Accepting request 151556 from devel:openSUSE:Factory
- Sign shim-opensuse.efi and MokManager.efi with the openSUSE cert - Add shim-keep-unsigned-mokmanager.patch to keep the unsigned MokManager and sign it later. (forwarded request 151555 from gary_lin) OBS-URL: https://build.opensuse.org/request/show/151556 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/shim?expand=0&rev=6
This commit is contained in:
parent
9239291420
commit
0f6fe46307
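--- /dev/null
+++ b/shim-install
@@ -0,0 +1,230 @@
+#! /bin/bash -e
+
+rootdir=
+bootdir=
+efidir=
+install_device=
+removable=no
+clean=no
+sysconfdir="/etc"
+libdir="/usr/lib64"
+source_dir="$libdir/efi"
+grub_probe="`which grub2-probe`"
+self="`basename $0`"
+grub_cfg="/boot/grub2/grub.cfg"
+
+# Get GRUB_DISTRIBUTOR.
+if test -f "${sysconfdir}/default/grub" ; then
+. "${sysconfdir}/default/grub"
+fi
+
+bootloader_id="$(echo "$GRUB_DISTRIBUTOR" | tr 'A-Z' 'a-z' | cut -d' ' -f1)"
+if test -z "$bootloader_id"; then
+bootloader_id=grub
+fi
+
+efi_distributor="$bootloader_id"
+bootloader_id="${bootloader_id}-secureboot"
+
+usage () {
+echo "Usage: $self [OPTION] [INSTALL_DEVICE]"
+echo
+echo "Install Secure Boot Loaders on your drive.\n"
+echo
+echo "--directory=DIR use images from DIR.\n"
+echo "--grub-probe=FILE use FILE as grub-probe.\n"
+echo "--removable the installation device is removable.\n"
+echo "--bootloader-id=ID the ID of bootloader.\n"
+echo "--efi-directory=DIR use DIR as the EFI System Partition root.\n"
+echo "--config-file=FILE use FILE as config file, default is $grub_cfg.\n"
+echo "--clean remove all installed files and configs.\n"
+echo
+echo "INSTALL_DEVICE must be system device filename.\n"
+}
+
+argument () {
+opt="$1"
+shift
+
+if test $# -eq 0; then
+echo "$0: option requires an argument -- \`$opt'" 1>&2
+exit 1
+fi
+echo "$1"
+}
+
+# Check the arguments.
+while test $# -gt 0
+do
+option=$1
+shift
+
+case "$option" in
+-h | --help)
+usage
+exit 0 ;;
+
+--root-directory)
+rootdir="`argument $option "$@"`"; shift;;
+--root-directory=*)
+rootdir="`echo "$option" | sed 's/--root-directory=//'`" ;;
+
+--efi-directory)
+efidir="`argument $option "$@"`"; shift;;
+--efi-directory=*)
+efidir="`echo "$option" | sed 's/--efi-directory=//'`" ;;
+
+--directory | -d)
+source_dir="`argument $option "$@"`"; shift;;
+--directory=*)
+source_dir="`echo "$option" | sed 's/--directory=//'`" ;;
+
+--bootloader-id)
+bootloader_id="`argument $option "$@"`"; shift;;
+--bootloader-id=*)
+bootloader_id="`echo "$option" | sed 's/--bootloader-id=//'`" ;;
+
+--grub-probe)
+grub_probe="`argument "$option" "$@"`"; shift;;
+--grub-probe=*)
+grub_probe="`echo "$option" | sed 's/--grub-probe=//'`" ;;
+
+--config-file)
+grub_cfg="`argument "$option" "$@"`"; shift;;
+--config-file=*)
+grub_cfg="`echo "$option" | sed 's/--config-file=//'`" ;;
+
+--removable)
+removable=yes ;;
+
+--clean)
+clean=yes ;;
+
+-*)
+echo "Unrecognized option \`$option'" 1>&2
+usage
+exit 1
+;;
+*)
+if test "x$install_device" != x; then
+echo "More than one install device?" 1>&2
+usage
+exit 1
+fi
+install_device="${option}" ;;
+esac
+done
+
+if test -n "$efidir"; then
+efi_fs=`"$grub_probe" --target=fs "${efidir}"`
+if test "x$efi_fs" = xfat; then :; else
+echo "$efidir doesn't look like an EFI partition." 1>&2
+efidir=
+fi
+fi
+
+
+if [ -z "$bootdir" ]; then
+bootdir="/boot"
+if [ -n "$rootdir" ] ; then
+# Initialize bootdir if rootdir was initialized.
+bootdir="${rootdir}/boot"
+fi
+fi
+
+# Find the EFI System Partition.
+if test -n "$efidir"; then
+install_device="`"$grub_probe" --target=device --device-map= "${efidir}"`"
+else
+if test -d "${bootdir}/efi"; then
+install_device="`"$grub_probe" --target=device --device-map= "${bootdir}/efi"`"
+# Is it a mount point?
+if test "x$install_device" != "x`"$grub_probe" --target=device --device-map= "${bootdir}"`"; then
+efidir="${bootdir}/efi"
+fi
+elif test -d "${bootdir}/EFI"; then
+install_device="`"$grub_probe" --target=device --device-map= "${bootdir}/EFI"`"
+# Is it a mount point?
+if test "x$install_device" != "x`"$grub_probe" --target=device --device-map= "${bootdir}"`"; then
+efidir="${bootdir}/EFI"
+fi
+elif test -n "$rootdir" && test "x$rootdir" != "x/"; then
+# The EFI System Partition may have been given directly using
+# --root-directory.
+install_device="`"$grub_probe" --target=device --device-map= "${rootdir}"`"
+# Is it a mount point?
+if test "x$install_device" != "x`"$grub_probe" --target=device --device-map= "${rootdir}/.."`"; then
+efidir="${rootdir}"
+fi
+fi
+
+if test -n "$efidir"; then
+efi_fs=`"$grub_probe" --target=fs "${efidir}"`
+if test "x$efi_fs" = xfat; then :; else
+echo "$efidir doesn't look like an EFI partition." 1>&2
+efidir=
+fi
+fi
+fi
+
+if test -n "$efidir"; then
+efi_file=shim.efi
+efidir="$efidir/EFI/$efi_distributor"
+mkdir -p "$efidir" || exit 1
+else
+exit 1;
+fi
+
+if test "$clean" = "yes"; then
+rm -f "${efidir}/shim.efi"
+rm -f "${efidir}/MokManager.efi"
+rm -f "${efidir}/grub.efi"
+rm -f "${efidir}/grub.cfg"
+efibootmgr="`which efibootmgr`"
+if test "$removable" = no && test -n "$bootloader_id" && test -n "$efibootmgr"; then
+# Delete old entries from the same distributor.
+for bootnum in `efibootmgr | grep '^Boot[0-9]' | \
+fgrep -i " $bootloader_id" | cut -b5-8`; do
+efibootmgr -b "$bootnum" -B
+done
+fi
+exit 0
+fi
+
+cp "${source_dir}/shim.efi" "${efidir}"
+cp "${source_dir}/MokManager.efi" "${efidir}"
+cp "${source_dir}/grub.efi" "${efidir}"
+
+grub_cfg_dirname=`dirname $grub_cfg`
+grub_cfg_basename=`basename $grub_cfg`
+cfg_fs_uuid=`"$grub_probe" --target=fs_uuid "$grub_cfg_dirname"`
+
+(cat << EOF
+search --fs-uuid --set=root ${cfg_fs_uuid}
+set prefix=(\${root})${grub_cfg_dirname}
+EOF
+echo "configfile \$prefix/${grub_cfg_basename}") \
+> "${efidir}/grub.cfg"
+
+efibootmgr="`which efibootmgr`"
+if test "$removable" = no && test -n "$bootloader_id" && test -n "$efibootmgr"; then
+
+modprobe -q efivars 2>/dev/null || true
+
+# Delete old entries from the same distributor.
+for bootnum in `efibootmgr | grep '^Boot[0-9]' | \
+fgrep -i " $bootloader_id" | cut -b5-8`; do
+efibootmgr -b "$bootnum" -B
+done
+
+efidir_drive="$("$grub_probe" --target=drive --device-map= "$efidir")"
+efidir_disk="$("$grub_probe" --target=disk --device-map= "$efidir")"
+if test -z "$efidir_drive" || test -z "$efidir_disk"; then
+echo "Can't find GRUB drive for $efidir; unable to create EFI Boot Manager entry." >&2
+else
+efidir_part="$(echo "$efidir_drive" | sed 's/^([^,]*,[^0-9]*//; s/[^0-9].*//')"
+efibootmgr -c -d "$efidir_disk" -p "$efidir_part" -w \
+-L "$bootloader_id" -l "\\EFI\\$efi_distributor\\$efi_file"
+fi
+fi
+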
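Review bot: The INSTALL_DEVICE positional argument that `usage` calls mandatory is never used: the `*)` arm stores it in `install_device`, but every branch under "Find the EFI System Partition" overwrites that variable from grub2-probe, and when no ESP is found the script ends with a bare `exit 1;` that prints nothing, so a caller cannot tell why installation stopped. Replace the silent exit with `echo "$self: cannot find the EFI System Partition; use --efi-directory=DIR" 1>&2` before `exit 1`, and either honour the positional argument or drop it from `usage`. Separately, `usage` passes `\n` inside double quotes to bash's builtin `echo`, which prints the two characters literally rather than a newline, so every help line ends with a stray `\n`; drop the escapes or use `printf '%s\n'`. Both the `--clean` path and the install path also delete every EFI boot entry whose label merely contains `" $bootloader_id"` case-insensitively (`fgrep -i`), which may also match an entry with a longer label that was not created by this script; anchoring the match on the full label (`grep -i " $bootloader_id\$"`) would limit removal to the entries this script owns.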
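--- /dev/null
+++ b/shim-keep-unsigned-mokmanager.patch
@@ -0,0 +1,13 @@
+diff --git a/Makefile b/Makefile
+index 9217ba1..cd1c688 100644
+--- a/Makefile
++++ b/Makefile
+@@ -28,7 +28,7 @@ LDFLAGS = -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH
+
+VERSION = 0.2
+
+-TARGET = shim.efi MokManager.efi.signed
++TARGET = shim.efi MokManager.efi.signed MokManager.efi
+OBJS = shim.o netboot.o cert.o dbx.o
+KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key
+SOURCES = shim.c shim.h netboot.c signature.h PeImage.h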
13
shim.changes
13
shim.changes
@ -1,3 +1,16 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Feb 7 06:56:19 UTC 2013 - glin@suse.com
|
||||
|
||||
- Sign shim-opensuse.efi and MokManager.efi with the openSUSE cert
|
||||
- Add shim-keep-unsigned-mokmanager.patch to keep the unsigned
|
||||
MokManager and sign it later.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Feb 6 06:35:45 UTC 2013 - mchang@suse.com
|
||||
|
||||
- Add shim-install utility
|
||||
- Add Recommends to grub2-efi
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jan 30 09:00:31 UTC 2013 - glin@suse.com
|
||||
|
||||
|
14
shim.spec
14
shim.spec
@ -16,6 +16,8 @@
|
||||
#
|
||||
|
||||
|
||||
# needssslcertforbuild
|
||||
|
||||
Name: shim
|
||||
Version: 0.2
|
||||
Release: 0
|
||||
@ -25,6 +27,7 @@ Group: System/Boot
|
||||
Url: https://github.com/mjg59/shim
|
||||
Source: %{name}-%{version}.tar.bz2
|
||||
Source2: openSUSE-UEFI-CA-Certificate.crt
|
||||
Source3: shim-install
|
||||
# PATCH-FIX-SUSE shim-suse-build.patch glin@suse.com -- Adjust Makefile for the build service
|
||||
Patch0: shim-suse-build.patch
|
||||
# PATCH-FIX-UPSTREAM shim-local-key-sign-mokmanager.patch glin@suse.com -- Sign MokManager.efi with the local generated certificate
|
||||
@ -43,11 +46,15 @@ Patch7: shim-support-mok-delete.patch
|
||||
Patch8: shim-mokmanager-new-pw-hash.patch
|
||||
# PATCH-FIX-UPSTREAM shim-mokmanager-support-crypt-hash-method.patch glin@suse.com -- Support the password hashes from /etc/shadow
|
||||
Patch9: shim-mokmanager-support-crypt-hash-method.patch
|
||||
# PATCH-FIX-OPENSUSE shim-keep-unsigned-mokmanager.patch glin@suse.com -- Keep MokManager.efi and sign it with the openSUSE key later
|
||||
Patch10: shim-keep-unsigned-mokmanager.patch
|
||||
BuildRequires: gnu-efi >= 3.0q
|
||||
BuildRequires: mozilla-nss-tools
|
||||
BuildRequires: openssl >= 0.9.8
|
||||
BuildRequires: pesign
|
||||
BuildRequires: pesign-obs-integration
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
Recommends: grub2-efi
|
||||
ExclusiveArch: x86_64
|
||||
|
||||
%description
|
||||
@ -71,6 +78,7 @@ Authors:
|
||||
%patch7 -p1
|
||||
%patch8 -p1
|
||||
%patch9 -p1
|
||||
%patch10 -p1
|
||||
|
||||
%build
|
||||
chmod +x "make-certs"
|
||||
@ -81,9 +89,12 @@ make VENDOR_CERT_FILE=openSUSE-UEFI-CA-Certificate.der 2>/dev/null
|
||||
mv shim.efi shim-opensuse.efi
|
||||
|
||||
%install
|
||||
export BRP_PESIGN_FILES='%{_libdir}/efi/shim-opensuse.efi %{_libdir}/efi/MokManager.efi'
|
||||
install -d %{buildroot}/%{_libdir}/efi
|
||||
install -m 444 shim-opensuse.efi %{buildroot}/%{_libdir}/efi
|
||||
install -m 444 MokManager.efi.signed %{buildroot}/%{_libdir}/efi/MokManager.efi
|
||||
install -m 444 MokManager.efi %{buildroot}/%{_libdir}/efi/MokManager.efi
|
||||
install -d %{buildroot}/%{_sbindir}
|
||||
install -m 755 %{SOURCE3} %{buildroot}/%{_sbindir}/
|
||||
|
||||
%clean
|
||||
%{?buildroot:%__rm -rf "%{buildroot}"}
|
||||
@ -94,5 +105,6 @@ install -m 444 MokManager.efi.signed %{buildroot}/%{_libdir}/efi/MokManager.efi
|
||||
%dir %{_libdir}/efi
|
||||
%{_libdir}/efi/shim-opensuse.efi
|
||||
%{_libdir}/efi/MokManager.efi
|
||||
%{_sbindir}/shim-install
|
||||
|
||||
%changelog
|
||||
|
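Review bot: The %install section now installs the unsigned `MokManager.efi` at the path that previously received `MokManager.efi.signed` and relies on `export BRP_PESIGN_FILES='%{_libdir}/efi/shim-opensuse.efi %{_libdir}/efi/MokManager.efi'` for the build service's pesign step to sign both files after %install, but nothing in the spec records that contract or fails the build when the step does not run. Presumably a build where pesign-obs-integration is not active would then ship an unsigned MokManager.efi that shim will refuse to launch under Secure Boot; that consequence is inferred, not visible here. A comment above the export such as `# Installed unsigned on purpose: the pesign-obs-integration brp hook signs every file in BRP_PESIGN_FILES with the project key after %install` would make the intent explicit, and a signature check on the installed files (for example `pesign -S -i FILE` in %check) would turn a missing signature into a build failure instead of a boot-time one.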