Accepting request 196735 from home:lnussel:branches:devel:openSUSE:Factory
- always build a shim that embeds the distro's certificate (e.g. shim-opensuse.efi). If the package is built in the devel project additionally shim-devel.efi is created. That allows us to either load grub2/kernel signed by the distro or signed by the devel project, depending on use case. Also shim-$distro.efi from the devel project can be used to request additional signatures. OBS-URL: https://build.opensuse.org/request/show/196735 OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=40
This commit is contained in:
Gary Ching-Pang Lin
Git OBS Bridge
parent
f83d4083f6
commit
3436d7ba57
10
shim.changes
10
shim.changes
@ -1,3 +1,13 @@
|
||||
-------------------------------------------------------------------
|
||||
Wed Aug 28 15:54:38 UTC 2013 - lnussel@suse.de
|
||||
|
||||
- always build a shim that embeds the distro's certificate (e.g.
|
||||
shim-opensuse.efi). If the package is built in the devel project
|
||||
additionally shim-devel.efi is created. That allows us to either
|
||||
load grub2/kernel signed by the distro or signed by the devel
|
||||
project, depending on use case. Also shim-$distro.efi from the
|
||||
devel project can be used to request additional signatures.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Aug 28 07:16:51 UTC 2013 - lnussel@suse.de
|
||||
|
||||
|
||||
123
shim.spec
123
shim.spec
@ -93,75 +93,98 @@ Authors:
|
||||
%build
|
||||
chmod +x "make-certs"
|
||||
|
||||
cert2=''
|
||||
# first, build MokManager and fallback as they don't depend on a
|
||||
# specific certificate
|
||||
make MokManager.efi fallback.efi 2>/dev/null
|
||||
|
||||
# now build variants of shim that embed different certificates
|
||||
default=''
|
||||
suffixes=(opensuse sles)
|
||||
# check whether the project cert is a known one. If it is we build
|
||||
# just one shim that embeds this specific cert. If it's a devel
|
||||
# project we build all variants to simplify testing.
|
||||
if test -e %{_sourcedir}/_projectcert.crt ; then
|
||||
prjsubject=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -subject_hash)
|
||||
prjissuer=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -issuer_hash)
|
||||
opensusesubject=$(openssl x509 -in %{SOURCE2} -noout -subject_hash)
|
||||
slessubject=$(openssl x509 -in %{SOURCE4} -noout -subject_hash)
|
||||
if test "$prjissuer" = "$opensusesubject" ; then
|
||||
suffix=opensuse
|
||||
cert=%{SOURCE2}
|
||||
cert2=%{SOURCE9}
|
||||
if test "$prjissuer" = "$opensusesubject" ; then
|
||||
suffixes=(opensuse)
|
||||
elif test "$prjissuer" = "$slessubject" ; then
|
||||
suffixes=(sles)
|
||||
elif test "$prjsubject" = "$prjissuer" ; then
|
||||
suffixes=(devel opensuse sles)
|
||||
fi
|
||||
if test "$prjissuer" = "$slessubject" ; then
|
||||
suffix=sles
|
||||
cert=%{SOURCE4}
|
||||
fi
|
||||
if test "$prjsubject" = "$prjissuer" ; then
|
||||
suffix=local
|
||||
cert=%{_sourcedir}/_projectcert.crt
|
||||
fi
|
||||
fi
|
||||
if test -z "$suffix" ; then
|
||||
echo "cannot identify project, assuming openSUSE signing"
|
||||
suffix=opensuse
|
||||
cert=%{SOURCE2}
|
||||
fi
|
||||
|
||||
openssl x509 -in $cert -outform DER -out shim-$suffix.der
|
||||
if [ -z "$cert2" ]; then
|
||||
# create empty local cert file, we don't need a local key pair as we
|
||||
# sign the mokmanager with our vendor key
|
||||
touch shim.crt
|
||||
touch shim.cer
|
||||
else
|
||||
cp $cert2 shim.crt
|
||||
fi
|
||||
# make sure cast warnings don't trigger post build check
|
||||
make VENDOR_CERT_FILE=shim-$suffix.der shim.efi MokManager.efi fallback.efi 2>/dev/null
|
||||
# make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx
|
||||
cp shim.efi shim-$suffix.efi
|
||||
chmod 755 %{SOURCE6} %{SOURCE7}
|
||||
# alternative: verify signature
|
||||
#sbverify --cert MicCorThiParMarRoo_2010-10-05.pem shim-signed.efi
|
||||
head -1 %{SOURCE1} > hash1
|
||||
%{SOURCE7} shim.efi > hash2
|
||||
cat hash1 hash2
|
||||
if ! cmp -s hash1 hash2; then
|
||||
echo "ERROR: binary changed, need to request new signature!"
