shim/shim.spec

#
# spec file for package shim
#
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


# needssslcertforbuild

Name:           shim
Version:        0.2
Release:        0
Summary:        UEFI shim loader
License:        BSD-2-Clause
Group:          System/Boot
Url:            https://github.com/mjg59/shim
Source:         %{name}-%{version}.tar.bz2
# this binary has been signed by UEFI signing service
# FIXME: evaluate whether using signature only and attaching that
# to the built binary also works
Source1:        shim-signed.efi
Source2:        openSUSE-UEFI-CA-Certificate.crt
Source3:        shim-install
Source4:        SLES-UEFI-CA-Certificate.crt
# PATCH-FIX-SUSE shim-suse-build.patch glin@suse.com -- Adjust Makefile for the build service
Patch0:         shim-suse-build.patch
# PATCH-FIX-UPSTREAM shim-local-key-sign-mokmanager.patch glin@suse.com -- Sign MokManager.efi with the local generated certificate
Patch1:         shim-local-key-sign-mokmanager.patch
# PATCH-FEATURE-UPSTREAM shim-get-2nd-stage-loader.patch glin@suse.com -- Get the second stage loader path from the load options
Patch2:         shim-get-2nd-stage-loader.patch
# PATCH-FIX-UPSTREAM shim-reboot-after-changes.patch glin@suse.com -- Reboot the system after enrolling or erasing keys
Patch3:         shim-reboot-after-changes.patch
# PATCH-FIX-UPSTREAM shim-clear-queued-key.patch glin@suse.com -- Clear the queued key to show the menu properly
Patch5:         shim-clear-queued-key.patch
# PATCH-FIX-UPSTREAM shim-fix-loadoptions.patch bnc#798043 glin@suse.com -- Adopt the UEFI shell style LoadOptions
Patch6:         shim-fix-loadoptions.patch
# PATCH-FIX-UPSTREAM shim-support-mok-delete.patch glin@suse.com -- Support for deleting specific keys
Patch7:         shim-support-mok-delete.patch
# PATCH-FIX-UPSTREAM shim-mokmanager-new-pw-hash.patch glin@suse.com -- Support the new password hash
Patch8:         shim-mokmanager-new-pw-hash.patch
# PATCH-FIX-UPSTREAM shim-mokmanager-support-crypt-hash-method.patch glin@suse.com -- Support the password hashes from /etc/shadow
Patch9:         shim-mokmanager-support-crypt-hash-method.patch
# PATCH-FIX-OPENSUSE shim-keep-unsigned-mokmanager.patch glin@suse.com -- Keep MokManager.efi and sign it with the openSUSE key later
Patch10:        shim-keep-unsigned-mokmanager.patch
# PATCH-FIX-UPSTREAM shim-bnc804631-fix-broken-bootpath.patch bnc#804631 glin@suse.com -- Fix the broken bootpath generated in generate_path()
Patch11:        shim-bnc804631-fix-broken-bootpath.patch
BuildRequires:  gnu-efi >= 3.0q
BuildRequires:  mozilla-nss-tools
BuildRequires:  openssl >= 0.9.8
BuildRequires:  pesign
BuildRequires:  pesign-obs-integration
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
Recommends:     grub2-efi
ExclusiveArch:  x86_64

%description
shim is a trivial EFI application that, when run, attempts to open and
execute another application.



Authors:
--------
    Matthew Garrett <mjg59@srcf.ucam.org>

%prep
%setup -q
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1

%build
chmod +x "make-certs"

if test -e %{_sourcedir}/_projectcert.crt ; then
    prjsubject=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -subject_hash)
    prjissuer=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -issuer_hash)
    opensusesubject=$(openssl x509 -in %{SOURCE2} -noout -subject_hash)
    slessubject=$(openssl x509 -in %{SOURCE4} -noout -subject_hash)
    if test "$prjissuer" = "$opensusesubject" ; then
        suffix=opensuse
        cert=%{SOURCE2}
    fi
    if test "$prjissuer" = "$slessubject" ; then
        suffix=sles
        cert=%{SOURCE4}
    fi
    if test "$prjsubject" = "$prjissuer" ; then
        suffix=local
        cert=%{_sourcedir}/_projectcert.crt
    fi
fi
if test -z "$suffix" ; then
    echo "cannot identify project, assuming openSUSE signing"
    suffix=opensuse
    cert=%{SOURCE2}
fi

openssl x509 -in $cert -outform DER -out shim-$suffix.der
# create empty local cert file, we don't need a local key pair as we
# sign the mokmanager with our vendor key
touch shim.crt
touch shim.cer
# make sure cast warnings don't trigger post build check
make VENDOR_CERT_FILE=shim-$suffix.der shim.efi MokManager.efi 2>/dev/null
# make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx
mv shim.efi shim-$suffix.efi

%install
export BRP_PESIGN_FILES='%{_libdir}/efi/shim*.efi %{_libdir}/efi/MokManager.efi'
install -d %{buildroot}/%{_libdir}/efi
install -m 444 shim-*.efi %{buildroot}/%{_libdir}/efi
install -m 444 shim-*.der %{buildroot}/%{_libdir}/efi
# FIXME: install signed shim here
install -m 444 %{SOURCE1} %{buildroot}/%{_libdir}/efi/shim.efi
install -m 444 MokManager.efi %{buildroot}/%{_libdir}/efi/MokManager.efi
install -d %{buildroot}/%{_sbindir}
install -m 755 %{SOURCE3} %{buildroot}/%{_sbindir}/

%clean
%{?buildroot:%__rm -rf "%{buildroot}"}

%files
%defattr(-,root,root)
%doc COPYRIGHT
%dir %{_libdir}/efi
%{_libdir}/efi/shim.efi
%{_libdir}/efi/shim-*.efi
%{_libdir}/efi/shim-*.der
%{_libdir}/efi/MokManager.efi
%{_sbindir}/shim-install

%changelog