Accepting request 151556 from devel:openSUSE:Factory

- Sign shim-opensuse.efi and MokManager.efi with the openSUSE cert - Add shim-keep-unsigned-mokmanager.patch to keep the unsigned MokManager and sign it later. (forwarded request 151555 from gary_lin) OBS-URL: https://build.opensuse.org/request/show/151556 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/shim?expand=0&rev=6
2013-02-07 13:54:45 +00:00 · 2013-02-07 13:54:45 +00:00 · 0f6fe46307
commit 0f6fe46307
parent 9239291420
4 changed files with 269 additions and 1 deletions
--- a/230
+++ b/230
@ -0,0 +1,230 @@
+#! /bin/bash -e
+
+rootdir=
+bootdir=
+efidir=
+install_device=
+removable=no
+clean=no
+sysconfdir="/etc"
+libdir="/usr/lib64"
+source_dir="$libdir/efi"
+grub_probe="`which grub2-probe`"
+self="`basename $0`"
+grub_cfg="/boot/grub2/grub.cfg"
+
+# Get GRUB_DISTRIBUTOR.
+if test -f "${sysconfdir}/default/grub" ; then
+    . "${sysconfdir}/default/grub"
+fi
+
+bootloader_id="$(echo "$GRUB_DISTRIBUTOR" | tr 'A-Z' 'a-z' | cut -d' ' -f1)"
+if test -z "$bootloader_id"; then
+    bootloader_id=grub
+fi
+
+efi_distributor="$bootloader_id"
+bootloader_id="${bootloader_id}-secureboot"
+
+usage () {
+    echo "Usage: $self [OPTION] [INSTALL_DEVICE]"
+    echo
+    echo "Install Secure Boot Loaders on your drive.\n"
+    echo
+    echo "--directory=DIR use images from DIR.\n"
+    echo "--grub-probe=FILE use FILE as grub-probe.\n"
+    echo "--removable the installation device is removable.\n"
+    echo "--bootloader-id=ID the ID of bootloader.\n"
+    echo "--efi-directory=DIR use DIR as the EFI System Partition root.\n"
+    echo "--config-file=FILE use FILE as config file, default is $grub_cfg.\n"
+    echo "--clean remove all installed files and configs.\n"
+    echo
+    echo "INSTALL_DEVICE must be system device filename.\n"
+}
+
+argument () {
+  opt="$1"
+  shift
+
+  if test $# -eq 0; then
+      echo "$0: option requires an argument -- \`$opt'" 1>&2
+      exit 1
+  fi
+  echo "$1"
+}
+
+# Check the arguments.
+while test $# -gt 0
+do
+    option=$1
+    shift
+
+    case "$option" in
+    -h | --help)
+	usage
+	exit 0 ;;
+
+    --root-directory)
+	rootdir="`argument $option "$@"`"; shift;;
+    --root-directory=*)
+	rootdir="`echo "$option" | sed 's/--root-directory=//'`" ;;
+
+    --efi-directory)
+	efidir="`argument $option "$@"`"; shift;;
+    --efi-directory=*)
+	efidir="`echo "$option" | sed 's/--efi-directory=//'`" ;;
+
+    --directory | -d)
+	source_dir="`argument $option "$@"`"; shift;;
+    --directory=*)
+	source_dir="`echo "$option" | sed 's/--directory=//'`" ;;
+
+    --bootloader-id)
+	bootloader_id="`argument $option "$@"`"; shift;;
+    --bootloader-id=*)
+	bootloader_id="`echo "$option" | sed 's/--bootloader-id=//'`" ;;
+
+    --grub-probe)
+	grub_probe="`argument "$option" "$@"`"; shift;;
+    --grub-probe=*)
+	grub_probe="`echo "$option" | sed 's/--grub-probe=//'`" ;;
+
+    --config-file)
+	grub_cfg="`argument "$option" "$@"`"; shift;;
+    --config-file=*)
+	grub_cfg="`echo "$option" | sed 's/--config-file=//'`" ;;
+
+    --removable)
+	removable=yes ;;
+
+    --clean)
+	clean=yes ;;
+
+    -*)
+	echo "Unrecognized option \`$option'"  1>&2
+	usage
+	exit 1
+	;;
+    *)
+	if test "x$install_device" != x; then
+	    echo "More than one install device?" 1>&2
+	    usage
+	    exit 1
+	fi
+	install_device="${option}" ;;
+    esac
+done
+
+if test -n "$efidir"; then
+    efi_fs=`"$grub_probe" --target=fs "${efidir}"`
+    if test "x$efi_fs" = xfat; then :; else
+	echo "$efidir doesn't look like an EFI partition." 1>&2
+	efidir=
+    fi
+fi
+
+
+if [ -z "$bootdir" ]; then
+    bootdir="/boot"
+    if [ -n "$rootdir" ] ; then
+        # Initialize bootdir if rootdir was initialized.
+        bootdir="${rootdir}/boot"
+    fi
+fi
+
+# Find the EFI System Partition.
+if test -n "$efidir"; then
+    install_device="`"$grub_probe" --target=device --device-map= "${efidir}"`"
+else
+    if test -d "${bootdir}/efi"; then
+        install_device="`"$grub_probe" --target=device --device-map= "${bootdir}/efi"`"
+        # Is it a mount point?
+        if test "x$install_device" != "x`"$grub_probe" --target=device --device-map= "${bootdir}"`"; then
+    	efidir="${bootdir}/efi"
+        fi
