

7 Commits
rawhide ... f19

Peter Jones
e66067a8e6 Make this more like master/f21/f20
Signed-off-by: Peter Jones <pjones@redhat.com>
2014-10-14 10:44:51 -04:00
Peter Jones
d854b5dba9 Get rid of unused patches.
Signed-off-by: Peter Jones <pjones@redhat.com>
2014-10-14 10:42:49 -04:00
Peter Jones
5fbba32ca2 Remove one more vestige of building mokutil here.
Signed-off-by: Peter Jones <pjones@redhat.com>
2014-10-14 10:17:12 -04:00
Peter Jones
08332a60c2 AAaaand fix the require for gnu-efi-devel
Signed-off-by: Peter Jones <pjones@redhat.com>
2014-10-13 19:51:41 -04:00
Peter Jones
7eb349fa90 Actually get the de-mockification right.
Signed-off-by: Peter Jones <pjones@redhat.com>
2014-10-13 19:37:23 -04:00
Peter Jones
583daa9e89 Update to 0.8
Related: rhbz#1148230
  Related: rhbz#1148231
  Related: rhbz#1148232

Signed-off-by: Peter Jones <pjones@redhat.com>
2014-10-13 19:31:12 -04:00
Peter Jones
b819c2be5b Update to 0.8
Related: rhbz#1148230
  Related: rhbz#1148231
  Related: rhbz#1148232

Signed-off-by: Peter Jones <pjones@redhat.com>
2014-10-13 17:40:34 -04:00
12 changed files with 24 additions and 517 deletions

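--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
-/mokutil-*.tar.bz2
-/shim-*.tar.bz2
+*.tar.*
+clog
+*.rpm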


@ -1,59 +0,0 @@
From 2a1167083fc6fa313a202afe179dbae080f04b95 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Fri, 31 May 2013 15:22:37 -0400
Subject: [PATCH] Don't use MMX and SSE registers, they aren't initialized.
GCC 4.8.0 will try to use these by default, and you'll wind up looping
across the (uninitialized!) trap handler for uninitialized instructions.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
Cryptlib/Makefile | 2 +-
Cryptlib/OpenSSL/Makefile | 2 +-
Makefile | 4 ++--
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/Cryptlib/Makefile b/Cryptlib/Makefile
index 925db8d..f1add83 100644
--- a/Cryptlib/Makefile
+++ b/Cryptlib/Makefile
@@ -10,7 +10,7 @@ LIB_GCC = $(shell $(CC) -print-libgcc-file-name)
EFI_LIBS = -lefi -lgnuefi $(LIB_GCC)
CFLAGS = -ggdb -O0 -I. -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
- -Wall $(EFI_INCLUDES) -mno-red-zone
+ -Wall $(EFI_INCLUDES) -mno-red-zone -mno-sse -mno-mmx
ifeq ($(ARCH),x86_64)
CFLAGS += -DEFI_FUNCTION_WRAPPER
endif
diff --git a/Cryptlib/OpenSSL/Makefile b/Cryptlib/OpenSSL/Makefile
index 7fde382..1bae841 100644
--- a/Cryptlib/OpenSSL/Makefile
+++ b/Cryptlib/OpenSSL/Makefile
@@ -9,7 +9,7 @@ EFI_PATH = /usr/lib64/gnuefi
LIB_GCC = $(shell $(CC) -print-libgcc-file-name)
EFI_LIBS = -lefi -lgnuefi $(LIB_GCC)
-CFLAGS = -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc \
+CFLAGS = -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc -mno-mmx -mno-sse \
-Wall $(EFI_INCLUDES) -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -DSIXTY_FOUR_BIT_LONG -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_SHA0 -DOPENSSL_NO_SHA512 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_SMALL_FOOTPRINT -DPEDANTIC -mno-red-zone
ifeq ($(ARCH),x86_64)
CFLAGS += -DEFI_FUNCTION_WRAPPER
diff --git a/Makefile b/Makefile
index 287fbcf..c8f6ec8 100644
--- a/Makefile
+++ b/Makefile
@@ -14,8 +14,8 @@ EFI_LIBS = -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/
EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o
EFI_LDS = $(EFI_PATH)/elf_$(ARCH)_efi.lds
-CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
- -Wall -mno-red-zone \
+CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
+ -fshort-wchar -Wall -mno-red-zone -mno-mmx -mno-sse \
$(EFI_INCLUDES)
ifeq ($(ARCH),x86_64)
CFLAGS += -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI
--
1.8.2.1


@ -1,34 +0,0 @@
From 878dc1a6a76eab7d9fee897ecc978e55e3fc80ed Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 10 Jun 2013 18:08:50 -0400
Subject: [PATCH] Don't use shim_cert for verifying MoK; fedora will do its own
signing.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
shim.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/shim.c b/shim.c
index 94b9710..4edd0b6 100644
--- a/shim.c
+++ b/shim.c
@@ -702,6 +702,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
return status;
}
+#if 0
/*
* Check against the shim build key
*/
@@ -713,6 +714,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
Print(L"Binary is verified by the vendor certificate\n");
return status;
}
+#endif
/*
--
1.8.2.1


@ -1,32 +0,0 @@
From 5a82ef99c8ff146280cb4134d84ee242d3bdb98d Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Thu, 30 May 2013 17:23:19 -0400
Subject: [PATCH] EFI_PXE_BASE_CODE_DHCPV6_PACKET is in gnu-efi-3.0t
---
netboot.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git b/netboot.c a/netboot.c
index c44aeac..90fb9cb 100644
--- b/netboot.c
+++ a/netboot.c
@@ -56,6 +56,15 @@ static EFI_IP_ADDRESS tftp_addr;
static char *full_path;
+/*
+ * Not in the EFI header set yet, so I have to declare it here
+ */
+typedef struct {
+ UINT32 MessageType:8;
+ UINT32 TransactionId:24;
+ UINT8 DhcpOptions[1024];
+} EFI_PXE_BASE_CODE_DHCPV6_PACKET;
+
typedef struct {
UINT16 OpCode;
UINT16 Length;
--
1.8.2.1


@ -1,26 +0,0 @@
From 8f20d5f78a67675ac8920e0ba67581563b921465 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 14 May 2013 13:12:43 -0400
Subject: [PATCH] Fix grub path
Signed-off-by: Peter Jones <shim-owner@fedoraproject.org>
---
shim.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shim.c b/shim.c
index f2b8f1d..d28e0cd 100644
--- a/shim.c
+++ b/shim.c
@@ -43,7 +43,7 @@
#include "shim_cert.h"
#include "ucs2.h"
-#define DEFAULT_LOADER L"\\grub.efi"
+#define DEFAULT_LOADER L"\\grubx64.efi"
#define FALLBACK L"\\fallback.efi"
#define MOK_MANAGER L"\\MokManager.efi"
--
1.8.2.1


@ -1,61 +0,0 @@
From 75593536b4cf1ab5803a45240a90168bc4698573 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 11 Jun 2013 14:58:25 -0400
Subject: [PATCH] Fix some pointer casting issues.
This also fixes the size of an empty vendor_cert or dbx_cert.
Signed-off-by: Peter Jones <shim-owner@fedoraproject.org>
---
cert.S | 2 +-
shim.c | 9 +++++----
2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/cert.S b/cert.S
index 2ed9b6d..66a05b8 100644
--- a/cert.S
+++ b/cert.S
@@ -32,5 +32,5 @@ vendor_cert:
.size vendor_cert_size, 4
.section .vendor_cert, "a", @progbits
vendor_cert_size:
- .long 1
+ .long 0
#endif
diff --git a/shim.c b/shim.c
index 8ffcad6..a573037 100644
--- a/shim.c
+++ b/shim.c
@@ -59,7 +59,7 @@ static UINT32 load_options_size;
*/
extern UINT8 vendor_cert[];
extern UINT32 vendor_cert_size;
-extern EFI_SIGNATURE_LIST *vendor_dbx;
+extern UINT8 vendor_dbx[];
extern UINT32 vendor_dbx_size;
#define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }}
@@ -359,16 +359,17 @@ static EFI_STATUS check_blacklist (WIN_CERTIFICATE_EFI_PKCS *cert,
UINT8 *sha256hash, UINT8 *sha1hash)
{
EFI_GUID secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID;
+ EFI_SIGNATURE_LIST *dbx = (EFI_SIGNATURE_LIST *)vendor_dbx;
- if (check_db_hash_in_ram(vendor_dbx, vendor_dbx_size, sha256hash,
+ if (check_db_hash_in_ram(dbx, vendor_dbx_size, sha256hash,
SHA256_DIGEST_SIZE, EfiHashSha256Guid) ==
DATA_FOUND)
return EFI_ACCESS_DENIED;
- if (check_db_hash_in_ram(vendor_dbx, vendor_dbx_size, sha1hash,
+ if (check_db_hash_in_ram(dbx, vendor_dbx_size, sha1hash,
SHA1_DIGEST_SIZE, EfiHashSha1Guid) ==
DATA_FOUND)
return EFI_ACCESS_DENIED;
- if (check_db_cert_in_ram(vendor_dbx, vendor_dbx_size, cert,
+ if (check_db_cert_in_ram(dbx, vendor_dbx_size, cert,
sha256hash) == DATA_FOUND)
return EFI_ACCESS_DENIED;
--
1.8.2.1


@ -1,54 +0,0 @@
From jwboyer@redhat.com Tue Dec 11 11:12:04 2012
Return-Path: jwboyer@redhat.com
Received: from zmta04.collab.prod.int.phx2.redhat.com (LHLO
zmta04.collab.prod.int.phx2.redhat.com) (10.5.81.11) by
zmail14.collab.prod.int.phx2.redhat.com with LMTP; Tue, 11 Dec 2012
11:12:04 -0500 (EST)
Received: from int-mx02.intmail.prod.int.phx2.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12])
by zmta04.collab.prod.int.phx2.redhat.com (Postfix) with ESMTP id 02F16D0D4D
for <pjones@mail.corp.redhat.com>; Tue, 11 Dec 2012 11:12:04 -0500 (EST)
Received: from hansolo.jdub.homelinux.org ([10.3.113.16])
by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id qBBGC1N7022642
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO);
Tue, 11 Dec 2012 11:12:03 -0500
Date: Tue, 11 Dec 2012 11:12:01 -0500
From: Josh Boyer <jwboyer@redhat.com>
To: pjones@redhat.com
Cc: mjg59@srcf.ucam.org
Subject: [PATCH] Fix SignatureSize field when importing a new cert
Message-ID: <20121211161200.GA999@hansolo.jdub.homelinux.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.21 (2010-09-15)
X-Scanned-By: MIMEDefang 2.67 on 10.5.11.12
Status: RO
Content-Length: 842
Lines: 25
The SignatureSize field should be the length of the certificate plus
16 per the UEFI spec. Remove the extraneous addition of
sizeof(EFI_SIGNATURE_DATA) from the calculation so that certs enrolled
in MokListRT are parsable.
---
src/mokutil.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/mokutil-0.1.0/src/mokutil.c b/mokutil-0.1.0/src/mokutil.c
index ca46488..f94aee4 100644
--- a/mokutil-0.1.0/src/mokutil.c
+++ b/mokutil-0.1.0/src/mokutil.c
@@ -485,8 +485,7 @@ import_moks (char **files, uint32_t total)
CertList->SignatureListSize = sizes[i] +
sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1;
CertList->SignatureHeaderSize = 0;
- CertList->SignatureSize = sizes[i] +
- sizeof(EFI_SIGNATURE_DATA) + 16;
+ CertList->SignatureSize = sizes[i] + 16;
CertData->SignatureOwner = SHIM_LOCK_GUID;
fd = open (files[i], O_RDONLY);
--
1.8.0.1


@ -1,63 +0,0 @@
From d3a9d4e8404e0f402fb371066f0e405ed3cecc29 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg@redhat.com>
Date: Tue, 14 Aug 2012 06:50:00 -0400
Subject: [PATCH] Use the file size, not the image size field, for
verification.
---
shim.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/shim.c b/shim.c
index 2d9044d..6a3c054 100644
--- a/shim.c
+++ b/shim.c
@@ -555,7 +555,7 @@ done:
/*
* Read the binary header and grab appropriate information from it
*/
-static EFI_STATUS read_header(void *data,
+static EFI_STATUS read_header(void *data, unsigned int datasize,
PE_COFF_LOADER_IMAGE_CONTEXT *context)
{
EFI_IMAGE_DOS_HEADER *DosHdr = data;
@@ -590,7 +590,7 @@ static EFI_STATUS read_header(void *data,
context->FirstSection = (EFI_IMAGE_SECTION_HEADER *)((char *)PEHdr + PEHdr->Pe32.FileHeader.SizeOfOptionalHeader + sizeof(UINT32) + sizeof(EFI_IMAGE_FILE_HEADER));
context->SecDir = (EFI_IMAGE_DATA_DIRECTORY *) &PEHdr->Pe32Plus.OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY];
- if (context->SecDir->VirtualAddress >= context->ImageSize) {
+ if (context->SecDir->VirtualAddress >= datasize) {
Print(L"Malformed security header\n");
return EFI_INVALID_PARAMETER;
}
@@ -606,7 +606,8 @@ static EFI_STATUS read_header(void *data,
/*
* Once the image has been loaded it needs to be validated and relocated
*/
-static EFI_STATUS handle_grub (void *data, int datasize, EFI_LOADED_IMAGE *li)
+static EFI_STATUS handle_grub (void *data, unsigned int datasize,
+ EFI_LOADED_IMAGE *li)
{
EFI_STATUS efi_status;
char *buffer;
@@ -615,7 +616,7 @@ static EFI_STATUS handle_grub (void *data, int datasize, EFI_LOADED_IMAGE *li)
char *base, *end;
PE_COFF_LOADER_IMAGE_CONTEXT context;
- efi_status = read_header(data, &context);
+ efi_status = read_header(data, datasize, &context);
if (efi_status != EFI_SUCCESS) {
Print(L"Failed to read header\n");
return efi_status;
@@ -843,7 +844,7 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size)
if (!secure_mode())
return EFI_SUCCESS;
- status = read_header(buffer, &context);
+ status = read_header(buffer, size, &context);
if (status != EFI_SUCCESS)
return status;
--
1.7.11.2


@ -1,129 +0,0 @@
From be817236507a104ec9b0e8be57daab0e2bab40ce Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 13 Aug 2012 17:06:46 -0400
Subject: [PATCH] Allow specification of vendor_cert through a build command
line option.
This allows you to specify the vendor_cert as a file on the command line
during build.
---
Makefile | 16 +++++++++++-----
cert.S | 32 ++++++++++++++++++++++++++++++++
cert.h | 1 -
shim.c | 6 +++---
4 files changed, 46 insertions(+), 9 deletions(-)
create mode 100644 cert.S
delete mode 100644 cert.h
diff --git a/Makefile b/Makefile
index 1e3a020..66b105f 100644
--- a/Makefile
+++ b/Makefile
@@ -14,24 +14,30 @@ EFI_LIBS = -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/
EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o
EFI_LDS = $(EFI_PATH)/elf_$(ARCH)_efi.lds
-
CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
-Wall -mno-red-zone \
$(EFI_INCLUDES)
ifeq ($(ARCH),x86_64)
CFLAGS += -DEFI_FUNCTION_WRAPPER
endif
+ifneq ($(origin VENDOR_CERT_FILE), undefined)
+ CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\"
+endif
+
LDFLAGS = -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH) -L$(LIB_PATH) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS)
-TARGET = shim.efi
-OBJS = shim.o shim.so
-SOURCES = shim.c shim.h signature.h PeImage.h cert.h
+TARGET = shim.efi
+OBJS = shim.o cert.o
+SOURCES = shim.c shim.h signature.h PeImage.h
all: $(TARGET)
shim.o: $(SOURCES)
-shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a
+cert.o : cert.S
+ $(CC) $(CFLAGS) -c -o $@ $<
+
+shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a cert.o
$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)
Cryptlib/libcryptlib.a:
diff --git a/cert.S b/cert.S
new file mode 100644
index 0000000..129bab5
--- /dev/null
+++ b/cert.S
@@ -0,0 +1,32 @@
+#if defined(VENDOR_CERT_FILE)
+ .globl vendor_cert
+ .data
+ .align 16
+ .type vendor_cert, @object
+ .size vendor_cert_size, vendor_cert_size-vendor_cert
+vendor_cert:
+.incbin VENDOR_CERT_FILE
+
+ .globl vendor_cert_size
+ .data
+ .align 16
+ .type vendor_cert_size, @object
+ .size vendor_cert_size, 4
+vendor_cert_size:
+ .long vendor_cert_size - vendor_cert
+#else
+ .globl vendor_cert
+ .bss
+ .type vendor_cert, @object
+ .size vendor_cert, 1
+vendor_cert:
+ .zero 1
+
+ .globl vendor_cert_size
+ .data
+ .align 4
+ .type vendor_cert_size, @object
+ .size vendor_cert_size, 4
+vendor_cert_size:
+ .long 1
+#endif
diff --git a/cert.h b/cert.h
deleted file mode 100644
index 380bc04..0000000
--- a/cert.h
+++ /dev/null
@@ -1 +0,0 @@
-static UINT8 vendor_cert[] = {0x00};
diff --git a/shim.c b/shim.c
index fc3dafc..2d9044d 100644
--- a/shim.c
+++ b/shim.c
@@ -48,8 +48,8 @@ static EFI_STATUS (EFIAPI *entry_point) (EFI_HANDLE image_handle, EFI_SYSTEM_TAB
/*
* The vendor certificate used for validating the second stage loader
*/
-
-#include "cert.h"
+extern UINT8 vendor_cert[];
+extern UINT32 vendor_cert_size;
#define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }}
@@ -535,7 +535,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
if (!AuthenticodeVerify(cert->CertData,
context->SecDir->Size - sizeof(cert->Hdr),
- vendor_cert, sizeof(vendor_cert), hash,
+ vendor_cert, vendor_cert_size, hash,
SHA256_DIGEST_SIZE)) {
Print(L"Invalid signature\n");
status = EFI_ACCESS_DENIED;
--
1.7.11.2


@ -1,17 +1,13 @@
Name: shim Name: shim
Version: 0.4 Version: 0.8
Release: 1%{?dist} Release: 1%{?dist}
Summary: First-stage UEFI bootloader Summary: First-stage UEFI bootloader
License: BSD License: BSD
URL: http://www.codon.org.uk/~mjg59/shim/ URL: http://www.codon.org.uk/~mjg59/shim/
Source0: http://www.codon.org.uk/~mjg59/shim/shim-%{version}.tar.bz2 Source0: https://github.com/mjg59/%{name}/releases/download/%{version}/%{name}-%{version}.tar.bz2
Source1: fedora-ca.cer Source1: fedora-ca.cer
# incorporate mokutil for packaging simplicity
%global mokutilver 0.1.0
Source2: http://www.codon.org.uk/~mjg59/mokutil/mokutil-%{mokutilver}.tar.bz2
# currently here's what's in our dbx: # currently here's what's in our dbx:
# grub2-efi-2.00-11.fc18.x86_64: # grub2-efi-2.00-11.fc18.x86_64:
# grubx64.efi 6ac839881e73504047c06a1aac0c4763408ecb3642783c8acf77a2d393ea5cd7 # grubx64.efi 6ac839881e73504047c06a1aac0c4763408ecb3642783c8acf77a2d393ea5cd7
@ -20,37 +16,23 @@ Source2: http://www.codon.org.uk/~mjg59/mokutil/mokutil-%{mokutilver}.tar.bz2
# grubx64.efi 49ece9a10a9403b32c8e0c892fd9afe24a974323c96f2cc3dd63608754bf9b45 # grubx64.efi 49ece9a10a9403b32c8e0c892fd9afe24a974323c96f2cc3dd63608754bf9b45
# gcdx64.efi 99fcaa957786c155a92b40be9c981c4e4685b8c62b408cb0f6cb2df9c30b9978 # gcdx64.efi 99fcaa957786c155a92b40be9c981c4e4685b8c62b408cb0f6cb2df9c30b9978
# woops. # woops.
Source3: dbx.esl Source2: dbx.esl
# this we'll always need, unless we phase in a rename of our grub binary. BuildRequires: git openssl-devel openssl
Patch0: 0001-Fix-grub-path.patch
# this we won't need in the next version of mokutil
Patch1: mokutil-correct-moklistrt-size.patch
# this needs to be worked on upstream
Patch2: 0001-Don-t-use-shim_cert-for-verifying-MoK-fedora-will-do.patch
# this will go away once a new gnu-efi actually works again
Patch3: 0001-EFI_PXE_BASE_CODE_DHCPV6_PACKET-is-in-gnu-efi-3.0t.patch
# this will go away with shim 0.5
Patch4: 0001-Fix-some-pointer-casting-issues.patch
BuildRequires: gnu-efi git openssl-devel openssl
BuildRequires: pesign >= 0.106-1 BuildRequires: pesign >= 0.106-1
BuildRequires: gnu-efi = 3.0q BuildRequires: gnu-efi = 3.0w
BuildRequires: gnu-efi-devel = 3.0w
# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not # Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
# compatible with SysV (there's no red zone under UEFI) and there isn't a # compatible with SysV (there's no red zone under UEFI) and there isn't a
# POSIX-style C library. # POSIX-style C library.
# BuildRequires: OpenSSL # BuildRequires: OpenSSL
Provides: bundled(openssl) = 0.9.8w Provides: bundled(openssl) = 0.9.8zb
# Shim is only required on platforms implementing the UEFI secure boot # Shim is only required on platforms implementing the UEFI secure boot
# protocol. The only one of those we currently wish to support is 64-bit x86. # protocol. The only one of those we currently wish to support is 64-bit x86.
# Adding further platforms will require adding appropriate relocation code. # Adding further platforms will require adding appropriate relocation code.
ExclusiveArch: x86_64 ExclusiveArch: x86_64 aarch64
# Figure out the right file path to use # Figure out the right file path to use
%if 0%{?rhel} %if 0%{?rhel}
@ -71,32 +53,23 @@ Summary: First-stage UEFI bootloader (unsigned data)
Initial UEFI bootloader that handles chaining to a trusted full bootloader Initial UEFI bootloader that handles chaining to a trusted full bootloader
under secure boot environments. under secure boot environments.
%package -n mokutil
Summary: Utilities for managing Secure Boot/MoK keys.
%description -n mokutil
Utilities for managing the "Machine's Own Keys" list.
%prep %prep
%setup -q -n shim-%{version} %setup -q
%setup -q -a 2 -D -T
git init git init
git config user.email "shim-owner@fedoraproject.org" git config user.email "%{name}-owner@fedoraproject.org"
git config user.name "Fedora Ninjas" git config user.name "Fedora Ninjas"
git add . git add .
git commit -a -q -m "%{version} baseline." git commit -a -q -m "%{version} baseline."
git am %{patches} </dev/null git am %{patches} </dev/null
git config --unset user.email
git config --unset user.name
%build %build
MAKEFLAGS="" MAKEFLAGS=""
if [ -f "%{SOURCE1}" ]; then if [ -f "%{SOURCE1}" ]; then
MAKEFLAGS="VENDOR_CERT_FILE=%{SOURCE1} VENDOR_DBX_FILE=%{SOURCE3}" MAKEFLAGS="VENDOR_CERT_FILE=%{SOURCE1} VENDOR_DBX_FILE=%{SOURCE2}"
fi fi
make ${MAKEFLAGS} shim.efi MokManager.efi fallback.efi make 'DEFAULT_LOADER=\\\\grubx64.efi' ${MAKEFLAGS} shim.efi MokManager.efi fallback.efi
cd mokutil-%{mokutilver}
%configure
make %{?_smp_mflags}
cd ..
%install %install
rm -rf $RPM_BUILD_ROOT rm -rf $RPM_BUILD_ROOT
@ -106,10 +79,7 @@ install -m 0644 shim.efi $RPM_BUILD_ROOT%{_datadir}/shim/shim.efi
install -m 0644 shim.hash $RPM_BUILD_ROOT%{_datadir}/shim/shim.hash install -m 0644 shim.hash $RPM_BUILD_ROOT%{_datadir}/shim/shim.hash
install -m 0644 fallback.efi $RPM_BUILD_ROOT%{_datadir}/shim/fallback.efi install -m 0644 fallback.efi $RPM_BUILD_ROOT%{_datadir}/shim/fallback.efi
install -m 0644 MokManager.efi $RPM_BUILD_ROOT%{_datadir}/shim/MokManager.efi install -m 0644 MokManager.efi $RPM_BUILD_ROOT%{_datadir}/shim/MokManager.efi
cd mokutil-%{mokutilver}
make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install
# now install our .debug files... # now install our .debug files...
cd ..
install -D -d -m 0755 $RPM_BUILD_ROOT/usr/lib/debug/%{_datadir}/shim/ install -D -d -m 0755 $RPM_BUILD_ROOT/usr/lib/debug/%{_datadir}/shim/
install -m 0644 shim.efi.debug $RPM_BUILD_ROOT/usr/lib/debug/%{_datadir}/shim/shim.efi.debug install -m 0644 shim.efi.debug $RPM_BUILD_ROOT/usr/lib/debug/%{_datadir}/shim/shim.efi.debug
install -m 0644 fallback.efi.debug $RPM_BUILD_ROOT/usr/lib/debug/%{_datadir}/shim/fallback.efi.debug install -m 0644 fallback.efi.debug $RPM_BUILD_ROOT/usr/lib/debug/%{_datadir}/shim/fallback.efi.debug
@ -120,11 +90,13 @@ install -m 0644 MokManager.efi.debug $RPM_BUILD_ROOT/usr/lib/debug/%{_datadir}/s
%dir %{_datadir}/shim %dir %{_datadir}/shim
%{_datadir}/shim/* %{_datadir}/shim/*
%files -n mokutil
/usr/bin/mokutil
/usr/share/man/man1/mokutil.1.gz
%changelog %changelog
* Mon Oct 13 2014 Peter Jones <pjones@redhat.com> - 0.8-1
- Update to 0.8
Related: rhbz#1148230
Related: rhbz#1148231
Related: rhbz#1148232
* Tue Jun 11 2013 Peter Jones <pjones@redhat.com> - 0.4-1 * Tue Jun 11 2013 Peter Jones <pjones@redhat.com> - 0.4-1
- Update to 0.4 - Update to 0.4
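Review bot: The `make 'DEFAULT_LOADER=\\\\grubx64.efi'` override added in %build hard-codes the x86_64 second-stage name, yet the same change extends `ExclusiveArch` to aarch64, so an aarch64 shim built from this spec would be told to load `\grubx64.efi` rather than the `grubaa64.efi` that architecture ships; select the name per arch (below) or drop the override entirely if the 0.8 Makefile already derives it from the target architecture. Separately, `Source0` now comes from a GitHub release URL and the only integrity check visible on this page is the MD5 recorded in `sources`; MD5 is not collision-resistant, so a SHA-256 entry (or verification of an upstream signature, if one is published for these tarballs) would be worth adding before this ships signed. Finally, dropping `0001-Don-t-use-shim_cert-for-verifying-MoK-fedora-will-do.patch` removes the `#if 0` around the build-key check in `verify_buffer`, so 0.8's own handling of `shim_cert` now decides whether MokManager/fallback verify against the vendor cert or the ephemeral build key; a one-line spec comment stating which chain is intended would save the next maintainer from re-deriving it.
```spec
# … unchanged: MAKEFLAGS / VENDOR_CERT_FILE setup …
fi
%ifarch aarch64
LOADER=grubaa64.efi
%else
LOADER=grubx64.efi
%endif
make 'DEFAULT_LOADER=\\\\'"${LOADER}" ${MAKEFLAGS} shim.efi MokManager.efi fallback.efi
```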


@ -1,2 +1 @@
485218c423aef15de46d55d6de48c98b mokutil-0.1.0.tar.bz2 af9b5f559d1f9e370ad119c244d0f563 shim-0.8.tar.bz2
8e7c5fe72ca0d911de9c1103a68eb455 shim-0.4.tar.bz2