|
||||
# don't fail in devel projects
|
||||
prj="%{_project}"
|
||||
if [ "${prj%%:*}" = "openSUSE" ]; then
|
||||
false
|
||||
fi
|
||||
fi
|
||||
%{SOURCE6} %{SOURCE1} shim.efi
|
||||
for suffix in "${suffixes[@]}"; do
|
||||
if test "$suffix" = "opensuse"; then
|
||||
cert=%{SOURCE2}
|
||||
cert2=%{SOURCE9}
|
||||
elif test "$suffix" = "sles"; then
|
||||
cert=%{SOURCE4}
|
||||
cert2=''
|
||||
elif test "$suffix" = "devel"; then
|
||||
cert=%{_sourcedir}/_projectcert.crt
|
||||
cert2=''
|
||||
test -e "$cert" || continue
|
||||
else
|
||||
echo "invalid suffix"
|
||||
false
|
||||
fi
|
||||
|
||||
openssl x509 -in $cert -outform DER -out shim-$suffix.der
|
||||
if [ -z "$cert2" ]; then
|
||||
# create empty local cert file, we don't need a local key pair as we
|
||||
# sign the mokmanager with our vendor key
|
||||
touch shim.crt
|
||||
touch shim.cer
|
||||
else
|
||||
cp $cert2 shim.crt
|
||||
rm -f shim.cer
|
||||
fi
|
||||
# make sure cast warnings don't trigger post build check
|
||||
make VENDOR_CERT_FILE=shim-$suffix.der shim.efi 2>/dev/null
|
||||
# make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx
|
||||
chmod 755 %{SOURCE6} %{SOURCE7}
|
||||
# alternative: verify signature
|
||||
#sbverify --cert MicCorThiParMarRoo_2010-10-05.pem shim-signed.efi
|
||||
head -1 %{SOURCE1} > hash1
|
||||
%{SOURCE7} shim.efi > hash2
|
||||
cat hash1 hash2
|
||||
if ! cmp -s hash1 hash2; then
|
||||
echo "ERROR: binary changed, need to request new signature!"
|
||||
# don't fail in devel projects
|
||||
prj="%{_project}"
|
||||
if [ "${prj%%:*}" = "openSUSE" ]; then
|
||||
false
|
||||
fi
|
||||
mv shim.efi shim-$suffix.efi
|
||||
else
|
||||
%{SOURCE6} %{SOURCE1} shim.efi
|
||||
mv shim-signed.efi shim-$suffix.efi
|
||||
rm -f shim.efi
|
||||
fi
|
||||
rm -f shim.cer shim.crt
|
||||
done
|
||||
|
||||
ln -s shim-${suffixes[0]}.efi shim.efi
|
||||
|
||||
%install
|
||||
export BRP_PESIGN_FILES='%{_libdir}/efi/shim*.efi %{_libdir}/efi/MokManager.efi %{_libdir}/efi/fallback.efi'
|
||||
install -d %{buildroot}/%{_libdir}/efi
|
||||
install -m 644 shim-*.efi %{buildroot}/%{_libdir}/efi
|
||||
cp -a shim*.efi %{buildroot}/%{_libdir}/efi
|
||||
install -m 444 shim-*.der %{buildroot}/%{_libdir}/efi
|
||||
install -m 644 shim-signed.efi %{buildroot}/%{_libdir}/efi/shim.efi
|
||||
install -m 644 MokManager.efi %{buildroot}/%{_libdir}/efi/MokManager.efi
|
||||
install -m 644 fallback.efi %{buildroot}/%{_libdir}/efi/fallback.efi
|
||||
install -d %{buildroot}/%{_sbindir}
|
||||
install -m 755 %{SOURCE3} %{buildroot}/%{_sbindir}/
|
||||
# install SUSE certificate
|
||||
CERT_NAME=$(openssl x509 -sha1 -fingerprint -inform DER -in shim-*.der | grep "SHA1 Fingerprint" | cut -c 18- | cut -d ":" -f 1,2,3,4 | sed 's/://g')
|
||||
install -d %{buildroot}/%{_sysconfdir}/uefi/certs/
|
||||
install -m 444 shim-*.der %{buildroot}/%{_sysconfdir}/uefi/certs/$CERT_NAME.crt
|
||||
for file in shim-*.der; do
|
||||
fpr=$(openssl x509 -sha1 -fingerprint -inform DER -noout -in $file | cut -c 18- | cut -d ":" -f 1,2,3,4 | sed 's/://g')
|
||||
install -m 644 $file %{buildroot}/%{_sysconfdir}/uefi/certs/$fpr.crt
|
||||
done
|
||||
|
||||
%clean
|
||||
%{?buildroot:%__rm -rf "%{buildroot}"}
|
||||
|
||||
Loading…
Reference in New Issue
Block a user