+    elif test -d "${bootdir}/EFI"; then
+        install_device="`"$grub_probe" --target=device --device-map= "${bootdir}/EFI"`"
+        # Is it a mount point?
+        if test "x$install_device" != "x`"$grub_probe" --target=device --device-map= "${bootdir}"`"; then
+    	efidir="${bootdir}/EFI"
+        fi
+    elif test -n "$rootdir" && test "x$rootdir" != "x/"; then
+    # The EFI System Partition may have been given directly using
+    # --root-directory.
+        install_device="`"$grub_probe" --target=device --device-map= "${rootdir}"`"
+    # Is it a mount point?
+        if test "x$install_device" != "x`"$grub_probe" --target=device --device-map= "${rootdir}/.."`"; then
+    	efidir="${rootdir}"
+        fi
+    fi
+
+    if test -n "$efidir"; then
+        efi_fs=`"$grub_probe" --target=fs "${efidir}"`
+        if test "x$efi_fs" = xfat; then :; else
+    	echo "$efidir doesn't look like an EFI partition." 1>&2
+    	efidir=
+        fi
+    fi
+fi
+
+if test -n "$efidir"; then
+    efi_file=shim.efi
+    efidir="$efidir/EFI/$efi_distributor"
+    mkdir -p "$efidir" || exit 1
+else
+    exit 1;
+fi
+
+if test "$clean" = "yes"; then
+    rm -f "${efidir}/shim.efi"
+    rm -f "${efidir}/MokManager.efi"
+    rm -f "${efidir}/grub.efi"
+    rm -f "${efidir}/grub.cfg"
+    efibootmgr="`which efibootmgr`"
+    if test "$removable" = no && test -n "$bootloader_id" && test -n "$efibootmgr"; then
+        # Delete old entries from the same distributor.
+        for bootnum in `efibootmgr | grep '^Boot[0-9]' | \
+            fgrep -i " $bootloader_id" | cut -b5-8`; do
+            efibootmgr -b "$bootnum" -B
+        done
+	fi
+	exit 0
+fi
+
+cp "${source_dir}/shim.efi" "${efidir}"
+cp "${source_dir}/MokManager.efi" "${efidir}"
+cp "${source_dir}/grub.efi" "${efidir}"
+
+grub_cfg_dirname=`dirname $grub_cfg`
+grub_cfg_basename=`basename $grub_cfg`
+cfg_fs_uuid=`"$grub_probe" --target=fs_uuid "$grub_cfg_dirname"`
+
+(cat << EOF
+search --fs-uuid --set=root ${cfg_fs_uuid}
+set prefix=(\${root})${grub_cfg_dirname}
+EOF
+echo "configfile \$prefix/${grub_cfg_basename}") \
+> "${efidir}/grub.cfg"
+
+efibootmgr="`which efibootmgr`"
+if test "$removable" = no && test -n "$bootloader_id" && test -n "$efibootmgr"; then
+
+    modprobe -q efivars 2>/dev/null || true
+
+    # Delete old entries from the same distributor.
+    for bootnum in `efibootmgr | grep '^Boot[0-9]' | \
+        fgrep -i " $bootloader_id" | cut -b5-8`; do
+        efibootmgr -b "$bootnum" -B
+    done
+
+    efidir_drive="$("$grub_probe" --target=drive --device-map= "$efidir")"
+    efidir_disk="$("$grub_probe" --target=disk --device-map= "$efidir")"
+    if test -z "$efidir_drive" || test -z "$efidir_disk"; then
+        echo "Can't find GRUB drive for $efidir; unable to create EFI Boot Manager entry." >&2
+    else
+        efidir_part="$(echo "$efidir_drive" | sed 's/^([^,]*,[^0-9]*//; s/[^0-9].*//')"
+        efibootmgr -c -d "$efidir_disk" -p "$efidir_part" -w \
+    	-L "$bootloader_id" -l "\\EFI\\$efi_distributor\\$efi_file"
+    fi
+fi
+
--- a/shim-keep-unsigned-mokmanager.patch
+++ b/shim-keep-unsigned-mokmanager.patch
@ -0,0 +1,13 @@
+diff --git a/Makefile b/Makefile
+index 9217ba1..cd1c688 100644
+--- a/Makefile
+++ b/Makefile
+@@ -28,7 +28,7 @@ LDFLAGS		= -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH
+ 
+ VERSION		= 0.2
+ 
+-TARGET	= shim.efi MokManager.efi.signed
+TARGET	= shim.efi MokManager.efi.signed MokManager.efi
+ OBJS	= shim.o netboot.o cert.o dbx.o
+ KEYS	= shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key
+ SOURCES	= shim.c shim.h netboot.c signature.h PeImage.h
--- a/shim.changes
+++ b/shim.changes
@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Thu Feb  7 06:56:19 UTC 2013 - glin@suse.com
+
+- Sign shim-opensuse.efi and MokManager.efi with the openSUSE cert
+- Add shim-keep-unsigned-mokmanager.patch to keep the unsigned
+  MokManager and sign it later.
+
+-------------------------------------------------------------------
+Wed Feb  6 06:35:45 UTC 2013 - mchang@suse.com
+
+- Add shim-install utility
+- Add Recommends to grub2-efi 
+
 -------------------------------------------------------------------
 Wed Jan 30 09:00:31 UTC 2013 - glin@suse.com

