+
+* Thu Aug 24 2017 Peter Jones <pjones@redhat.com> - 13-0.2
+- Obsolete old shim builds.
+
+* Tue Aug 22 2017 Peter Jones <pjones@redhat.com> - 13-0.1
+- Initial (partially unsigned) build for multi-arch support on x64/ia32.
+
+* Thu Mar 23 2017 Petr Šabata <contyk@redhat.com> - 0.8-9
+- Re-enable dist tag for module builds
+
+* Tue Feb 17 2015 Peter Jones <pjones@redhat.com> - 0.8-8
+- Don't dual-sign shim-%%{efidir}.efi either.
+  Resolves: rhbz#1184765
+
+* Tue Feb 17 2015 Peter Jones <pjones@redhat.com> - 0.8-8
+- Require dbxtool
+
+* Wed Dec 17 2014 Peter Jones <pjones@redhat.com> - 0.8-7
+- Wrong -signed changes got built for aarch64 last time, for dumb reasons.
+  Related: rhbz#1170289
+
+* Fri Dec 05 2014 Peter Jones <pjones@redhat.com> - 0.8-6
+- Rebuild once more so we can use a different -unsigned version on different
+  arches (because we can't tag a newer build into aarch64 without an x86
+  update to match.)
+  Related: rhbz#1170289
+
+* Wed Dec 03 2014 Peter Jones <pjones@redhat.com> - 0.8-5
+- Rebuild for aarch64 path fixes
+  Related: rhbz#1170289
+
+* Thu Oct 30 2014 Peter Jones <pjones@redhat.com> - 0.8-2
+- Remove the dist tag so people don't complain about what it says.
+
+* Fri Oct 24 2014 Peter Jones <pjones@redhat.com> - 0.8-1
+- Update to shim 0.8
+  rhbz#1148230
+  rhbz#1148231
+  rhbz#1148232
+- Handle building on aarch64 as well
+
+* Fri Jul 18 2014 Peter Jones <pjones@redhat.com> - 0.7-2
+- Don't do multi-signing; too many machines screw up verification.
+  Resolves: rhbz#1049749
+
+* Wed Nov 13 2013 Peter Jones <pjones@redhat.com> - 0.7-1
+- Update to shim 0.7
+  Resolves: rhbz#1023767
+
+* Thu Oct 24 2013 Peter Jones <pjones@redhat.com> - 0.5-1
+- Update to shim 0.5
+
+* Thu Jun 20 2013 Peter Jones <pjones@redhat.com> - 0.4-1
+- Provide a fallback for uninitialized Boot#### and BootOrder
+  Resolves: rhbz#963359
+- Move all signing from shim-unsigned to here
+- properly compare our generated hash from shim-unsigned with the hash of
+  the signed binary (as opposed to doing it manually)
+
+* Fri May 31 2013 Peter Jones <pjones@redhat.com> - 0.2-4.4
+- Re-sign to get alignments that match the new specification.
+  Resolves: rhbz#963361
+
+* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.2-4.3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Wed Jan 02 2013 Peter Jones <pjones@redhat.com> - 0.2-3.3
+- Add obsoletes and provides for earlier shim-signed packages, to cover
+  the package update cases where previous versions were installed.
+  Related: rhbz#888026
+
+* Mon Dec 17 2012 Peter Jones <pjones@redhat.com> - 0.2-3.2
+- Make the shim-unsigned dep be on the subpackage.
+
+* Sun Dec 16 2012 Peter Jones <pjones@redhat.com> - 0.2-3.1
+- Rebuild to provide "shim" package directly instead of just as a Provides:
+
+* Sat Dec 15 2012 Peter Jones <pjones@redhat.com> - 0.2-3
+- Also provide shim-fedora.efi, signed only by the fedora signer.
+- Fix the fedora signature on the result to actually be correct.
+- Update for shim-unsigned 0.2-3
+
+* Mon Dec 03 2012 Peter Jones <pjones@redhat.com> - 0.2-2
+- Initial build

sources

@@ -1 +1,3 @@
-af9b5f559d1f9e370ad119c244d0f563  shim-0.8.tar.bz2
+SHA512 (shimx64.efi) = 06488f3f5daf09b3e37e160721e9bf4c68a3ea17dcd19fad7dd1d7edbcf4c218a5b6264e7780bef46e400213459c1a8c9a0c4c1c48f7fe5d7b55b868dbdc3823
+SHA512 (shimia32.efi) = 8241bed8c3e2789741da15e265efb6a1d35d02c4ffbfd21428910c9e366575137a3d9d0c73aa10e62d59d81a98496668a05c5ac7f18a677ccb54e884db48f507
+SHA512 (shimaa64.efi) = b2b77ebbdeda9f9110dd9a6ef4ad15ae57b53ce01ef5c912163159226dc39d5ed35e0dbcfa46dc8ab9f714b63aaea52cd42746aa54155313b43dd27dd57a62f5