shim/shim.spec
2013-06-11 15:13:49 -04:00

159 lines
5.1 KiB
RPMSpec

Name: shim
Version: 0.4
Release: 1%{?dist}
Summary: First-stage UEFI bootloader
License: BSD
URL: http://www.codon.org.uk/~mjg59/shim/
Source0: http://www.codon.org.uk/~mjg59/shim/shim-%{version}.tar.bz2
Source1: fedora-ca.cer
# incorporate mokutil for packaging simplicity
%global mokutilver 0.1.0
Source2: http://www.codon.org.uk/~mjg59/mokutil/mokutil-%{mokutilver}.tar.bz2
# currently here's what's in our dbx:
# grub2-efi-2.00-11.fc18.x86_64:
# grubx64.efi 6ac839881e73504047c06a1aac0c4763408ecb3642783c8acf77a2d393ea5cd7
# gcdx64.efi 065cd63bab696ad2f4732af9634d66f2c0d48f8a3134b8808750d378550be151
# grub2-efi-2.00-11.fc19.x86_64:
# grubx64.efi 49ece9a10a9403b32c8e0c892fd9afe24a974323c96f2cc3dd63608754bf9b45
# gcdx64.efi 99fcaa957786c155a92b40be9c981c4e4685b8c62b408cb0f6cb2df9c30b9978
# woops.
Source3: dbx.esl
# this we'll always need, unless we phase in a rename of our grub binary.
Patch0: 0001-Fix-grub-path.patch
# this we won't need in the next version of mokutil
Patch1: mokutil-correct-moklistrt-size.patch
# this needs to be worked on upstream
Patch2: 0001-Don-t-use-shim_cert-for-verifying-MoK-fedora-will-do.patch
# this will go away once a new gnu-efi actually works again
Patch3: 0001-EFI_PXE_BASE_CODE_DHCPV6_PACKET-is-in-gnu-efi-3.0t.patch
# this will go away with shim 0.5
Patch4: 0001-Fix-some-pointer-casting-issues.patch
BuildRequires: gnu-efi git openssl-devel openssl
BuildRequires: pesign >= 0.106-1
BuildRequires: gnu-efi = 3.0q
# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
# compatible with SysV (there's no red zone under UEFI) and there isn't a
# POSIX-style C library.
# BuildRequires: OpenSSL
Provides: bundled(openssl) = 0.9.8w
# Shim is only required on platforms implementing the UEFI secure boot
# protocol. The only one of those we currently wish to support is 64-bit x86.
# Adding further platforms will require adding appropriate relocation code.
ExclusiveArch: x86_64
# Figure out the right file path to use
%if 0%{?rhel}
%global efidir redhat
%endif
%if 0%{?fedora}
%global efidir fedora
%endif
%description
Initial UEFI bootloader that handles chaining to a trusted full bootloader
under secure boot environments.
%package -n shim-unsigned
Summary: First-stage UEFI bootloader (unsigned data)
%description -n shim-unsigned
Initial UEFI bootloader that handles chaining to a trusted full bootloader
under secure boot environments.
%package -n mokutil
Summary: Utilities for managing Secure Boot/MoK keys.
%description -n mokutil
Utilities for managing the "Machine's Own Keys" list.
%prep
%setup -q -n shim-%{version}
%setup -q -a 2 -D -T
git init
git config user.email "shim-owner@fedoraproject.org"
git config user.name "Fedora Ninjas"
git add .
git commit -a -q -m "%{version} baseline."
git am %{patches} </dev/null
%build
MAKEFLAGS=""
if [ -f "%{SOURCE1}" ]; then
MAKEFLAGS="VENDOR_CERT_FILE=%{SOURCE1} VENDOR_DBX_FILE=%{SOURCE3}"
fi
make ${MAKEFLAGS} shim.efi MokManager.efi fallback.efi
cd mokutil-%{mokutilver}
%configure
make %{?_smp_mflags}
cd ..
%install
rm -rf $RPM_BUILD_ROOT
pesign -h -P -i shim.efi -h > shim.hash
install -D -d -m 0755 $RPM_BUILD_ROOT%{_datadir}/shim/
install -m 0644 shim.efi $RPM_BUILD_ROOT%{_datadir}/shim/shim.efi
install -m 0644 shim.hash $RPM_BUILD_ROOT%{_datadir}/shim/shim.hash
install -m 0644 fallback.efi $RPM_BUILD_ROOT%{_datadir}/shim/fallback.efi
install -m 0644 MokManager.efi $RPM_BUILD_ROOT%{_datadir}/shim/MokManager.efi
cd mokutil-%{mokutilver}
make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install
# now install our .debug files...
cd ..
install -D -d -m 0755 $RPM_BUILD_ROOT/usr/lib/debug/%{_datadir}/shim/
install -m 0644 shim.efi.debug $RPM_BUILD_ROOT/usr/lib/debug/%{_datadir}/shim/shim.efi.debug
install -m 0644 fallback.efi.debug $RPM_BUILD_ROOT/usr/lib/debug/%{_datadir}/shim/fallback.efi.debug
install -m 0644 MokManager.efi.debug $RPM_BUILD_ROOT/usr/lib/debug/%{_datadir}/shim/MokManager.efi.debug
%files -n shim-unsigned
%doc
%dir %{_datadir}/shim
%{_datadir}/shim/*
%files -n mokutil
/usr/bin/mokutil
/usr/share/man/man1/mokutil.1.gz
%changelog
* Tue Jun 11 2013 Peter Jones <pjones@redhat.com> - 0.4-1
- Update to 0.4
* Fri Jun 07 2013 Peter Jones <pjones@redhat.com> - 0.3-2
- Require gnu-efi-3.0q for now.
- Don't allow mmx or sse during compilation.
- Re-organize this so all real signing happens in shim-signed instead.
- Split out mokutil
* Wed Dec 12 2012 Peter Jones <pjones@redhat.com> - 0.2-3
- Fix mokutil's idea of signature sizes.
* Wed Nov 28 2012 Matthew Garrett <mjg59@srcf.ucam.org> - 0.2-2
- Fix secure_mode() always returning true
* Mon Nov 26 2012 Matthew Garrett <mjg59@srcf.ucam.org> - 0.2-1
- Update shim
- Include mokutil
- Add debuginfo package since mokutil is a userspace executable
* Mon Oct 22 2012 Peter Jones <pjones@redhat.com> - 0.1-4
- Produce an unsigned shim
* Tue Aug 14 2012 Peter Jones <pjones@redhat.com> - 0.1-3
- Update how embedded cert and signing work.
* Mon Aug 13 2012 Josh Boyer <jwboyer@redhat.com> - 0.1-2
- Add patch to fix image size calculation
* Mon Aug 13 2012 Matthew Garrett <mjg@redhat.com> - 0.1-1
- initial release