

3 Commits
rawhide ... f34

Javier Martinez Canillas
ccdcfcf569
A few fixes for 15.4
- Fix handling of ignore_db and user_insecure_mode (pjones)
- Fix booting on pre-UEFI Macs (pjones)
- Fix mok variable storage allocation region (glin)
  Resolves: rhbz#1948432
- Fix the package version in the .sbat data (pjones)

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-04-21 10:26:02 +02:00
Peter Jones
50b14368ca Minor updates to fix some minor bugs.
- Mark signed shim packages as protected in dnf.
  Resolves: rhbz#1874541
- Conflict with older fwupd, but don't require it.
  Resolves: rhbz#1877751

Signed-off-by: Peter Jones <pjones@redhat.com>
2021-04-06 15:33:14 -04:00
Peter Jones
02b8dece19 Update to shim 15.4
- Support for revocations via the ".sbat" section and SBAT EFI variable
- A new unit test framework and a bunch of unit tests
- No external gnu-efi dependency
- Better CI
- No more "shim*-fedora.efi", as a second safety to avoid system vendors
  setting up the scenario for CVE-2020-15705
- enable (unsigned) arm v6 building as an aarch64 subpackage.

Resolves: CVE-2020-14372
Resolves: CVE-2020-25632
Resolves: CVE-2020-25647
Resolves: CVE-2020-27749
Resolves: CVE-2020-27779
Resolves: CVE-2021-20225
Resolves: CVE-2021-20233

Signed-off-by: Peter Jones <pjones@redhat.com>
2021-04-06 12:56:30 -04:00
5 changed files with 66 additions and 27 deletions

BOOTARM.CSV Normal file

1 shimarm.efi Fedora This is the boot entry for Fedora

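--- a/shim.conf
+++ b/shim.conf
@@ -0,0 +1,4 @@
+shim-aa64
+shim-arm
+shim-ia32
+shim-x64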


@ -3,30 +3,33 @@
%global vendor_token_str %{expand:%%{nil}%%{?vendor_token_name:-t "%{vendor_token_name}"}}
%global vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}}
%global grub_version 2.06~rc1
%global fwupd_version 1.5.8
%global bootcsvaa64 %{expand:%{SOURCE10}}
%global bootcsvarm %{expand:%{SOURCE13}}
%global bootcsvia32 %{expand:%{SOURCE11}}
%global bootcsvx64 %{expand:%{SOURCE12}}
#%%global bootcsvarm %%{expand:%%{SOURCE13}}
%global shimefiaa64 %{expand:%{SOURCE20}}
%global shimefiarm %{expand:%{SOURCE23}}
%global shimefiia32 %{expand:%{SOURCE21}}
%global shimefix64 %{expand:%{SOURCE22}}
#%%global shimefiarm %%{expand:%%{SOURCE23}
%global shimveraa64 15-1.fc28
%global shimveria32 15-1.fc28
%global shimverx64 15-1.fc28
#%%global shimverarm 15-1.fc28
%global shimveraa64 15.4-1.fc34
%global shimverarm 15.4-1.fc34
%global shimveria32 15.4-5.fc33
%global shimverx64 15.4-5.fc33
%global shimdiraa64 %{_datadir}/shim/%{shimveraa64}/aa64
%global shimdirarm %{_datadir}/shim/%{shimverarm}/arm
%global shimdiria32 %{_datadir}/shim/%{shimveria32}/ia32
%global shimdirx64 %{_datadir}/shim/%{shimverx64}/x64
#%%global shimdirarm %%{_datadir}/shim/%%{shimverarm}/arm
%global unsignedaa64 shim-unsigned-aarch64
%global unsignedarm shim-unsigned-arm
%global unsignedia32 shim-unsigned-ia32
%global unsignedx64 shim-unsigned-x64
#%%global unsignedarm shim-unsigned-arm
%global bootcsv %{expand:%{bootcsv%{efi_arch}}}
%global bootcsvalt %{expand:%{bootcsv%{?efi_alt_arch}}}
@ -44,10 +47,12 @@
%define define_pkg(a:p:) \
%{expand:%%package -n shim-%{-a*}} \
Summary: First-stage UEFI bootloader \
Requires: mokutil >= 1:0.2.0-1 \
Requires: mokutil >= 1:0.3.0-15 \
Requires: efi-filesystem \
Provides: shim-signed-%{-a*} = %{version}-%{release} \
Requires: dbxtool >= 0.6-3 \
Conflicts: fwupd < %{fwupd_version} \
Requires: grub2-efi-%{-a*} >= %{grub_version} \
Conflicts: grub2-efi-%{-a*} < %{grub_version} \
%{expand:%%if 0%%{-p*} \
Provides: shim = %{version}-%{release} \
Provides: shim-signed = %{version}-%{release} \
@ -107,7 +112,7 @@ if [ "%{-b*}" = "yes" ]; then \
%{expand:%%distrosign -b shim -a %{-a*} -d %{-d*}} \
mv shim%{-a*}-signed.efi shim%{-a*}-%{efi_vendor}.efi \
fi \
if [ "%{-c*}" = "no" ]; then \
if [ "%{-c*}" = "no" ] && [ "%{-b*}" = "yes" ]; then \
cp shim%{-a*}-%{efi_vendor}.efi shim%{-a*}.efi \
fi \
%{expand:%%distrosign -b mm -a %{-a*} -d %{-d*}} \
@ -126,8 +131,6 @@ rm -vf \\\
%define do_install(a:A:b:) \
install -m 0700 shim%{-a*}.efi \\\
$RPM_BUILD_ROOT%{efi_esp_dir}/shim%{-a*}.efi \
install -m 0700 shim%{-a*}-%{efi_vendor}.efi \\\
$RPM_BUILD_ROOT%{efi_esp_dir}/shim%{-a*}-%{efi_vendor}.efi \
install -m 0700 mm%{-a*}.efi \\\
$RPM_BUILD_ROOT%{efi_esp_dir}/mm%{-a*}.efi \
install -m 0700 %{-b*} \\\
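Review bot: The changed guard `if [ "%{-c*}" = "no" ] && [ "%{-b*}" = "yes" ]; then` only copies shim%{-a*}-%{efi_vendor}.efi to shim%{-a*}.efi when `-b yes`, but both %define_build invocations in the spec of this same series now pass `-b no`, so the entire vendor-signed shim path in this hunk (distrosign of shim, the mv, the cp) is unreachable from this package while `%distrosign -b mm` still runs unconditionally; where shim%{-a*}.efi comes from in the `-b no` case is outside the hunk, presumably the `-i` input used as-is. Either drop the `-b` option or record the intent next to the guard, e.g. `# -b yes only applies when the spec still ships shim%{-a*}-%{efi_vendor}.efi; this package now passes -b no`. The do_install hunk below removes the matching install of the %{efi_vendor} file, which is consistent with the "no more shim*-fedora.efi" change in the commit message. The define_build macro starts before this hunk.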


@ -4,21 +4,22 @@
%global dist %{expand:%%{_dist}}
Name: shim
Version: 15
Release: 8%{?dist}
Version: 15.4
Release: 4%{?dist}
Summary: First-stage UEFI bootloader
License: BSD
URL: https://github.com/rhboot/shim/
BuildRequires: efi-filesystem
BuildRequires: efi-srpm-macros >= 3-2
BuildRequires: efi-srpm-macros >= 5-1
ExclusiveArch: %{efi}
# but we don't build a .i686 package, just a shim-ia32.x86_64 package
ExcludeArch: %{ix86}
# and we don't have shim-unsigned-arm builds *yet*
# but we don't build a .arm package, just a shim-arm.aarch64 package
ExcludeArch: %{arm}
Source0: shim.rpmmacros
Source1: shim.conf
# keep these two lists of sources synched up arch-wise. That is 0 and 10
# match, 1 and 11 match, ...
@ -28,8 +29,8 @@ Source11: BOOTIA32.CSV
Source21: shimia32.efi
Source12: BOOTX64.CSV
Source22: shimx64.efi
#Source13: BOOTARM.CSV
#Source23: shimarm.efi
Source13: BOOTARM.CSV
Source23: shimarm.efi
%include %{SOURCE0}
@ -45,10 +46,8 @@ BuildRequires: %{unsignedia32} = %{shimveria32}
%endif
%ifarch aarch64
BuildRequires: %{unsignedaa64} = %{shimveraa64}
BuildRequires: %{unsignedarm} = %{shimverarm}
%endif
#%%ifarch arm
#BuildRequires: %%{unsignedarm} = %%{shimverarm}
#%%endif
%description
Initial UEFI bootloader that handles chaining to a trusted full bootloader
@ -69,9 +68,9 @@ mkdir shim-%{version}
cd shim-%{version}
%if %{efi_has_alt_arch}
%define_build -a %{efi_alt_arch} -A %{efi_alt_arch_upper} -i %{shimefialt} -b yes -c %{is_alt_signed} -d %{shimdiralt}
%define_build -a %{efi_alt_arch} -A %{efi_alt_arch_upper} -i %{shimefialt} -b no -c %{is_alt_signed} -d %{shimdiralt}
%endif
%define_build -a %{efi_arch} -A %{efi_arch_upper} -i %{shimefi} -b yes -c %{is_signed} -d %{shimdir}
%define_build -a %{efi_arch} -A %{efi_arch_upper} -i %{shimefi} -b no -c %{is_signed} -d %{shimdir}
%install
rm -rf $RPM_BUILD_ROOT
@ -90,6 +89,8 @@ install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_boot}/
%if %{provide_legacy_shim}
install -m 0700 %{shimefi} $RPM_BUILD_ROOT%{efi_esp_dir}/shim.efi
%endif
install -D -d -m 0755 $RPM_BUILD_ROOT%{_sysconfdir}/dnf/protected.d/
install -m 0644 %{SOURCE1} $RPM_BUILD_ROOT%{_sysconfdir}/dnf/protected.d/
( cd $RPM_BUILD_ROOT ; find .%{efi_esp_root} -type f ) \
| sed -e 's/\./\^/' -e 's,^\\\./,.*/,' -e 's,$,$,' > %{__brp_mangle_shebangs_exclude_from_file}
@ -98,11 +99,41 @@ install -m 0700 %{shimefi} $RPM_BUILD_ROOT%{efi_esp_dir}/shim.efi
%if %{provide_legacy_shim}
%{efi_esp_dir}/shim.efi
%endif
%{_sysconfdir}/dnf/protected.d/shim.conf
%if %{efi_has_alt_arch}
%define_files -a %{efi_alt_arch} -A %{efi_alt_arch_upper}
%{_sysconfdir}/dnf/protected.d/shim.conf
%endif
%changelog
* Wed Apr 21 2021 Javier Martinez Canillas <javierm@redhat.com> - 15.4-4
- Fix handling of ignore_db and user_insecure_mode (pjones)
- Fix booting on pre-UEFI Macs (pjones)
- Fix mok variable storage allocation region (glin)
Resolves: rhbz#1948432
- Fix the package version in the .sbat data (pjones)
* Tue Apr 06 2021 Peter Jones <pjones@redhat.com> - 15.4-3
- Mark signed shim packages as protected in dnf.
Resolves: rhbz#1874541
- Conflict with older fwupd, but don't require it.
Resolves: rhbz#1877751
* Tue Apr 06 2021 Peter Jones <pjones@redhat.com> - 15.4-2
- Update to shim 15.4
- Support for revocations via the ".sbat" section and SBAT EFI variable
- A new unit test framework and a bunch of unit tests
- No external gnu-efi dependency
- Better CI
Resolves: CVE-2020-14372
Resolves: CVE-2020-25632
Resolves: CVE-2020-25647
Resolves: CVE-2020-27749
Resolves: CVE-2020-27779
Resolves: CVE-2021-20225
Resolves: CVE-2021-20233
* Tue Oct 02 2018 Peter Jones <pjones@redhat.com> - 15-8
- Build a -8 because I can't tag -7 into f30 for pretty meh reasons.
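Review bot: The %changelog entry for 15.4-2 omits two bullets that the commit message carries and that the spec hunks here implement (the `-b no` on both %define_build calls, Source13/Source23 and %{unsignedarm} on aarch64): the removal of shim*-fedora.efi as a second safety against the CVE-2020-15705 scenario, and the unsigned arm v6 build as an aarch64 subpackage; since the changelog is what ships in the package, it should carry them, e.g. `- No more "shim*-fedora.efi", as a second safety to avoid system vendors setting up the scenario for CVE-2020-15705` and `- enable (unsigned) arm v6 building as an aarch64 subpackage`. Separately, `%{_sysconfdir}/dnf/protected.d/shim.conf` is listed once after the primary files and again inside the `%if %{efi_has_alt_arch}` block after %define_files; if %define_files opens a per-arch %files section, that is presumably intentional so either signed subpackage keeps the dnf protection on its own, and a one-line comment such as `# shim.conf is owned by every signed shim-* package so dnf protects whichever is installed` would make the shared ownership explicit.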


@ -1,3 +1,4 @@
SHA512 (shimia32.efi) = e249199f91a97ea13554a1f0aa6eb4df228b3d604487dabb83e53172b79765015e3eb593c488a8edd24ec618fe4943313708405383cc28ae436ec48202d6300b
SHA512 (shimx64.efi) = 52e08b6e1686b19fea9e8f8d8ca51d22bba252467ceaf6db6ead8dd2dca4a0b0b02e547e50ddf1cdee225b8785f8514f6baa846bdf1ea0bf994e772daf70f2c3
SHA512 (shimaa64.efi) = 39aec528ac1999a980a2989089e12d5765a0a28f4452d22a7e325c3fb11ab48417a76d4eb2246963e72ab3166e2905ebf04637ee7977dc083253c7129fa0d672
SHA512 (shimx64.efi) = 7ceea9899f41ccd6a2d792af064ba3e7c52c575a951730b4bcd220b4e288857912c5600d977317f2bd444b66871bf78975041fa4db183f99df349c8981e3c8c9
SHA512 (shimia32.efi) = dbbc66538e192eeed6e0306a1384f2508a4dc4572213ed7ad3f03db58d7f48b314e1f6dcc6396735fe24e624a84e9151d720f2085404c60d075bbe982240de4a
SHA512 (shimaa64.efi) = 8888af983c5b5293db092aac1b6339d775fef79c28054c25a1e8e3fe4f2b28b31b672fcc07d29e4dbfdcdfc2493103c6c5a1a9d50cb4d4539d66ce7395b33913
SHA512 (shimarm.efi) = c5ccb61fd3e0ea80076795052e069c4645e7a17dc28360cd0f914ad200fce73434135acf36d905594fd0993fa41e6ee80ecebda546a6a1a5ad3372e75cb1635b