Accepting request 196741 from devel:openSUSE:Factory

- always build a shim that embeds the distro's certificate (e.g. shim-opensuse.efi). If the package is built in the devel project additionally shim-devel.efi is created. That allows us to either load grub2/kernel signed by the distro or signed by the devel project, depending on use case. Also shim-$distro.efi from the devel project can be used to request additional signatures. (forwarded request 196735 from lnussel) OBS-URL: https://build.opensuse.org/request/show/196741 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/shim?expand=0&rev=21
2013-08-30 09:49:18 +00:00 · 2013-08-30 09:49:18 +00:00 · 72ecfc0c8d
commit 72ecfc0c8d
parent 17697d55a4 3436d7ba57
2 changed files with 83 additions and 50 deletions
--- a/shim.changes
+++ b/shim.changes
@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Wed Aug 28 15:54:38 UTC 2013 - lnussel@suse.de
+
+- always build a shim that embeds the distro's certificate (e.g.
+  shim-opensuse.efi). If the package is built in the devel project
+  additionally shim-devel.efi is created. That allows us to either
+  load grub2/kernel signed by the distro or signed by the devel
+  project, depending on use case. Also shim-$distro.efi from the
+  devel project can be used to request additional signatures.
+
 -------------------------------------------------------------------
 Wed Aug 28 07:16:51 UTC 2013 - lnussel@suse.de

--- a/shim.spec
+++ b/shim.spec
@ -93,30 +93,44 @@ Authors:
 %build
 chmod +x "make-certs"

-cert2=''
+# first, build MokManager and fallback as they don't depend on a
+# specific certificate
+make MokManager.efi fallback.efi 2>/dev/null
+
+# now build variants of shim that embed different certificates
+default=''
+suffixes=(opensuse sles)
+# check whether the project cert is a known one. If it is we build
+# just one shim that embeds this specific cert. If it's a devel
+# project we build all variants to simplify testing.
 if test -e %{_sourcedir}/_projectcert.crt ; then
    prjsubject=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -subject_hash)
    prjissuer=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -issuer_hash)
    opensusesubject=$(openssl x509 -in %{SOURCE2} -noout -subject_hash)
    slessubject=$(openssl x509 -in %{SOURCE4} -noout -subject_hash)
    if test "$prjissuer" = "$opensusesubject" ; then 
-        suffix=opensuse
+	suffixes=(opensuse)
+    elif test "$prjissuer" = "$slessubject" ; then
+	suffixes=(sles)
+    elif test "$prjsubject" = "$prjissuer" ; then
+	suffixes=(devel opensuse sles)
+    fi
+fi
+
+for suffix in "${suffixes[@]}"; do
+    if test "$suffix" = "opensuse"; then
 	cert=%{SOURCE2}
 	cert2=%{SOURCE9}
-    fi
-    if test "$prjissuer" = "$slessubject" ; then
-        suffix=sles
+    elif test "$suffix" = "sles"; then
 	cert=%{SOURCE4}
-    fi
-    if test "$prjsubject" = "$prjissuer" ; then
-        suffix=local
+	cert2=''
+    elif test "$suffix" = "devel"; then
 	cert=%{_sourcedir}/_projectcert.crt
-    fi
-fi
-if test -z "$suffix" ; then
-    echo "cannot identify project, assuming openSUSE signing"
-    suffix=opensuse
-    cert=%{SOURCE2}
+	cert2=''
+	test -e "$cert" || continue
+    else
+	echo "invalid suffix"
+	false
    fi

    openssl x509 -in $cert -outform DER -out shim-$suffix.der
@ -127,11 +141,11 @@ if [ -z "$cert2" ]; then
 	    touch shim.cer
    else
 	    cp $cert2 shim.crt
+	    rm -f shim.cer
    fi
    # make sure cast warnings don't trigger post build check
-make VENDOR_CERT_FILE=shim-$suffix.der shim.efi MokManager.efi fallback.efi 2>/dev/null
+    make VENDOR_CERT_FILE=shim-$suffix.der shim.efi 2>/dev/null
    # make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx
-cp shim.efi shim-$suffix.efi
    chmod 755 %{SOURCE6} %{SOURCE7}
    # alternative: verify signature
    #sbverify --cert MicCorThiParMarRoo_2010-10-05.pem shim-signed.efi
@ -145,23 +159,32 @@ if ! cmp -s hash1 hash2; then
 	    if [ "${prj%%:*}" = "openSUSE" ]; then
 		    false
 	    fi
-fi
+	    mv shim.efi shim-$suffix.efi
+    else
 	    %{SOURCE6} %{SOURCE1} shim.efi
+	    mv shim-signed.efi shim-$suffix.efi
+	    rm -f shim.efi
+    fi
+    rm -f shim.cer shim.crt
+done
+
+ln -s shim-${suffixes[0]}.efi shim.efi

 %install
 export BRP_PESIGN_FILES='%{_libdir}/efi/shim*.efi %{_libdir}/efi/MokManager.efi %{_libdir}/efi/fallback.efi'
 install -d %{buildroot}/%{_libdir}/efi
-install -m 644 shim-*.efi %{buildroot}/%{_libdir}/efi
+cp -a shim*.efi %{buildroot}/%{_libdir}/efi
 install -m 444 shim-*.der %{buildroot}/%{_libdir}/efi
-install -m 644 shim-signed.efi %{buildroot}/%{_libdir}/efi/shim.efi
 install -m 644 MokManager.efi %{buildroot}/%{_libdir}/efi/MokManager.efi
 install -m 644 fallback.efi %{buildroot}/%{_libdir}/efi/fallback.efi
 install -d %{buildroot}/%{_sbindir}
 install -m 755 %{SOURCE3} %{buildroot}/%{_sbindir}/
 # install SUSE certificate
-CERT_NAME=$(openssl x509 -sha1 -fingerprint -inform DER -in shim-*.der | grep "SHA1 Fingerprint" | cut -c 18- | cut -d ":" -f 1,2,3,4 | sed 's/://g')
 install -d %{buildroot}/%{_sysconfdir}/uefi/certs/
-install -m 444 shim-*.der %{buildroot}/%{_sysconfdir}/uefi/certs/$CERT_NAME.crt
+for file in shim-*.der; do
+    fpr=$(openssl x509 -sha1 -fingerprint -inform DER -noout -in $file | cut -c 18- | cut -d ":" -f 1,2,3,4 | sed 's/://g')
+    install -m 644 $file %{buildroot}/%{_sysconfdir}/uefi/certs/$fpr.crt
+done

 %clean
 %{?buildroot:%__rm -rf "%{buildroot}"}