--- a/shim.spec
+++ b/shim.spec
@ -16,6 +16,8 @@
 #


+# needssslcertforbuild
+
 Name:           shim
 Version:        0.2
 Release:        0
@ -25,6 +27,7 @@ Group:          System/Boot
 Url:            https://github.com/mjg59/shim
 Source:         %{name}-%{version}.tar.bz2
 Source2:        openSUSE-UEFI-CA-Certificate.crt
+Source3:        shim-install
 # PATCH-FIX-SUSE shim-suse-build.patch glin@suse.com -- Adjust Makefile for the build service
 Patch0:         shim-suse-build.patch
 # PATCH-FIX-UPSTREAM shim-local-key-sign-mokmanager.patch glin@suse.com -- Sign MokManager.efi with the local generated certificate
@ -43,11 +46,15 @@ Patch7:         shim-support-mok-delete.patch
 Patch8:         shim-mokmanager-new-pw-hash.patch
 # PATCH-FIX-UPSTREAM shim-mokmanager-support-crypt-hash-method.patch glin@suse.com -- Support the password hashes from /etc/shadow
 Patch9:         shim-mokmanager-support-crypt-hash-method.patch
+# PATCH-FIX-OPENSUSE shim-keep-unsigned-mokmanager.patch glin@suse.com -- Keep MokManager.efi and sign it with the openSUSE key later
+Patch10:        shim-keep-unsigned-mokmanager.patch
 BuildRequires:  gnu-efi >= 3.0q
 BuildRequires:  mozilla-nss-tools
 BuildRequires:  openssl >= 0.9.8
 BuildRequires:  pesign
+BuildRequires:  pesign-obs-integration
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
+Recommends:     grub2-efi
 ExclusiveArch:  x86_64

 %description
@ -71,6 +78,7 @@ Authors:
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
+%patch10 -p1

 %build
 chmod +x "make-certs"
@ -81,9 +89,12 @@ make VENDOR_CERT_FILE=openSUSE-UEFI-CA-Certificate.der 2>/dev/null
 mv shim.efi shim-opensuse.efi

 %install
+export BRP_PESIGN_FILES='%{_libdir}/efi/shim-opensuse.efi %{_libdir}/efi/MokManager.efi'
 install -d %{buildroot}/%{_libdir}/efi
 install -m 444 shim-opensuse.efi %{buildroot}/%{_libdir}/efi
-install -m 444 MokManager.efi.signed %{buildroot}/%{_libdir}/efi/MokManager.efi
+install -m 444 MokManager.efi %{buildroot}/%{_libdir}/efi/MokManager.efi
+install -d %{buildroot}/%{_sbindir}
+install -m 755 %{SOURCE3} %{buildroot}/%{_sbindir}/

 %clean
 %{?buildroot:%__rm -rf "%{buildroot}"}
@ -94,5 +105,6 @@ install -m 444 MokManager.efi.signed %{buildroot}/%{_libdir}/efi/MokManager.efi
 %dir %{_libdir}/efi
 %{_libdir}/efi/shim-opensuse.efi
 %{_libdir}/efi/MokManager.efi
+%{_sbindir}/shim-install

 %changelog