shim/shim.spec
2013-06-07 14:27:12 -04:00

144 lines
4.8 KiB
RPMSpec

Name: shim
Version: 0.3
Release: 2%{?dist}
Summary: First-stage UEFI bootloader
License: BSD
URL: http://www.codon.org.uk/~mjg59/shim/
Source0: http://www.codon.org.uk/~mjg59/shim/shim-%{version}.tar.bz2
Source1: fedora-ca.cer
# incorporate mokutil for packaging simplicity
%global mokutilver 0.1.0
Source2: http://www.codon.org.uk/~mjg59/mokutil/mokutil-%{mokutilver}.tar.bz2
# currently here's what's in our dbx:
# grub2-efi-2.00-11.fc18.x86_64:
# grubx64.efi 6ac839881e73504047c06a1aac0c4763408ecb3642783c8acf77a2d393ea5cd7
# gcdx64.efi 065cd63bab696ad2f4732af9634d66f2c0d48f8a3134b8808750d378550be151
# grub2-efi-2.00-11.fc19.x86_64:
# grubx64.efi 49ece9a10a9403b32c8e0c892fd9afe24a974323c96f2cc3dd63608754bf9b45
# gcdx64.efi 99fcaa957786c155a92b40be9c981c4e4685b8c62b408cb0f6cb2df9c30b9978
# woops.
Source3: dbx.esl
Patch0: 0001-Fix-grub-path.patch
Patch1: 0001-Don-t-use-MMX-and-SSE-registers-they-aren-t-initiali.patch
Patch2: mokutil-correct-moklistrt-size.patch
Patch3: 0001-EFI_PXE_BASE_CODE_DHCPV6_PACKET-is-in-gnu-efi-3.0t.patch
BuildRequires: gnu-efi git openssl-devel openssl
BuildRequires: pesign >= 0.104-1
BuildRequires: gnu-efi >= 3.0t
# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
# compatible with SysV (there's no red zone under UEFI) and there isn't a
# POSIX-style C library.
# BuildRequires: OpenSSL
Provides: bundled(openssl) = 0.9.8w
# Shim is only required on platforms implementing the UEFI secure boot
# protocol. The only one of those we currently wish to support is 64-bit x86.
# Adding further platforms will require adding appropriate relocation code.
ExclusiveArch: x86_64
# Figure out the right file path to use
%if 0%{?rhel}
%global efidir redhat
%endif
%if 0%{?fedora}
%global efidir fedora
%endif
%description
Initial UEFI bootloader that handles chaining to a trusted full bootloader
under secure boot environments.
%package -n shim-unsigned
Summary: First-stage UEFI bootloader (unsigned data)
%description -n shim-unsigned
Initial UEFI bootloader that handles chaining to a trusted full bootloader
under secure boot environments.
%prep
%setup -q -n shim-%{version}
%setup -q -a 2 -D -T
git init
git config user.email "shim-owner@fedoraproject.org"
git config user.name "Fedora Ninjas"
git add .
git commit -a -q -m "%{version} baseline."
git am %{patches} </dev/null
%build
%define vendor_token_str %{expand:%%{nil}%%{?vendor_token_name:-t "%{vendor_token_name}"}}
%define vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}}
#pesign %{vendor_token_str} %{vendor_cert_str} -C vendor.cer
MAKEFLAGS=""
if [ -f "%{SOURCE1}" ]; then
MAKEFLAGS="VENDOR_CERT_FILE=%{SOURCE1}"
fi
make ${MAKEFLAGS} shim.efi MokManager.efi fallback.efi
cd mokutil-%{mokutilver}
%configure
make %{?_smp_mflags}
cd ..
%install
rm -rf $RPM_BUILD_ROOT
%pesign -s -i shim.efi -e shim.sig
install -D -d -m 0755 $RPM_BUILD_ROOT%{_datadir}/shim/
install -m 0644 shim.efi $RPM_BUILD_ROOT%{_datadir}/shim/shim.efi
install -m 0644 shim.sig $RPM_BUILD_ROOT%{_datadir}/shim/shim.sig
%pesign -s -i fallback.efi -o $RPM_BUILD_ROOT%{_datadir}/shim/fallback.efi
install -D -d -m 0755 $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/
%pesign -s -i MokManager.efi -o $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/MokManager.efi
cd mokutil-%{mokutilver}
make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install
# now install our .debug files...
cd ..
install -D -d -m 0755 $RPM_BUILD_ROOT/usr/lib/debug/%{_datadir}/shim/
install -m 0644 shim.efi.debug $RPM_BUILD_ROOT/usr/lib/debug/%{_datadir}/shim/shim.efi.debug
install -m 0644 fallback.efi.debug $RPM_BUILD_ROOT/usr/lib/debug/%{_datadir}/shim/fallback.efi.debug
install -D -d -m 0755 $RPM_BUILD_ROOT/usr/lib/debug/boot/efi/EFI/%{efidir}/MokManager.efi.debug
%post
%files -n shim-unsigned
%doc
%dir %{_datadir}/shim
%dir /boot/efi/EFI/%{efidir}
%{_datadir}/shim/*
/boot/efi/EFI/%{efidir}/MokManager.efi
/usr/bin/mokutil
/usr/share/man/man1/mokutil.1.gz
%changelog
* Fri Jun 07 2013 Peter Jones <pjones@redhat.com> - 0.3-2
- Don't allow mmx or sse during compilation.
* Wed Dec 12 2012 Peter Jones <pjones@redhat.com> - 0.2-3
- Fix mokutil's idea of signature sizes.
* Wed Nov 28 2012 Matthew Garrett <mjg59@srcf.ucam.org> - 0.2-2
- Fix secure_mode() always returning true
* Mon Nov 26 2012 Matthew Garrett <mjg59@srcf.ucam.org> - 0.2-1
- Update shim
- Include mokutil
- Add debuginfo package since mokutil is a userspace executable
* Mon Oct 22 2012 Peter Jones <pjones@redhat.com> - 0.1-4
- Produce an unsigned shim
* Tue Aug 14 2012 Peter Jones <pjones@redhat.com> - 0.1-3
- Update how embedded cert and signing work.
* Mon Aug 13 2012 Josh Boyer <jwboyer@redhat.com> - 0.1-2
- Add patch to fix image size calculation
* Mon Aug 13 2012 Matthew Garrett <mjg@redhat.com> - 0.1-1
- initial release