Compare commits
No commits in common. "rawhide" and "f32" have entirely different histories.
BIN
BOOTARM.CSV
BIN
BOOTARM.CSV
Binary file not shown.
|
@ -3,33 +3,30 @@
|
|||||||
%global vendor_token_str %{expand:%%{nil}%%{?vendor_token_name:-t "%{vendor_token_name}"}}
|
%global vendor_token_str %{expand:%%{nil}%%{?vendor_token_name:-t "%{vendor_token_name}"}}
|
||||||
%global vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}}
|
%global vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}}
|
||||||
|
|
||||||
%global grub_version 2.06~rc1
|
|
||||||
%global fwupd_version 1.5.8
|
|
||||||
|
|
||||||
%global bootcsvaa64 %{expand:%{SOURCE10}}
|
%global bootcsvaa64 %{expand:%{SOURCE10}}
|
||||||
%global bootcsvarm %{expand:%{SOURCE13}}
|
|
||||||
%global bootcsvia32 %{expand:%{SOURCE11}}
|
%global bootcsvia32 %{expand:%{SOURCE11}}
|
||||||
%global bootcsvx64 %{expand:%{SOURCE12}}
|
%global bootcsvx64 %{expand:%{SOURCE12}}
|
||||||
|
#%%global bootcsvarm %%{expand:%%{SOURCE13}}
|
||||||
|
|
||||||
%global shimefiaa64 %{expand:%{SOURCE20}}
|
%global shimefiaa64 %{expand:%{SOURCE20}}
|
||||||
%global shimefiarm %{expand:%{SOURCE23}}
|
|
||||||
%global shimefiia32 %{expand:%{SOURCE21}}
|
%global shimefiia32 %{expand:%{SOURCE21}}
|
||||||
%global shimefix64 %{expand:%{SOURCE22}}
|
%global shimefix64 %{expand:%{SOURCE22}}
|
||||||
|
#%%global shimefiarm %%{expand:%%{SOURCE23}
|
||||||
|
|
||||||
%global shimveraa64 15.6-2
|
%global shimveraa64 15-1.fc28
|
||||||
%global shimverarm 15.4-1.fc34
|
%global shimveria32 15-1.fc28
|
||||||
%global shimveria32 15.6-1
|
%global shimverx64 15-1.fc28
|
||||||
%global shimverx64 15.6-1
|
#%%global shimverarm 15-1.fc28
|
||||||
|
|
||||||
%global shimdiraa64 %{_datadir}/shim/%{shimveraa64}/aa64
|
%global shimdiraa64 %{_datadir}/shim/%{shimveraa64}/aa64
|
||||||
%global shimdirarm %{_datadir}/shim/%{shimverarm}/arm
|
|
||||||
%global shimdiria32 %{_datadir}/shim/%{shimveria32}/ia32
|
%global shimdiria32 %{_datadir}/shim/%{shimveria32}/ia32
|
||||||
%global shimdirx64 %{_datadir}/shim/%{shimverx64}/x64
|
%global shimdirx64 %{_datadir}/shim/%{shimverx64}/x64
|
||||||
|
#%%global shimdirarm %%{_datadir}/shim/%%{shimverarm}/arm
|
||||||
|
|
||||||
%global unsignedaa64 shim-unsigned-aarch64
|
%global unsignedaa64 shim-unsigned-aarch64
|
||||||
%global unsignedarm shim-unsigned-arm
|
|
||||||
%global unsignedia32 shim-unsigned-ia32
|
%global unsignedia32 shim-unsigned-ia32
|
||||||
%global unsignedx64 shim-unsigned-x64
|
%global unsignedx64 shim-unsigned-x64
|
||||||
|
#%%global unsignedarm shim-unsigned-arm
|
||||||
|
|
||||||
%global bootcsv %{expand:%{bootcsv%{efi_arch}}}
|
%global bootcsv %{expand:%{bootcsv%{efi_arch}}}
|
||||||
%global bootcsvalt %{expand:%{bootcsv%{?efi_alt_arch}}}
|
%global bootcsvalt %{expand:%{bootcsv%{?efi_alt_arch}}}
|
||||||
@ -47,12 +44,10 @@
|
|||||||
%define define_pkg(a:p:) \
|
%define define_pkg(a:p:) \
|
||||||
%{expand:%%package -n shim-%{-a*}} \
|
%{expand:%%package -n shim-%{-a*}} \
|
||||||
Summary: First-stage UEFI bootloader \
|
Summary: First-stage UEFI bootloader \
|
||||||
Requires: mokutil >= 1:0.3.0-15 \
|
Requires: mokutil >= 1:0.2.0-1 \
|
||||||
Requires: efi-filesystem \
|
Requires: efi-filesystem \
|
||||||
Provides: shim-signed-%{-a*} = %{version}-%{release} \
|
Provides: shim-signed-%{-a*} = %{version}-%{release} \
|
||||||
Conflicts: fwupd < %{fwupd_version} \
|
Requires: dbxtool >= 0.6-3 \
|
||||||
Requires: grub2-efi-%{-a*} >= %{grub_version} \
|
|
||||||
Conflicts: grub2-efi-%{-a*} < %{grub_version} \
|
|
||||||
%{expand:%%if 0%%{-p*} \
|
%{expand:%%if 0%%{-p*} \
|
||||||
Provides: shim = %{version}-%{release} \
|
Provides: shim = %{version}-%{release} \
|
||||||
Provides: shim-signed = %{version}-%{release} \
|
Provides: shim-signed = %{version}-%{release} \
|
||||||
@ -112,7 +107,7 @@ if [ "%{-b*}" = "yes" ]; then \
|
|||||||
%{expand:%%distrosign -b shim -a %{-a*} -d %{-d*}} \
|
%{expand:%%distrosign -b shim -a %{-a*} -d %{-d*}} \
|
||||||
mv shim%{-a*}-signed.efi shim%{-a*}-%{efi_vendor}.efi \
|
mv shim%{-a*}-signed.efi shim%{-a*}-%{efi_vendor}.efi \
|
||||||
fi \
|
fi \
|
||||||
if [ "%{-c*}" = "no" ] && [ "%{-b*}" = "yes" ]; then \
|
if [ "%{-c*}" = "no" ]; then \
|
||||||
cp shim%{-a*}-%{efi_vendor}.efi shim%{-a*}.efi \
|
cp shim%{-a*}-%{efi_vendor}.efi shim%{-a*}.efi \
|
||||||
fi \
|
fi \
|
||||||
%{expand:%%distrosign -b mm -a %{-a*} -d %{-d*}} \
|
%{expand:%%distrosign -b mm -a %{-a*} -d %{-d*}} \
|
||||||
@ -131,6 +126,8 @@ rm -vf \\\
|
|||||||
%define do_install(a:A:b:) \
|
%define do_install(a:A:b:) \
|
||||||
install -m 0700 shim%{-a*}.efi \\\
|
install -m 0700 shim%{-a*}.efi \\\
|
||||||
$RPM_BUILD_ROOT%{efi_esp_dir}/shim%{-a*}.efi \
|
$RPM_BUILD_ROOT%{efi_esp_dir}/shim%{-a*}.efi \
|
||||||
|
install -m 0700 shim%{-a*}-%{efi_vendor}.efi \\\
|
||||||
|
$RPM_BUILD_ROOT%{efi_esp_dir}/shim%{-a*}-%{efi_vendor}.efi \
|
||||||
install -m 0700 mm%{-a*}.efi \\\
|
install -m 0700 mm%{-a*}.efi \\\
|
||||||
$RPM_BUILD_ROOT%{efi_esp_dir}/mm%{-a*}.efi \
|
$RPM_BUILD_ROOT%{efi_esp_dir}/mm%{-a*}.efi \
|
||||||
install -m 0700 %{-b*} \\\
|
install -m 0700 %{-b*} \\\
|
||||||
@ -153,7 +150,7 @@ install -m 0700 fb%{-a*}.efi \\\
|
|||||||
|
|
||||||
%ifarch x86_64
|
%ifarch x86_64
|
||||||
%global is_signed yes
|
%global is_signed yes
|
||||||
%global is_alt_signed no
|
%global is_alt_signed yes
|
||||||
%global provide_legacy_shim 1
|
%global provide_legacy_shim 1
|
||||||
%endif
|
%endif
|
||||||
%ifarch aarch64
|
%ifarch aarch64
|
||||||
|
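Review bot: The new guard `if [ "%{-c*}" = "no" ]; then \` in the signing step copies `shim%{-a*}-%{efi_vendor}.efi` to `shim%{-a*}.efi` without checking `-b`, yet the only visible producer of that vendor-named file is the `mv` inside the `if [ "%{-b*}" = "yes" ]` branch named in the hunk header. Both `%define_build` calls on this side of shim.spec pass `-b yes`, so the build works today, but a caller passing `-b no -c no` would reach the `cp` with no signed file to copy. Keeping the second test makes the dependency explicit: `if [ "%{-c*}" = "no" ] && [ "%{-b*}" = "yes" ]; then \`. The macro body starts and ends outside the hunk, so an earlier producer of the file cannot be ruled out from this view.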
62
shim.spec
62
shim.spec
@ -4,22 +4,21 @@
|
|||||||
%global dist %{expand:%%{_dist}}
|
%global dist %{expand:%%{_dist}}
|
||||||
|
|
||||||
Name: shim
|
Name: shim
|
||||||
Version: 15.6
|
Version: 15
|
||||||
Release: 2%{?dist}
|
Release: 8%{?dist}
|
||||||
Summary: First-stage UEFI bootloader
|
Summary: First-stage UEFI bootloader
|
||||||
License: BSD-3-Clause
|
License: BSD
|
||||||
URL: https://github.com/rhboot/shim/
|
URL: https://github.com/rhboot/shim/
|
||||||
BuildRequires: efi-filesystem
|
BuildRequires: efi-filesystem
|
||||||
BuildRequires: efi-srpm-macros >= 5-1
|
BuildRequires: efi-srpm-macros >= 3-2
|
||||||
|
|
||||||
ExclusiveArch: %{efi}
|
ExclusiveArch: %{efi}
|
||||||
# but we don't build a .i686 package, just a shim-ia32.x86_64 package
|
# but we don't build a .i686 package, just a shim-ia32.x86_64 package
|
||||||
ExcludeArch: %{ix86}
|
ExcludeArch: %{ix86}
|
||||||
# but we don't build a .arm package, just a shim-arm.aarch64 package
|
# and we don't have shim-unsigned-arm builds *yet*
|
||||||
ExcludeArch: %{arm}
|
ExcludeArch: %{arm}
|
||||||
|
|
||||||
Source0: shim.rpmmacros
|
Source0: shim.rpmmacros
|
||||||
Source1: shim.conf
|
|
||||||
|
|
||||||
# keep these two lists of sources synched up arch-wise. That is 0 and 10
|
# keep these two lists of sources synched up arch-wise. That is 0 and 10
|
||||||
# match, 1 and 11 match, ...
|
# match, 1 and 11 match, ...
|
||||||
@ -46,8 +45,10 @@ BuildRequires: %{unsignedia32} = %{shimveria32}
|
|||||||
%endif
|
%endif
|
||||||
%ifarch aarch64
|
%ifarch aarch64
|
||||||
BuildRequires: %{unsignedaa64} = %{shimveraa64}
|
BuildRequires: %{unsignedaa64} = %{shimveraa64}
|
||||||
#BuildRequires: %% {unsignedarm} = %% {shimverarm}
|
|
||||||
%endif
|
%endif
|
||||||
|
#%%ifarch arm
|
||||||
|
#BuildRequires: %%{unsignedarm} = %%{shimverarm}
|
||||||
|
#%%endif
|
||||||
|
|
||||||
%description
|
%description
|
||||||
Initial UEFI bootloader that handles chaining to a trusted full bootloader
|
Initial UEFI bootloader that handles chaining to a trusted full bootloader
|
||||||
@ -68,9 +69,9 @@ mkdir shim-%{version}
|
|||||||
|
|
||||||
cd shim-%{version}
|
cd shim-%{version}
|
||||||
%if %{efi_has_alt_arch}
|
%if %{efi_has_alt_arch}
|
||||||
%define_build -a %{efi_alt_arch} -A %{efi_alt_arch_upper} -i %{shimefialt} -b no -c %{is_alt_signed} -d %{shimdiralt}
|
%define_build -a %{efi_alt_arch} -A %{efi_alt_arch_upper} -i %{shimefialt} -b yes -c %{is_alt_signed} -d %{shimdiralt}
|
||||||
%endif
|
%endif
|
||||||
%define_build -a %{efi_arch} -A %{efi_arch_upper} -i %{shimefi} -b no -c %{is_signed} -d %{shimdir}
|
%define_build -a %{efi_arch} -A %{efi_arch_upper} -i %{shimefi} -b yes -c %{is_signed} -d %{shimdir}
|
||||||
|
|
||||||
%install
|
%install
|
||||||
rm -rf $RPM_BUILD_ROOT
|
rm -rf $RPM_BUILD_ROOT
|
||||||
@ -89,8 +90,6 @@ install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_boot}/
|
|||||||
%if %{provide_legacy_shim}
|
%if %{provide_legacy_shim}
|
||||||
install -m 0700 %{shimefi} $RPM_BUILD_ROOT%{efi_esp_dir}/shim.efi
|
install -m 0700 %{shimefi} $RPM_BUILD_ROOT%{efi_esp_dir}/shim.efi
|
||||||
%endif
|
%endif
|
||||||
install -D -d -m 0755 $RPM_BUILD_ROOT%{_sysconfdir}/dnf/protected.d/
|
|
||||||
install -m 0644 %{SOURCE1} $RPM_BUILD_ROOT%{_sysconfdir}/dnf/protected.d/
|
|
||||||
|
|
||||||
( cd $RPM_BUILD_ROOT ; find .%{efi_esp_root} -type f ) \
|
( cd $RPM_BUILD_ROOT ; find .%{efi_esp_root} -type f ) \
|
||||||
| sed -e 's/\./\^/' -e 's,^\\\./,.*/,' -e 's,$,$,' > %{__brp_mangle_shebangs_exclude_from_file}
|
| sed -e 's/\./\^/' -e 's,^\\\./,.*/,' -e 's,$,$,' > %{__brp_mangle_shebangs_exclude_from_file}
|
||||||
@ -99,52 +98,11 @@ install -m 0644 %{SOURCE1} $RPM_BUILD_ROOT%{_sysconfdir}/dnf/protected.d/
|
|||||||
%if %{provide_legacy_shim}
|
%if %{provide_legacy_shim}
|
||||||
%{efi_esp_dir}/shim.efi
|
%{efi_esp_dir}/shim.efi
|
||||||
%endif
|
%endif
|
||||||
%{_sysconfdir}/dnf/protected.d/shim.conf
|
|
||||||
|
|
||||||
%if %{efi_has_alt_arch}
|
%if %{efi_has_alt_arch}
|
||||||
%define_files -a %{efi_alt_arch} -A %{efi_alt_arch_upper}
|
%define_files -a %{efi_alt_arch} -A %{efi_alt_arch_upper}
|
||||||
%{_sysconfdir}/dnf/protected.d/shim.conf
|
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Thu Jul 07 2022 Robbie Harwood <rharwood@redhat.com> - 15.6-2
|
|
||||||
- Update aarch64 (only) with relocation fixes
|
|
||||||
- Resolves: #2101248
|
|
||||||
|
|
||||||
* Wed Jun 15 2022 Peter Jones <pjones@redhat.com> - 15.6-1
|
|
||||||
- Update to shim-15.6
|
|
||||||
Resolves: CVE-2022-28737
|
|
||||||
|
|
||||||
* Wed May 05 2021 Javier Martinez Canillas <javierm@redhat.com> - 15.4-5
|
|
||||||
- Bump release to build for F35
|
|
||||||
|
|
||||||
* Wed Apr 21 2021 Javier Martinez Canillas <javierm@redhat.com> - 15.4-4
|
|
||||||
- Fix handling of ignore_db and user_insecure_mode (pjones)
|
|
||||||
- Fix booting on pre-UEFI Macs (pjones)
|
|
||||||
- Fix mok variable storage allocation region (glin)
|
|
||||||
Resolves: rhbz#1948432
|
|
||||||
- Fix the package version in the .sbat data (pjones)
|
|
||||||
|
|
||||||
* Tue Apr 06 2021 Peter Jones <pjones@redhat.com> - 15.4-3
|
|
||||||
- Mark signed shim packages as protected in dnf.
|
|
||||||
Resolves: rhbz#1874541
|
|
||||||
- Conflict with older fwupd, but don't require it.
|
|
||||||
Resolves: rhbz#1877751
|
|
||||||
|
|
||||||
* Tue Apr 06 2021 Peter Jones <pjones@redhat.com> - 15.4-2
|
|
||||||
- Update to shim 15.4
|
|
||||||
- Support for revocations via the ".sbat" section and SBAT EFI variable
|
|
||||||
- A new unit test framework and a bunch of unit tests
|
|
||||||
- No external gnu-efi dependency
|
|
||||||
- Better CI
|
|
||||||
Resolves: CVE-2020-14372
|
|
||||||
Resolves: CVE-2020-25632
|
|
||||||
Resolves: CVE-2020-25647
|
|
||||||
Resolves: CVE-2020-27749
|
|
||||||
Resolves: CVE-2020-27779
|
|
||||||
Resolves: CVE-2021-20225
|
|
||||||
Resolves: CVE-2021-20233
|
|
||||||
|
|
||||||
* Tue Oct 02 2018 Peter Jones <pjones@redhat.com> - 15-8
|
* Tue Oct 02 2018 Peter Jones <pjones@redhat.com> - 15-8
|
||||||
- Build a -8 because I can't tag -7 into f30 for pretty meh reasons.
|
- Build a -8 because I can't tag -7 into f30 for pretty meh reasons.
|
||||||
|
|
||||||
|
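Review bot: `Version: 15` with a changelog that stops at 15-8 means this side packages signed shim binaries that predate the releases the other side's changelog records as adding `.sbat` revocation support (15.4) and resolving CVE-2022-28737 (15.6). If this branch can still produce shipped builds, that gap deserves an explicit decision rather than falling out of the divergent histories; a comment next to the version, e.g. `# shim 15: no SBAT revocation, CVE-2022-28737 unfixed - rebase before shipping`, would make it visible. This side also has no `Source1: shim.conf` and no `%{_sysconfdir}/dnf/protected.d/shim.conf` entry in the file list, so dnf is not told to protect the signed shim from removal; those lines look safe to carry over independently of the version. Both `%define_build` calls here pass `-b yes`, so it is worth confirming which certificate `%distrosign` picks up in the build environment, given that the macros fall back to `-c "Red Hat Test Certificate"` when `vendor_cert_nickname` is unset.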
6
sources
6
sources
@ -1,3 +1,3 @@
|
|||||||
SHA512 (shimx64.efi) = 06488f3f5daf09b3e37e160721e9bf4c68a3ea17dcd19fad7dd1d7edbcf4c218a5b6264e7780bef46e400213459c1a8c9a0c4c1c48f7fe5d7b55b868dbdc3823
|
SHA512 (shimia32.efi) = e249199f91a97ea13554a1f0aa6eb4df228b3d604487dabb83e53172b79765015e3eb593c488a8edd24ec618fe4943313708405383cc28ae436ec48202d6300b
|
||||||
SHA512 (shimia32.efi) = 8241bed8c3e2789741da15e265efb6a1d35d02c4ffbfd21428910c9e366575137a3d9d0c73aa10e62d59d81a98496668a05c5ac7f18a677ccb54e884db48f507
|
SHA512 (shimx64.efi) = 52e08b6e1686b19fea9e8f8d8ca51d22bba252467ceaf6db6ead8dd2dca4a0b0b02e547e50ddf1cdee225b8785f8514f6baa846bdf1ea0bf994e772daf70f2c3
|
||||||
SHA512 (shimaa64.efi) = b2b77ebbdeda9f9110dd9a6ef4ad15ae57b53ce01ef5c912163159226dc39d5ed35e0dbcfa46dc8ab9f714b63aaea52cd42746aa54155313b43dd27dd57a62f5
|
SHA512 (shimaa64.efi) = 39aec528ac1999a980a2989089e12d5765a0a28f4452d22a7e325c3fb11ab48417a76d4eb2246963e72ab3166e2905ebf04637ee7977dc083253c7129fa0d672
|
||||||
|