shim/shim.spec

#
# spec file for package shim
#
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
# needssslcertforbuild


%undefine _build_create_debug

Name:           shim
Version:        12
Release:        0
Summary:        UEFI shim loader
License:        BSD-2-Clause
Group:          System/Boot
Url:            https://github.com/rhboot/shim
Source:         https://github.com/rhboot/shim/releases/download/%{version}/%{name}-%{version}.tar.bz2
# run "extract_signature.sh shim.efi" where shim.efi is the binary
# with the signature from the UEFI signing service.
# Note: For signature requesting, check SIGNATURE_UPDATE.txt
Source1:        signature-opensuse.asc
Source2:        openSUSE-UEFI-CA-Certificate.crt
Source3:        shim-install
Source4:        SLES-UEFI-CA-Certificate.crt
Source5:        extract_signature.sh
Source6:        attach_signature.sh
Source7:        show_hash.sh
Source8:        show_signatures.sh
Source9:        openSUSE-UEFI-CA-Certificate-4096.crt
Source10:       timestamp.pl
Source11:       strip_signature.sh
Source12:       signature-sles.asc
Source99:       SIGNATURE_UPDATE.txt
# PATCH-FIX-SUSE shim-only-os-name.patch glin@suse.com -- Only include the OS name in version.c
Patch1:         shim-only-os-name.patch
# PATCH-FIX-SUSE shim-only-os-name.patch glin@suse.com -- Use the Arch-independent names
Patch2:         shim-arch-independent-names.patch
# PATCH-FIX-UPSTREAM shim-fix-httpboot-crash.patch glin@suse.com -- Fix HTTPBoot crash
Patch3:         shim-fix-httpboot-crash.patch
# PATCH-FIX-UPSTREAM shim-fix-openssl-flags.patch glin@suse.com -- Fix the openssl compiler flags
Patch4:         shim-fix-openssl-flags.patch
# PATCH-FIX-UPSTREAM shim-fix-fallback-double-free.patch glin@suse.com -- Fix double free in fallback.c
Patch5:         shim-fix-fallback-double-free.patch
# PATCH-FIX-UPSTREAM shim-add-fallback-verbose-print.patch glin@suse.com -- Print debug messages dynamically
Patch6:         shim-add-fallback-verbose-print.patch
# PATCH-FIX-UPSTREAM shim-fallback-workaround-masked-ami-variables.patch glin@suse.com -- Work around the masked AMI variables
Patch7:         shim-fallback-workaround-masked-ami-variables.patch
# PATCH-FIX-UPSTREAM shim-more-tpm-measurement.patch glin@suse.com -- Measure more components for TPM
Patch8:         shim-more-tpm-measurement.patch
# PATCH-FIX-OPENSUSE shim-change-debug-file-path.patch glin@suse.com -- Change the default debug file path
Patch50:        shim-change-debug-file-path.patch
# PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch glin@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not
Patch100:       shim-opensuse-cert-prompt.patch
BuildRequires:  gnu-efi >= 3.0.3
BuildRequires:  mozilla-nss-tools
BuildRequires:  openssl >= 0.9.8
BuildRequires:  pesign
BuildRequires:  pesign-obs-integration
%if 0%{?suse_version} > 1320
BuildRequires:  update-bootloader-rpm-macros
%endif
%if 0%{?update_bootloader_requires:1}
%update_bootloader_requires
%else
Requires:       perl-Bootloader
%endif
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
# For shim-install script
Requires:       grub2-efi
# Disable AArch64 until we have the signature
ExclusiveArch:  x86_64

%description
shim is a trivial EFI application that, when run, attempts to open and
execute another application.

%package -n shim-debuginfo
Summary:        UEFI shim loader - debug symbols
Group:          System/Boot

%description -n shim-debuginfo
The debug symbols of UEFI shim loader

%package -n shim-debugsource
Summary:        UEFI shim loader - debug source
Group:          System/Boot

%description -n shim-debugsource
The source code of UEFI shim loader

Authors:
--------
    Matthew Garrett <mjg59@srcf.ucam.org>

%prep
%setup -q
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch50 -p1
%if 0%{?is_opensuse} == 1
%patch100 -p1
%endif
%build
# first, build MokManager and fallback as they don't depend on a
# specific certificate
make EFI_PATH=/usr/lib64 RELEASE=0 MokManager.efi fallback.efi

# now build variants of shim that embed different certificates
default=''
suffixes=(opensuse sles)
# check whether the project cert is a known one. If it is we build
# just one shim that embeds this specific cert. If it's a devel
# project we build all variants to simplify testing.
if test -e %{_sourcedir}/_projectcert.crt ; then
    prjsubject=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -subject_hash)
    prjissuer=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -issuer_hash)
    opensusesubject=$(openssl x509 -in %{SOURCE2} -noout -subject_hash)
    slessubject=$(openssl x509 -in %{SOURCE4} -noout -subject_hash)
    if test "$prjissuer" = "$opensusesubject" ; then 
	suffixes=(opensuse)
    elif test "$prjissuer" = "$slessubject" ; then
	suffixes=(sles)
    elif test "$prjsubject" = "$prjissuer" ; then
	suffixes=(devel opensuse sles)
    fi
fi

for suffix in "${suffixes[@]}"; do
    if test "$suffix" = "opensuse"; then
	cert=%{SOURCE2}
	cert2=%{SOURCE9}
	verify='openSUSE Secure Boot CA1'
	signature=%{SOURCE1}
    elif test "$suffix" = "sles"; then
	cert=%{SOURCE4}
	cert2=''
	verify='SUSE Linux Enterprise Secure Boot CA1'
	signature=%{SOURCE12}
    elif test "$suffix" = "devel"; then
	cert=%{_sourcedir}/_projectcert.crt
	cert2=''
	verify=`openssl x509 -in "$cert" -noout -email`
	signature=''
	test -e "$cert" || continue
    else
	echo "invalid suffix"
	false
    fi

