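#
# spec file for package shim
#
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#

# needssslcertforbuild

Name:           shim
Version:        0.4
Release:        0
Summary:        UEFI shim loader
License:        BSD-2-Clause
Group:          System/Boot
Url:            https://github.com/mjg59/shim
Source:         %{name}-%{version}.tar.bz2
# run "extract_signature.sh shim.efi" where shim.efi is the binary
# with the signature from the UEFI signing service.
# The first line of microsoft.asc is the hash of the binary that was
# signed; %build compares it against the hash of the freshly built shim.efi.
Source1:        microsoft.asc
Source2:        openSUSE-UEFI-CA-Certificate.crt
Source3:        shim-install
Source4:        SLES-UEFI-CA-Certificate.crt
Source5:        extract_signature.sh
Source6:        attach_signature.sh
Source7:        show_hash.sh
# PATCH-FIX-SUSE shim-suse-build.patch glin@suse.com -- Adjust Makefile for the build service
Patch0:         shim-suse-build.patch
# PATCH-FIX-UPSTREAM shim-fix-pointer-casting.patch glin@suse.com -- Fix a casting issue and the size of an empty vendor_cert or dbx_cert.
Patch1:         shim-fix-pointer-casting.patch
# PATCH-FIX-UPSTREAM shim-merge-lf-loader-code.patch glin@suse.com -- Merge the Linux Foundation loader UI code
Patch2:         shim-merge-lf-loader-code.patch
# PATCH-FIX-UPSTREAM shim-fix-simple-file-selector.patch glin@suse.com -- Fix the buffer allocation in the simple file selector
Patch3:         shim-fix-simple-file-selector.patch
# PATCH-FIX-UPSTREAM shim-mokmanager-support-crypt-hash-method.patch glin@suse.com -- Support the password hashes from /etc/shadow
Patch4:         shim-mokmanager-support-crypt-hash-method.patch
# PATCH-FIX-UPSTREAM shim-bnc804631-fix-broken-bootpath.patch bnc#804631 glin@suse.com -- Fix the broken bootpath generated in generate_path()
Patch5:         shim-bnc804631-fix-broken-bootpath.patch
# PATCH-FIX-UPSTREAM shim-bnc798043-no-doulbe-separators.patch bnc#798043 glin@suse.com -- Remove all double-separators from the bootpath
Patch6:         shim-bnc798043-no-doulbe-separators.patch
# PATCH-FIX-UPSTREAM shim-bnc807760-change-pxe-2nd-loader-name.patch bnc#807760 glin@suse.com -- Change the PXE 2nd stage loader to match the filename we are using
Patch7:         shim-bnc807760-change-pxe-2nd-loader-name.patch
# PATCH-FIX-UPSTREAM shim-bnc808106-correct-certcount.patch bnc#808106 glin@suse.com -- Correct the certificate count of the signature list
Patch8:         shim-bnc808106-correct-certcount.patch
# PATCH-FIX-UPSTREAM shim-mokmanager-ui-revamp.patch glin@suse.com -- Revamp the MokManager UI
Patch9:         shim-mokmanager-ui-revamp.patch
BuildRequires:  gnu-efi >= 3.0t
BuildRequires:  mozilla-nss-tools
BuildRequires:  openssl >= 0.9.8
BuildRequires:  pesign
BuildRequires:  pesign-obs-integration
Requires:       perl-Bootloader
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
Recommends:     grub2-efi
ExclusiveArch:  x86_64

%description
shim is a trivial EFI application that, when run, attempts to open and
execute another application.

Authors:
--------
    Matthew Garrett

%prep
%setup -q
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1

%build
chmod +x "make-certs"

# Select the vendor certificate that gets compiled into shim (the trust
# anchor shim will verify the next-stage loader against): the CA that
# issued the build service's project certificate, or the project
# certificate itself when it is self-signed ("local").
# NOTE: the match compares OpenSSL name hashes (-issuer_hash of the project
# cert against -subject_hash of each CA). That identifies the CA by its
# distinguished name only; it does not verify that _projectcert.crt
# actually chains to that CA. A full chain check would need
# "openssl verify -CAfile".
# Both variables are initialised explicitly so the fallback below does not
# depend on them being unset rather than empty.
suffix=
cert=
if test -e %{_sourcedir}/_projectcert.crt ; then
    prjsubject=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -subject_hash)
    prjissuer=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -issuer_hash)
    opensusesubject=$(openssl x509 -in %{SOURCE2} -noout -subject_hash)
    slessubject=$(openssl x509 -in %{SOURCE4} -noout -subject_hash)
    if test "$prjissuer" = "$opensusesubject" ; then
        suffix=opensuse
        cert=%{SOURCE2}
    fi
    if test "$prjissuer" = "$slessubject" ; then
        suffix=sles
        cert=%{SOURCE4}
    fi
    # a self-signed project certificate takes precedence over both CAs
    if test "$prjsubject" = "$prjissuer" ; then
        suffix=local
        cert=%{_sourcedir}/_projectcert.crt
    fi
fi
if test -z "$suffix" ; then
    # no project certificate or an unknown issuer: fall back to the
    # openSUSE CA so the build still produces a usable shim
    echo "cannot identify project, assuming openSUSE signing"
    suffix=opensuse
    cert=%{SOURCE2}
fi
openssl x509 -in "$cert" -outform DER -out "shim-$suffix.der"

# create empty local cert file, we don't need a local key pair as we
# sign the mokmanager with our vendor key
touch shim.crt
touch shim.cer

# make sure cast warnings don't trigger post build check
# (stderr is discarded deliberately; make still fails the build on error)
make VENDOR_CERT_FILE="shim-$suffix.der" shim.efi MokManager.efi fallback.efi 2>/dev/null
# make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx
cp shim.efi "shim-$suffix.efi"

chmod 755 %{SOURCE6} %{SOURCE7}

# alternative: verify signature
#sbverify --cert MicCorThiParMarRoo_2010-10-05.pem shim-signed.efi

# Compare the hash of the freshly built shim.efi with the hash recorded
# from the binary that was submitted to the UEFI signing service (first
# line of %{SOURCE1}). If they differ, the detached signature that
# %{SOURCE6} attaches below no longer belongs to this build.
head -1 %{SOURCE1} > hash1
%{SOURCE7} shim.efi > hash2
cat hash1 hash2
if ! cmp -s hash1 hash2; then
    echo "ERROR: binary changed, need to request new signature!"
    # don't fail in devel projects: only builds in the openSUSE project
    # namespace are refused, elsewhere the mismatch is reported only.
    prj="%{_project}"
    if [ "${prj%%:*}" = "openSUSE" ]; then
        exit 1
    fi
fi
%{SOURCE6} %{SOURCE1} shim.efi

%install
export BRP_PESIGN_FILES='%{_libdir}/efi/shim*.efi %{_libdir}/efi/MokManager.efi %{_libdir}/efi/fallback.efi'
install -d %{buildroot}/%{_libdir}/efi
install -m 644 shim-*.efi %{buildroot}/%{_libdir}/efi
install -m 444 shim-*.der %{buildroot}/%{_libdir}/efi
install -m 644 shim-signed.efi %{buildroot}/%{_libdir}/efi/shim.efi
install -m 644 MokManager.efi %{buildroot}/%{_libdir}/efi/MokManager.efi
install -m 644 fallback.efi %{buildroot}/%{_libdir}/efi/fallback.efi
install -d %{buildroot}/%{_sbindir}
install -m 755 %{SOURCE3} %{buildroot}/%{_sbindir}/

# install SUSE certificate
# The file is named after the first four bytes of the certificate's SHA1
# fingerprint ("AA:BB:CC:DD:..." -> "AABBCCDD").
CERT_NAME=$(openssl x509 -sha1 -fingerprint -noout -inform DER -in shim-*.der | grep "SHA1 Fingerprint" | cut -c 18- | cut -d ":" -f 1,2,3,4 | sed 's/://g')
# an empty name would silently install the certificate as ".crt"
if test -z "$CERT_NAME" ; then
    echo "ERROR: could not derive the certificate fingerprint from shim-*.der"
    exit 1
fi
install -d %{buildroot}/%{_sysconfdir}/uefi/certs/
install -m 444 shim-*.der "%{buildroot}/%{_sysconfdir}/uefi/certs/$CERT_NAME.crt"

%clean
%{?buildroot:%__rm -rf "%{buildroot}"}

%post
/sbin/update-bootloader --refresh || true

%files
%defattr(-,root,root)
%doc COPYRIGHT
%dir %{_libdir}/efi
%{_libdir}/efi/shim.efi
%{_libdir}/efi/shim-*.efi
%{_libdir}/efi/shim-*.der
%{_libdir}/efi/MokManager.efi
%{_libdir}/efi/fallback.efi
%{_sbindir}/shim-install
%dir %{_sysconfdir}/uefi/
%dir %{_sysconfdir}/uefi/certs/
%{_sysconfdir}/uefi/certs/*.crt

%changelog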