    openssl x509 -in $cert -outform DER -out shim-$suffix.der
    rm -f shim_cert.h shim.cer shim.crt
    if [ -z "$cert2" ]; then
	    # create empty local cert file, we don't need a local key pair as we
	    # sign the mokmanager with our vendor key
	    touch shim.crt
	    touch shim.cer
    else
	    cp $cert2 shim.crt
    fi
    # make sure cast warnings don't trigger post build check
    make EFI_PATH=/usr/lib64 RELEASE=0 VENDOR_CERT_FILE=shim-$suffix.der ENABLE_HTTPBOOT=1 shim.efi
    #
    # assert correct certificate embedded
    grep -q "$verify" shim.efi
    # make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx
    chmod 755 %{SOURCE10}
    # alternative: verify signature
    #sbverify --cert MicCorThiParMarRoo_2010-10-05.pem shim-signed.efi
    if test -n "$signature"; then
	head -1 "$signature" > hash1
	cp shim.efi shim.efi.bak
	# pe header contains timestamp and checksum. we need to
	# restore that
	%{SOURCE10} --set-from-file "$signature" shim.efi
	pesign -h -P -i shim.efi > hash2
	cat hash1 hash2
	if ! cmp -s hash1 hash2; then
		echo "ERROR: $suffix binary changed, need to request new signature!"
%if %{defined shim_enforce_ms_signature}
		false
%endif
		mv shim.efi.bak shim-$suffix.efi
		rm shim.efi
	else
		# attach signature
		pesign -m "$signature" -i shim.efi -o shim-$suffix.efi
		rm -f shim.efi
	fi
    else
        mv shim.efi shim-$suffix.efi
    fi
    mv shim.efi.debug shim-$suffix.debug
    rm -f shim.cer shim.crt
    # make sure cert.o gets rebuilt
    rm -f cert.o
done

ln -s shim-${suffixes[0]}.efi shim.efi
mv shim-${suffixes[0]}.debug shim.debug

# Collect the source for debugsource
mkdir ../source
find . \( -name "*.c" -o -name "*.h" \) -type f -exec cp --parents -a {} ../source/ \;
mv ../source .

%install
export BRP_PESIGN_FILES='%{_libdir}/efi/shim*.efi %{_libdir}/efi/MokManager.efi %{_libdir}/efi/fallback.efi'
install -d %{buildroot}/%{_libdir}/efi
cp -a shim*.efi %{buildroot}/%{_libdir}/efi
install -m 444 shim-*.der %{buildroot}/%{_libdir}/efi
install -m 644 MokManager.efi %{buildroot}/%{_libdir}/efi/MokManager.efi
install -m 644 fallback.efi %{buildroot}/%{_libdir}/efi/fallback.efi
install -d %{buildroot}/%{_sbindir}
install -m 755 %{SOURCE3} %{buildroot}/%{_sbindir}/
# install SUSE certificate
install -d %{buildroot}/%{_sysconfdir}/uefi/certs/
for file in shim-*.der; do
    fpr=$(openssl x509 -sha1 -fingerprint -inform DER -noout -in $file | cut -c 18- | cut -d ":" -f 1,2,3,4 | sed 's/://g')
    install -m 644 $file %{buildroot}/%{_sysconfdir}/uefi/certs/$fpr.crt
done

# install the debug symbols
install -d %{buildroot}/usr/lib/debug/%{_libdir}/efi
install -m 644 shim.debug %{buildroot}/usr/lib/debug/%{_libdir}/efi
install -m 644 MokManager.efi.debug %{buildroot}/usr/lib/debug/%{_libdir}/efi/MokManager.debug
install -m 644 fallback.efi.debug %{buildroot}/usr/lib/debug/%{_libdir}/efi/fallback.debug

# install the debug source
install -d %{buildroot}/usr/src/debug/%{name}-%{version}
cp -r source/* %{buildroot}/usr/src/debug/%{name}-%{version}

%clean
%{?buildroot:%__rm -rf "%{buildroot}"}

%post
%if 0%{?update_bootloader_check_type_reinit_post:1} 
%update_bootloader_check_type_reinit_post grub2-efi
%else
/sbin/update-bootloader --reinit || true
%endif

%posttrans
%{?update_bootloader_posttrans}

%files
%defattr(-,root,root)
%doc COPYRIGHT
%dir %{_libdir}/efi
%{_libdir}/efi/shim.efi
%{_libdir}/efi/shim-*.efi
%{_libdir}/efi/shim-*.der
%{_libdir}/efi/MokManager.efi
%{_libdir}/efi/fallback.efi
%{_sbindir}/shim-install
%dir %{_sysconfdir}/uefi/
%dir %{_sysconfdir}/uefi/certs/
%{_sysconfdir}/uefi/certs/*.crt

%files -n shim-debuginfo
%defattr(-,root,root,-)
/usr/lib/debug/%{_libdir}/efi/shim.debug
/usr/lib/debug/%{_libdir}/efi/MokManager.debug
/usr/lib/debug/%{_libdir}/efi/fallback.debug

%files -n shim-debugsource
%defattr(-,root,root,-)
%dir /usr/src/debug/%{name}-%{version}
/usr/src/debug/%{name}-%{version}/*

%changelog